diff --git a/content/hacking/HowTo_Bash_reverseShell.md b/content/hacking/HowTo_Bash_reverseShell.md index a4b98cf..94e3458 100644 --- a/content/hacking/HowTo_Bash_reverseShell.md +++ b/content/hacking/HowTo_Bash_reverseShell.md @@ -1,6 +1,6 @@ +++ title = 'HowTo Bash ReverseShell' -date = 2024-09-04 +date = 2024-09-11 +++ Listener - `nc -l 8081` diff --git a/content/hacking/HowTo_CRLF.md b/content/hacking/HowTo_CRLF.md index 771c07e..b7ca9d7 100644 --- a/content/hacking/HowTo_CRLF.md +++ b/content/hacking/HowTo_CRLF.md @@ -1,6 +1,6 @@ +++ title = 'HowTo CRLF' -date = 2024-09-18 +date = 2024-09-25 +++ diff --git a/content/hacking/HowTo_S3.md b/content/hacking/HowTo_S3.md index ada5df7..e116c0f 100644 --- a/content/hacking/HowTo_S3.md +++ b/content/hacking/HowTo_S3.md @@ -1,10 +1,8 @@ +++ -title = 'HowTo hack S3' -date = 2024-09-25 -draft = true +title = 'HowTo Hack S3' +date = 2024-09-04 +++ -TODO ME ## What is S3? 
@@ -12,60 +10,129 @@ TODO ME S3 (Amazon Simple Storage Service) - object storage. You can think of it as cloud storage but designed for **storing and retrieving large files**. E.g. backups, archives, big data analytics, content distribution, and static website content. -S3 can be selfhosted (but you probably shouldn't do it). In other cases, company probably will use Amazon's S3. +S3 can be selfhosted (but you probably shouldn't do it). In other cases, company probably will use Amazon's S3 or one of those providers: + - DigitalOcean + - DreamHost + - GCP + - Linode + - Scaleway S3 have "buckets" - container/folder for files. ### Technical -Interaction with S3 happens via RESTful API (`aws s3`). +Interaction with S3 happens via RESTful API (via `awscli`). Each bucket have its own settings: - - Region - each bucket is created in specific AWS region (for performance) - e.g. `https://.s3..amazonaws.com/image.png` + - Region - each bucket is created in specific AWS region (for performance) - + e.g. `https://.s3..amazonaws.com/image.png` + or (depricated) `https://s3.amazonaws.com/[region]/[bucket_name]/` + or "dual-stack" (with IPv6 address): + `bucketname.s3.dualstack.aws-region.amazonaws.com` + `s3.dualstack.aws-region.amazonaws.com/bucketname` - Name - each name should be unique across all AWS regions - - Storage class - how fast data can be accessed - - Lifecycle management - data can automatically be deleted or transfered to cheaper storage - Versioning - S3 can keep snapshots of data - - Logging/monitoring + - Logging/monitoring - disabled by default - Access control - the most interesting part for us. S3 have **public** and **private** buckets: - - In public bucket - any user can list content + - In public (or open) bucket - any user can list content - In private bucket - you should have credentials which have access to specific file - + + ## Recon ### Find bucket endpoint -1. Try [Wappalyzer](https://www.wappalyzer.com/apps/) -2. 
[Spider](/hidden/todo/) site - `katana -js` -3. Search + +1. [Crawl](/hacking/howto_crawl/) site - `katana -js -u SITE` +1. Search in crawl results `.*s3.*amazonaws.com` +1. Check for CNAMEs for domains in crawl results `resources.domain.com -> bucket.s3.amazonaws.com` +1. Check [list of discovered buckets](https://buckets.grayhatwarfare.com), it may have your bucket. +1. [Bruteforce bucket name](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#brute-force) by [creating custom wordlist](http://localhost:1313/hacking/howto_customize_wordlist/) per domain + ### Find credentials +We will try to find S3 bucket credentials with OSINT. + +1. Use Google Dorks +1. Check git public repos of company +1. Check git repos of employees + +If you have access to Google Custom Search Engine: + - https://github.com/carlospolop/gorks + - https://github.com/carlospolop/pastos + +and check https://github.com/carlospolop/leakos + ## Enumerate -Automatically: -https://github.com/sa7mon/S3Scanner +### Automatically -## Manually connect to S3 +Find public buckets in bucket list (or bruteforce bucket name): [S3Scanner](https://github.com/sa7mon/S3Scanner) +Search for secrets in public bucket: [BucketLoot](https://github.com/redhuntlabs/BucketLoot) + +### Manually connect to S3 + +To check if bucket is public - you can just open bucket link in browser, it will list first 1000 objects in it. 
Otherwise you will get "AccessDenied" awscli: +- `aws configure` - write credentials if you have them +otherwise try with [valid S3 account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#cross-account-attacks) without access + +- list S3 buckets associated with a profile +`aws s3 ls` +`aws s3api list-buckets` + `aws --endpoint=http://s3.customDomain.com s3 ls` - to use custom domain + +- list files - `aws s3 ls s3://bucket ` + `--recursive` - list recursively + `--no-sign-request` - check 'Everyone' permissions + `--endpoint` - use custom S3 domain +Additionally: +``` +# list content of bucket (with creds) +aws s3 ls s3://bucket-name +aws s3api list-objects-v2 --bucket +aws s3api list-objects --bucket +aws s3api list-object-versions --bucket +``` + - upload - `aws s3 cp smth s3://smth` +![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fwww.memecreator.org%2Fstatic%2Fimages%2Fmemes%2F5211903.jpg&f=1&nofb=1&ipt=4e060c4e534d29fd7ee6d8eef91064b6e86d55b0750a1b8e41b9ab8827cf768d&ipo=images) + - download - `aws s3 cp s3://bucket/secret.txt` + - download whole bucket - `aws s3 sync s3:/// .` + - delete - `aws s3 rb s3://bucket-name --force` +![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fpawelurbanek.com%2Fassets%2Fs3_data_lost-1f25428b7e80c3b337a3c19004370bdca5c2dcc609a438ea5ea684937b20b03a.jpg&f=1&nofb=1&ipt=3243987f15adb705d6975f8f371993819fbba711c4d6a483a5ee3b6d003c79f3&ipo=images) + +### Gather info on bucket + + +- Get buckets ACLs: ``` -aws configure -*написать что либо, в идеале легальный логин и пароль* -aws --endpoint=http://s3.smth.com s3 ls # list buckets -aws --endpoint=http://s3.smth.com s3 ls s3://smth # list files -aws s3 ls s3://whateverbucketname -aws --endpoint=http://s3.smth.com s3 cp smth s3://smth # upload -aws s3 mv Exploit.txt s3://whateverbucketname/ -aws --endpoint=http://s3.smth.com s3 cp s3://smth # download -aws s3 cp s3://whateverbucketname/secret.txt +aws s3api 
get-bucket-acl --bucket +aws s3api get-object-acl --bucket --key flag +``` +- Get policy: +``` +aws s3api get-bucket-policy --bucket +aws s3api get-bucket-policy-status --bucket #if it's public + ``` +  + +[Additional actions to buckets.](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#enumeration) -## Resources +## Additional resources + + - [S3 may have additional services that may be vulnurable](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#aws-unauthenticated-enum-and-access) + - [S3 privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc) + - [S3 HTTP Cache Poisoning Issue](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#heading-s3-http-desync-cache-poisoning-issue) + - [Check if email have registered AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#used-emails-as-root-account-enumeration) + - [Get Account ID from public Bucket](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#get-account-id-from-public-bucket) + - [Confirming a bucket belongs to an AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#confirming-a-bucket-belongs-to-an-aws-account) + - [How to make persistent account in S3](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence) - - https://buckets.grayhatwarfare.com, a list with already discovered open buckets. ## Train 
@@ -77,8 +144,7 @@ aws s3 cp s3://whateverbucketname/secret.txt https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2 https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum -https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum +https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum -https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#s3-buckets https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4 {{< /source >}} diff --git a/content/hacking/HowTo_learn_SocialEngineering.md b/content/hacking/HowTo_learn_SocialEngineering.md index f13b93d..f28d4ce 100644 --- a/content/hacking/HowTo_learn_SocialEngineering.md +++ b/content/hacking/HowTo_learn_SocialEngineering.md @@ -1,6 +1,6 @@ +++ title = 'HowTo learn Social Engineering' -date = 2024-09-11 +date = 2024-09-18 +++ diff --git a/netlify.toml b/netlify.toml deleted file mode 100644 index 8fa21c4..0000000 --- a/netlify.toml +++ /dev/null @@ -1,4 +0,0 @@ -[[redirects]] - from = "/*" - to = "/404/" - status = 404 diff --git a/themes/anubis2/layouts/404.html b/themes/anubis2/layouts/404.html index e9fbfa7..1602fdc 100644 --- a/themes/anubis2/layouts/404.html +++ b/themes/anubis2/layouts/404.html @@ -1,8 +1,108 @@ {{ define "main"}} -
-
-

Go Home

- Sorry, this Page is not available. -
-
+
+ + + +
+
+
+

Error 404

+ +
+ + + + + + + + + + + + + + + + + + + +
+ + + + + + + + + +
+

Hi! Sorry but link doesn’t exist yet.

+

+ +

It may be still in work or not posted yet.

+

If this link doesn’t work for 1+ weeks, please contact me!

+ + + + + + +
+ +
+ + + + + + + + + + + + + + + + + + + + + +
+ {{ end }}
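Review bot: in the HowTo_S3.md front-matter hunk the date moves backwards from 2024-09-25 to 2024-09-04 while every other page in this commit advances by a week, and `draft = true` is dropped in the same hunk. If the intent is to publish the page now, the date should be the publish date rather than an older one, so confirm that `+date = 2024-09-04` is deliberate and not a copy of the reverse-shell page's old date.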
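Review bot: in the `@@ -12,60 +10,129 @@` hunk of HowTo_S3.md the download line `- download - \`aws s3 cp s3://bucket/secret.txt\`` is missing the local destination that `aws s3 cp` requires, so the command fails as written; use `aws s3 cp s3://bucket/secret.txt .`. Likewise `aws s3 sync s3:/// .` has an empty bucket name and several `--bucket` flags have no argument; if a `<bucket>` placeholder was eaten by the renderer, write it as `[bucket_name]`, the way the deprecated URL form already does. That deprecated example, `https://s3.amazonaws.com/[region]/[bucket_name]/`, puts the region in the path, but path-style addressing carries it in the host: `https://s3.[region].amazonaws.com/[bucket_name]/`. The wordlist link points at `http://localhost:1313/hacking/howto_customize_wordlist/`, the Hugo dev server, and should be site-relative like the crawl link (`/hacking/howto_crawl/`). The line `aws s3 rb s3://bucket-name --force` deletes the bucket and every object in it, which does not belong in a list of read-only listing commands unless it is explicitly marked as destructive. Minor: `depricated` should be `deprecated`, `vulnurable` should be `vulnerable`, `S3 have` and `Each bucket have` should be `has`, and the shell fences carry no language tag.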
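Review bot: deleting netlify.toml removes the `from = "/*"` / `to = "/404/"` / `status = 404` catch-all, so unknown paths now depend on Netlify's default of serving `/404.html` from the publish directory. Hugo does emit that file from the template changed in this commit, so the page itself should still appear, but verify after deploy that an unknown URL returns HTTP 404 rather than 200, and record the reason for the removal in the commit message.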
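Review bot: the rewritten 404.html drops the visible `Go Home` link the old template had, and the new copy ends with `please contact me!` without any visible contact link or address in the hunk, so a visitor who lands on a dead link has no way forward. Keep a link back to `/` and link `contact me` to wherever the contact details live. Wording: `It may be still in work or not posted yet.` reads better as `It may still be in progress or not posted yet.`, and `Sorry but link doesn’t exist yet` wants an article (`the link`). The hunk header also shows the file growing from 8 to 108 lines for four sentences of text; if that is inline styling, it would be better kept in the theme's stylesheet.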