Casual_blog/content/hacking/HowTo_S3.md

+++
title = 'HowTo Hack S3'
date = 2024-09-04
+++


## What is S3?

### Abstract

S3 (Amazon Simple Storage Service) - object storage. You can think of it as cloud storage but designed for **storing and retrieving large files**. E.g. backups, archives, big data analytics, content distribution, and static website content.

S3 can be selfhosted (but you probably shouldn't do it). In other cases, company probably will use Amazon's S3 or one of those providers:
 - DigitalOcean
 - DreamHost
 - GCP
 - Linode
 - Scaleway

S3 have "buckets" - container/folder for files. 

### Technical

Interaction with S3 happens via RESTful API (via `awscli`).

Each bucket have its own settings:
 - Region - each bucket is created in specific AWS region (for performance) - 
 e.g. `https://<bucket-name>.s3.<region>.amazonaws.com/image.png`    
 or (depricated) `https://s3.amazonaws.com/[region]/[bucket_name]/`  
 or "dual-stack" (with IPv6 address):  
 `bucketname.s3.dualstack.aws-region.amazonaws.com`  
 `s3.dualstack.aws-region.amazonaws.com/bucketname`
 - Name - each name should be unique across all AWS regions
 - Versioning - S3 can keep snapshots of data
 - Logging/monitoring - disabled by default
 - Access control - the most interesting part for us. S3 have **public** and **private** buckets:
	 -	In public (or open) bucket - any user can list content
	 -	In private bucket - you should have credentials which have access to specific file
  <!-- - Storage class - how fast data can be accessed  -->
 <!-- - Lifecycle management - data can automatically be deleted or transfered to cheaper storage -->

## Recon

### Find bucket endpoint

<!-- 1. Try [Wappalyzer](https://www.wappalyzer.com/apps/) -->
1. [Crawl](/hacking/howto_crawl/) site - `katana -js -u SITE`  
1. Search in crawl results `.*s3.*amazonaws.com`
1. Check for CNAMEs for domains in crawl results `resources.domain.com -> bucket.s3.amazonaws.com`
1. Check [list of discovered buckets](https://buckets.grayhatwarfare.com), it may have your bucket.
1. [Bruteforce bucket name](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#brute-force) by [creating custom wordlist](http://localhost:1313/hacking/howto_customize_wordlist/) per domain
	

### Find credentials

We will try to find S3 bucket credentials with OSINT.

1. Use Google Dorks
1. Check git public repos of company
1. Check git repos of employees

If you have access to Google Custom Search Engine:
 - https://github.com/carlospolop/gorks 
 - https://github.com/carlospolop/pastos   
 
and check https://github.com/carlospolop/leakos 

## Enumerate

### Automatically

Find public buckets in bucket list (or bruteforce bucket name): [S3Scanner](https://github.com/sa7mon/S3Scanner)  
Search for secrets in public bucket: [BucketLoot](https://github.com/redhuntlabs/BucketLoot)

### Manually connect to S3

To check if bucket is public - you can just open bucket link in browser, it will list first 1000 objects in it. Otherwise you will get "AccessDenied"

awscli:
- `aws configure` - write credentials if you have them   
otherwise try with [valid S3 account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#cross-account-attacks) without access

- list S3 buckets associated with a profile  
`aws s3 ls`  
`aws s3api list-buckets`  
	`aws --endpoint=http://s3.customDomain.com s3 ls` - to use custom domain

- list files - `aws s3 ls s3://bucket `					  
	 `--recursive` - list recursively  
	 `--no-sign-request` - check 'Everyone' permissions  
	 `--endpoint` - use custom S3 domain
Additionally:
```  
# list content of bucket (with creds)
aws s3 ls s3://bucket-name
aws s3api list-objects-v2 --bucket <bucket-name>
aws s3api list-objects --bucket <bucket-name>
aws s3api list-object-versions --bucket <bucket-name>
```  
 -  upload - `aws s3 cp smth s3://smth`
![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fwww.memecreator.org%2Fstatic%2Fimages%2Fmemes%2F5211903.jpg&f=1&nofb=1&ipt=4e060c4e534d29fd7ee6d8eef91064b6e86d55b0750a1b8e41b9ab8827cf768d&ipo=images)
 -  download - `aws s3 cp s3://bucket/secret.txt`
 -  download whole bucket - `aws s3 sync s3://<bucket>/ .`
 -  delete - `aws s3 rb s3://bucket-name --force`	
![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fpawelurbanek.com%2Fassets%2Fs3_data_lost-1f25428b7e80c3b337a3c19004370bdca5c2dcc609a438ea5ea684937b20b03a.jpg&f=1&nofb=1&ipt=3243987f15adb705d6975f8f371993819fbba711c4d6a483a5ee3b6d003c79f3&ipo=images)

### Gather info on bucket


- Get buckets ACLs:
```
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api get-object-acl --bucket <bucket-name> --key flag
```
- Get policy:
```
aws s3api get-bucket-policy --bucket <bucket-name>
aws s3api get-bucket-policy-status --bucket <bucket-name> #if it's public

```

&nbsp; 
   
[Additional actions to buckets.](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#enumeration)

## Additional resources

 - [S3 may have additional services that may be vulnurable](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#aws-unauthenticated-enum-and-access)
 - [S3 privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc)
 - [S3 HTTP Cache Poisoning Issue](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#heading-s3-http-desync-cache-poisoning-issue)
 - [Check if email have registered AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#used-emails-as-root-account-enumeration)
 - [Get Account ID from public Bucket](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#get-account-id-from-public-bucket)
 - [Confirming a bucket belongs to an AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#confirming-a-bucket-belongs-to-an-aws-account)
 - [How to make persistent account in S3](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence)  


## Train

 - http://flaws.cloud/

 - http://flaws2.cloud/

{{< source >}}
https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4
{{< /source >}}
test custom 404 2024-09-03 19:36:04 +00:00			`+++`
new posts 2024-09-03 23:24:52 +00:00			`title = 'HowTo Hack S3'`
			`date = 2024-09-04`
test custom 404 2024-09-03 19:36:04 +00:00			`+++`


			`## What is S3?`

			`### Abstract`

			`S3 (Amazon Simple Storage Service) - object storage. You can think of it as cloud storage but designed for storing and retrieving large files. E.g. backups, archives, big data analytics, content distribution, and static website content.`

new posts 2024-09-03 23:24:52 +00:00			`S3 can be selfhosted (but you probably shouldn't do it). In other cases, company probably will use Amazon's S3 or one of those providers:`
			`- DigitalOcean`
			`- DreamHost`
			`- GCP`
			`- Linode`
			`- Scaleway`
test custom 404 2024-09-03 19:36:04 +00:00
			`S3 have "buckets" - container/folder for files.`

			`### Technical`

new posts 2024-09-03 23:24:52 +00:00			Interaction with S3 happens via RESTful API (via `awscli`).
test custom 404 2024-09-03 19:36:04 +00:00
			`Each bucket have its own settings:`
new posts 2024-09-03 23:24:52 +00:00			`- Region - each bucket is created in specific AWS region (for performance) -`
			e.g. `https://<bucket-name>.s3.<region>.amazonaws.com/image.png`
			or (depricated) `https://s3.amazonaws.com/[region]/[bucket_name]/`
			`or "dual-stack" (with IPv6 address):`
			`bucketname.s3.dualstack.aws-region.amazonaws.com`
			`s3.dualstack.aws-region.amazonaws.com/bucketname`
test custom 404 2024-09-03 19:36:04 +00:00			`- Name - each name should be unique across all AWS regions`
			`- Versioning - S3 can keep snapshots of data`
new posts 2024-09-03 23:24:52 +00:00			`- Logging/monitoring - disabled by default`
test custom 404 2024-09-03 19:36:04 +00:00			`- Access control - the most interesting part for us. S3 have public and private buckets:`
new posts 2024-09-03 23:24:52 +00:00			`- In public (or open) bucket - any user can list content`
test custom 404 2024-09-03 19:36:04 +00:00			`- In private bucket - you should have credentials which have access to specific file`
new posts 2024-09-03 23:24:52 +00:00			`<!-- - Storage class - how fast data can be accessed -->`
			`<!-- - Lifecycle management - data can automatically be deleted or transfered to cheaper storage -->`
test custom 404 2024-09-03 19:36:04 +00:00
			`## Recon`

			`### Find bucket endpoint`

new posts 2024-09-03 23:24:52 +00:00			`<!-- 1. Try [Wappalyzer](https://www.wappalyzer.com/apps/) -->`
			1. [Crawl](/hacking/howto_crawl/) site - `katana -js -u SITE`
			1. Search in crawl results `.s3.amazonaws.com`
			1. Check for CNAMEs for domains in crawl results `resources.domain.com -> bucket.s3.amazonaws.com`
			`1. Check [list of discovered buckets](https://buckets.grayhatwarfare.com), it may have your bucket.`
			`1. [Bruteforce bucket name](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#brute-force) by [creating custom wordlist](http://localhost:1313/hacking/howto_customize_wordlist/) per domain`

test custom 404 2024-09-03 19:36:04 +00:00
			`### Find credentials`

new posts 2024-09-03 23:24:52 +00:00			`We will try to find S3 bucket credentials with OSINT.`

			`1. Use Google Dorks`
			`1. Check git public repos of company`
			`1. Check git repos of employees`

			`If you have access to Google Custom Search Engine:`
			`- https://github.com/carlospolop/gorks`
			`- https://github.com/carlospolop/pastos`

			`and check https://github.com/carlospolop/leakos`

test custom 404 2024-09-03 19:36:04 +00:00			`## Enumerate`

new posts 2024-09-03 23:24:52 +00:00			`### Automatically`

			`Find public buckets in bucket list (or bruteforce bucket name): [S3Scanner](https://github.com/sa7mon/S3Scanner)`
			`Search for secrets in public bucket: [BucketLoot](https://github.com/redhuntlabs/BucketLoot)`
test custom 404 2024-09-03 19:36:04 +00:00
new posts 2024-09-03 23:24:52 +00:00			`### Manually connect to S3`

			`To check if bucket is public - you can just open bucket link in browser, it will list first 1000 objects in it. Otherwise you will get "AccessDenied"`
test custom 404 2024-09-03 19:36:04 +00:00
			`awscli:`
new posts 2024-09-03 23:24:52 +00:00			- `aws configure` - write credentials if you have them
			`otherwise try with [valid S3 account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#cross-account-attacks) without access`

			`- list S3 buckets associated with a profile`
			`aws s3 ls`
			`aws s3api list-buckets`
			`aws --endpoint=http://s3.customDomain.com s3 ls` - to use custom domain

			- list files - `aws s3 ls s3://bucket `
			`--recursive` - list recursively
			`--no-sign-request` - check 'Everyone' permissions
			`--endpoint` - use custom S3 domain
			`Additionally:`
			```
			`# list content of bucket (with creds)`
			`aws s3 ls s3://bucket-name`
			`aws s3api list-objects-v2 --bucket <bucket-name>`
			`aws s3api list-objects --bucket <bucket-name>`
			`aws s3api list-object-versions --bucket <bucket-name>`
			```
			- upload - `aws s3 cp smth s3://smth`
			`![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fwww.memecreator.org%2Fstatic%2Fimages%2Fmemes%2F5211903.jpg&f=1&nofb=1&ipt=4e060c4e534d29fd7ee6d8eef91064b6e86d55b0750a1b8e41b9ab8827cf768d&ipo=images)`
			- download - `aws s3 cp s3://bucket/secret.txt`
			- download whole bucket - `aws s3 sync s3://<bucket>/ .`
			- delete - `aws s3 rb s3://bucket-name --force`
			`![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fpawelurbanek.com%2Fassets%2Fs3_data_lost-1f25428b7e80c3b337a3c19004370bdca5c2dcc609a438ea5ea684937b20b03a.jpg&f=1&nofb=1&ipt=3243987f15adb705d6975f8f371993819fbba711c4d6a483a5ee3b6d003c79f3&ipo=images)`

			`### Gather info on bucket`


			`- Get buckets ACLs:`
			```
			`aws s3api get-bucket-acl --bucket <bucket-name>`
			`aws s3api get-object-acl --bucket <bucket-name> --key flag`
test custom 404 2024-09-03 19:36:04 +00:00			```
new posts 2024-09-03 23:24:52 +00:00			`- Get policy:`
test custom 404 2024-09-03 19:36:04 +00:00			```
new posts 2024-09-03 23:24:52 +00:00			`aws s3api get-bucket-policy --bucket <bucket-name>`
			`aws s3api get-bucket-policy-status --bucket <bucket-name> #if it's public`

			```

			` `

			`[Additional actions to buckets.](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#enumeration)`
test custom 404 2024-09-03 19:36:04 +00:00
new posts 2024-09-03 23:24:52 +00:00			`## Additional resources`
test custom 404 2024-09-03 19:36:04 +00:00
new posts 2024-09-03 23:24:52 +00:00			`- [S3 may have additional services that may be vulnurable](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#aws-unauthenticated-enum-and-access)`
			`- [S3 privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc)`
			`- [S3 HTTP Cache Poisoning Issue](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#heading-s3-http-desync-cache-poisoning-issue)`
			`- [Check if email have registered AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#used-emails-as-root-account-enumeration)`
			`- [Get Account ID from public Bucket](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#get-account-id-from-public-bucket)`
			`- [Confirming a bucket belongs to an AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#confirming-a-bucket-belongs-to-an-aws-account)`
			`- [How to make persistent account in S3](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence)`
test custom 404 2024-09-03 19:36:04 +00:00

			`## Train`

			`- http://flaws.cloud/`

			`- http://flaws2.cloud/`

			`{{< source >}}`
			`https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2`
			`https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence`
			`https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum`
new posts 2024-09-03 23:24:52 +00:00			`https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access`
test custom 404 2024-09-03 19:36:04 +00:00			`https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum`
			`https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4`
			`{{< /source >}}`