About  Project Blog Resources

Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

How We Gained Full Access to a $100M Zero-Trust Setup - 1709

How We Gained Full Access to a $100M Zero-Trust Setup Posted 7 Months Ago
  • The cloud environment had an API for generating API keys. This had a CSRF vulnerability, mainly because it used a GET request to create the API keys. This ALSO worked with the admin user. By itself, this doesn't have much impact, though.
  • Upon looking deeper into the application, they realized that CORS was misconfigured. In this case, the origin was simply reflected, and credentials were sent. The combination of these two meant that the generated key from above could be stolen. Pretty good impact!
  • The application had a super simple proxy feature with no input validation. Using this method, it was possible to call the AWS metadata endpoint to steal AWS credentials. With the credentials, they decided to figure out what the API had access to.
  • While describing the other EC2 instances, they found passwords in plaintext but I'm unsure what fields these were in. One of the credentials allowed for admin access, allowing for privilege escalation to the AWS Administrator.
  • Overall, a group of super serious bugs leads to complete compromise. This is why defense-in-depth is so essential!

Maxwell DulinEmail me!TwitterGithubAdminBlog RSS FeedResources RSS Feed