Client: Confidential
Service: Penetration Testing
Industry: Asset Custodian
Year: 2024
Problem
Their environment combined custom web applications, serverless functions, and internal operational tooling, a mix that created a wide attack surface whose real risk was unknown. They needed a partner who could think like an adversary and demonstrate actual impact, not theoretical issues.
Solution
The assessment began with systematic enumeration of externally exposed services, including custom web applications, API endpoints, and supporting infrastructure accessible over standard and non-standard ports.
During this process, we identified an internal operational web portal that had been inadvertently exposed to the internet through an open port. Further analysis revealed multiple application-layer weaknesses within this portal. By fuzzing available parameters across several API endpoints, we identified a local file-read vulnerability that allowed arbitrary access to files on the underlying host.
Exploitation of this vulnerability enabled the retrieval of sensitive AWS security credentials stored in standard `.aws` configuration locations used by the application. Using the same local file-read vulnerability, we accessed the web service’s source code and determined that the exposed AWS credentials were associated with a highly privileged AWS Lambda function. Invocation of this function allowed us to elevate privileges by granting administrative permissions to our principal.
With administrative privileges established, Fortuna executed AWS API actions as a cloud administrator, including the creation of a new administrative account. This demonstrated a complete end-to-end compromise path, from an external network exposure to full control over the client’s AWS environment.
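The escalation step described above (a Lambda execution role attaching administrative rights to the caller's principal, which then acts as an administrator) leaves a recognisable sequence in CloudTrail. The detection below is an added example, not Fortuna's or the client's code; the log records are constructed and simplified, and the role, user, function and account identifiers are hypothetical.

```python
import json
from datetime import datetime, timedelta

# IAM calls that create principals or extend their permissions.
PRIV_ACTIONS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup",
                "CreateUser", "CreateAccessKey", "CreateLoginProfile"}

# Constructed, simplified CloudTrail records (hypothetical names, not client data).
SAMPLE_LOG = """
{"eventTime":"2024-03-01T10:00:02Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/ops-lambda-role/ops-admin-fn"},"requestParameters":{"userName":"portal-svc","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2024-03-01T10:05:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateUser","userIdentity":{"type":"IAMUser","userName":"portal-svc","arn":"arn:aws:iam::111122223333:user/portal-svc"},"requestParameters":{"userName":"svc-backup"}}
{"eventTime":"2024-03-01T11:00:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","userName":"alice","arn":"arn:aws:iam::111122223333:user/alice"},"requestParameters":{"userName":"bob","policyArn":"arn:aws:iam::aws:policy/ReadOnlyAccess"}}
"""

def parse_events(text):
    """Parse newline-delimited JSON records and sort them by eventTime."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["_ts"] = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["_ts"])

def find_lambda_escalations(events, window=timedelta(minutes=30)):
    """Return (grant, follow_on) pairs: an IAM privilege grant made by an
    assumed-role session (such as a Lambda execution role) onto an IAM user,
    followed within `window` by that same user making its own IAM privilege call."""
    pending = {}   # grantee user name -> the grant event
    chains = []
    for e in events:
        if e["eventSource"] != "iam.amazonaws.com" or e["eventName"] not in PRIV_ACTIONS:
            continue
        ident = e["userIdentity"]
        target = e.get("requestParameters", {}).get("userName")
        if ident["type"] == "AssumedRole" and target:
            pending[target] = e          # a workload identity elevated a user
        grant = pending.get(ident.get("userName"))
        if grant and e["_ts"] - grant["_ts"] <= window:
            chains.append((grant, e))    # the elevated user is now acting as admin
    return chains

if __name__ == "__main__":
    for grant, follow in find_lambda_escalations(parse_events(SAMPLE_LOG)):
        print(f"{grant['userIdentity']['arn']} attached "
              f"{grant['requestParameters'].get('policyArn')} to "
              f"{grant['requestParameters']['userName']}, who then ran "
              f"{follow['eventName']} at {follow['eventTime']}")
```

The ordinary human-to-human grant of ReadOnlyAccess in the sample is deliberately left unflagged; only the workload-originated grant followed by the grantee's own IAM activity is reported.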
Key results
Identified a critical open-port exposure leading to internal systems
Exploited a local file-read vulnerability to access sensitive AWS credentials
Extracted a privileged token with administrative access to Lambda
Executed AWS API commands as a cloud administrator
Demonstrated full compromise of the client's AWS infrastructure
Provided a prioritized remediation plan addressing systemic cloud-security weaknesses