new posts

This commit is contained in:
casual 2024-09-04 02:24:52 +03:00
parent e27bbe3424
commit 07f3dc9943
6 changed files with 206 additions and 44 deletions

View File

@ -1,6 +1,6 @@
+++ +++
title = 'HowTo Bash ReverseShell' title = 'HowTo Bash ReverseShell'
date = 2024-09-04 date = 2024-09-11
+++ +++
Listener - `nc -l 8081` Listener - `nc -l 8081`
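Review bot: the date in this hunk moves to 2024-09-11, a week after the commit timestamp in the header (2024-09-04), and Hugo does not render future-dated content unless the site is built with `buildFuture = true` or `hugo --buildFuture`, so the post will silently drop out of the build until that day; the same applies to the CRLF (2024-09-25) and Social Engineering (2024-09-18) date changes in this commit. If the intent is scheduling, confirm a deploy actually runs on those dates; otherwise keep the dates at or before the publish date.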

View File

@ -1,6 +1,6 @@
+++ +++
title = 'HowTo CRLF' title = 'HowTo CRLF'
date = 2024-09-18 date = 2024-09-25
+++ +++

View File

@ -1,10 +1,8 @@
+++ +++
title = 'HowTo hack S3' title = 'HowTo Hack S3'
date = 2024-09-25 date = 2024-09-04
draft = true
+++ +++
TODO ME
## What is S3? ## What is S3?
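Review bot: the title becomes "HowTo Hack S3" while the other posts in this commit keep lowercase after "HowTo" ("HowTo learn Social Engineering"), so pick one capitalisation for the series. Dropping `draft = true` publishes the page, so any remaining placeholders should be gone before merge.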
@ -12,60 +10,129 @@ TODO ME
S3 (Amazon Simple Storage Service) - object storage. You can think of it as cloud storage but designed for **storing and retrieving large files**. E.g. backups, archives, big data analytics, content distribution, and static website content. S3 (Amazon Simple Storage Service) - object storage. You can think of it as cloud storage but designed for **storing and retrieving large files**. E.g. backups, archives, big data analytics, content distribution, and static website content.
S3 can be selfhosted (but you probably shouldn't do it). In other cases, company probably will use Amazon's S3. S3 can be selfhosted (but you probably shouldn't do it). In other cases, company probably will use Amazon's S3 or one of those providers:
- DigitalOcean
- DreamHost
- GCP
- Linode
- Scaleway
S3 have "buckets" - container/folder for files. S3 have "buckets" - container/folder for files.
### Technical ### Technical
Interaction with S3 happens via RESTful API (`aws s3`). Interaction with S3 happens via RESTful API (via `awscli`).
Each bucket have its own settings: Each bucket have its own settings:
- Region - each bucket is created in specific AWS region (for performance) - e.g. `https://<bucket-name>.s3.<region>.amazonaws.com/image.png` - Region - each bucket is created in specific AWS region (for performance) -
e.g. `https://<bucket-name>.s3.<region>.amazonaws.com/image.png`
or (depricated) `https://s3.amazonaws.com/[region]/[bucket_name]/`
or "dual-stack" (with IPv6 address):
`bucketname.s3.dualstack.aws-region.amazonaws.com`
`s3.dualstack.aws-region.amazonaws.com/bucketname`
- Name - each name should be unique across all AWS regions - Name - each name should be unique across all AWS regions
- Storage class - how fast data can be accessed
- Lifecycle management - data can automatically be deleted or transfered to cheaper storage
- Versioning - S3 can keep snapshots of data - Versioning - S3 can keep snapshots of data
- Logging/monitoring - Logging/monitoring - disabled by default
- Access control - the most interesting part for us. S3 have **public** and **private** buckets: - Access control - the most interesting part for us. S3 have **public** and **private** buckets:
- In public bucket - any user can list content - In public (or open) bucket - any user can list content
- In private bucket - you should have credentials which have access to specific file - In private bucket - you should have credentials which have access to specific file
<!-- - Storage class - how fast data can be accessed -->
<!-- - Lifecycle management - data can automatically be deleted or transfered to cheaper storage -->
## Recon ## Recon
### Find bucket endpoint ### Find bucket endpoint
1. Try [Wappalyzer](https://www.wappalyzer.com/apps/) <!-- 1. Try [Wappalyzer](https://www.wappalyzer.com/apps/) -->
2. [Spider](/hidden/todo/) site - `katana -js` 1. [Crawl](/hacking/howto_crawl/) site - `katana -js -u SITE`
3. Search 1. Search in crawl results `.*s3.*amazonaws.com`
1. Check for CNAMEs for domains in crawl results `resources.domain.com -> bucket.s3.amazonaws.com`
1. Check [list of discovered buckets](https://buckets.grayhatwarfare.com), it may have your bucket.
1. [Bruteforce bucket name](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#brute-force) by [creating custom wordlist](http://localhost:1313/hacking/howto_customize_wordlist/) per domain
### Find credentials ### Find credentials
We will try to find S3 bucket credentials with OSINT.
1. Use Google Dorks
1. Check git public repos of company
1. Check git repos of employees
If you have access to Google Custom Search Engine:
- https://github.com/carlospolop/gorks
- https://github.com/carlospolop/pastos
and check https://github.com/carlospolop/leakos
## Enumerate ## Enumerate
Automatically: ### Automatically
https://github.com/sa7mon/S3Scanner
## Manually connect to S3 Find public buckets in bucket list (or bruteforce bucket name): [S3Scanner](https://github.com/sa7mon/S3Scanner)
Search for secrets in public bucket: [BucketLoot](https://github.com/redhuntlabs/BucketLoot)
### Manually connect to S3
To check if bucket is public - you can just open bucket link in browser, it will list first 1000 objects in it. Otherwise you will get "AccessDenied"
awscli: awscli:
- `aws configure` - write credentials if you have them
otherwise try with [valid S3 account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#cross-account-attacks) without access
- list S3 buckets associated with a profile
`aws s3 ls`
`aws s3api list-buckets`
`aws --endpoint=http://s3.customDomain.com s3 ls` - to use custom domain
- list files - `aws s3 ls s3://bucket `
`--recursive` - list recursively
`--no-sign-request` - check 'Everyone' permissions
`--endpoint` - use custom S3 domain
Additionally:
``` ```
aws configure # list content of bucket (with creds)
*написать что либо, в идеале легальный логин и пароль* aws s3 ls s3://bucket-name
aws --endpoint=http://s3.smth.com s3 ls # list buckets aws s3api list-objects-v2 --bucket <bucket-name>
aws --endpoint=http://s3.smth.com s3 ls s3://smth # list files aws s3api list-objects --bucket <bucket-name>
aws s3 ls s3://whateverbucketname aws s3api list-object-versions --bucket <bucket-name>
aws --endpoint=http://s3.smth.com s3 cp smth s3://smth # upload ```
aws s3 mv Exploit.txt s3://whateverbucketname/ - upload - `aws s3 cp smth s3://smth`
aws --endpoint=http://s3.smth.com s3 cp s3://smth # download ![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fwww.memecreator.org%2Fstatic%2Fimages%2Fmemes%2F5211903.jpg&f=1&nofb=1&ipt=4e060c4e534d29fd7ee6d8eef91064b6e86d55b0750a1b8e41b9ab8827cf768d&ipo=images)
aws s3 cp s3://whateverbucketname/secret.txt - download - `aws s3 cp s3://bucket/secret.txt`
- download whole bucket - `aws s3 sync s3://<bucket>/ .`
- delete - `aws s3 rb s3://bucket-name --force`
![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fpawelurbanek.com%2Fassets%2Fs3_data_lost-1f25428b7e80c3b337a3c19004370bdca5c2dcc609a438ea5ea684937b20b03a.jpg&f=1&nofb=1&ipt=3243987f15adb705d6975f8f371993819fbba711c4d6a483a5ee3b6d003c79f3&ipo=images)
### Gather info on bucket
- Get buckets ACLs:
```
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api get-object-acl --bucket <bucket-name> --key flag
```
- Get policy:
```
aws s3api get-bucket-policy --bucket <bucket-name>
aws s3api get-bucket-policy-status --bucket <bucket-name> #if it's public
``` ```
&nbsp;
## Resources [Additional actions to buckets.](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#enumeration)
## Additional resources
- [S3 may have additional services that may be vulnurable](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#aws-unauthenticated-enum-and-access)
- [S3 privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc)
- [S3 HTTP Cache Poisoning Issue](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#heading-s3-http-desync-cache-poisoning-issue)
- [Check if email have registered AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#used-emails-as-root-account-enumeration)
- [Get Account ID from public Bucket](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#get-account-id-from-public-bucket)
- [Confirming a bucket belongs to an AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#confirming-a-bucket-belongs-to-an-aws-account)
- [How to make persistent account in S3](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence)
- https://buckets.grayhatwarfare.com, a list with already discovered open buckets.
## Train ## Train
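Review bot: the bruteforce step under "Find bucket endpoint" links to `http://localhost:1313/hacking/howto_customize_wordlist/`, a dev-server URL that will 404 for every reader once deployed; make it site-relative like the neighbouring `/hacking/howto_crawl/` link. Two technical corrections in the same hunk: the "depricated" URL form `https://s3.amazonaws.com/[region]/[bucket_name]/` is wrong, path-style addressing is `https://s3.<region>.amazonaws.com/<bucket>/<key>` (legacy global form `https://s3.amazonaws.com/<bucket>/<key>`) and the region never appears in the path; and the documented AWS CLI option is `--endpoint-url` (`--endpoint` only works as an abbreviation and is not guaranteed across CLI versions), which should be given an `https://` URL since the `http://` form sends request headers and object contents in cleartext. The browser check in "Manually connect to S3" should distinguish `NoSuchBucket` (name unused) from `AccessDenied` (bucket exists but is closed to anonymous callers), because the second still confirms a target, and `--no-sign-request` only tests the "Everyone" grant: the "Any authenticated AWS user" grant needs the cross-account test the hunk links to. Finally, `aws s3 rb s3://bucket-name --force` deletes the bucket together with all of its objects and deserves an explicit warning on an engagement cheat sheet, and `--key flag` in the `get-object-acl` example is a CTF placeholder that should read `--key <key>`.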
@ -77,8 +144,7 @@ aws s3 cp s3://whateverbucketname/secret.txt
https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2 https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#s3-buckets
https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4 https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4
{{< /source >}} {{< /source >}}

View File

@ -1,6 +1,6 @@
+++ +++
title = 'HowTo learn Social Engineering' title = 'HowTo learn Social Engineering'
date = 2024-09-11 date = 2024-09-18
+++ +++
<!-- TODO xkcd meme --> <!-- TODO xkcd meme -->

View File

@ -1,4 +0,0 @@
[[redirects]]
from = "/*"
to = "/404/"
status = 404
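Review bot: deleting this catch-all rule (every path to `/404/` with status 404), which looks like a Netlify `[[redirects]]` entry, only works because the commit also adds a 404 layout; Netlify serves a `404.html` from the publish root automatically, so the rule was redundant there. If the site is hosted elsewhere, confirm the host maps missing paths to the generated `404.html` (GitHub Pages does, a plain nginx needs an `error_page 404` directive), otherwise unknown URLs will get the host's default error instead of this page.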

View File

@ -1,8 +1,108 @@
{{ define "main"}} {{ define "main"}}
<main id="main"> <main id="main" tabindex="-1">
<div>
<h1 id="title"><a href="{{ .Site.BaseURL | relLangURL }}">Go Home</a></h1>
Sorry, this Page is not available.
</div> <article class="post h-entry">
</main> <div class="post-header">
<header>
<h1 class="p-name post-title"><a href="/">Error 404</a></h1>
</header>
<meta property="og:url" content="http://localhost:1313/404/">
<meta property="og:site_name" content="Casual Blog">
<meta property="og:title" content="[Error 404](/)">
<meta property="og:description" content="Hi! Sorry but link doesnt exist yet.
It may be still in work or not posted yet.
If this link doesnt work for 1+ weeks, please contact me!">
<meta property="og:locale" content="en_us">
<meta property="og:type" content="article">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="[Error 404](/)">
<meta name="twitter:description" content="Hi! Sorry but link doesnt exist yet.
It may be still in work or not posted yet.
If this link doesnt work for 1+ weeks, please contact me!">
<div class="post-info noselect">
<a class="post-hidden-url u-url" href="http://localhost:1313/404/">http://localhost:1313/404/</a>
<a href="http://localhost:1313/" class="p-name p-author post-hidden-author h-card" rel="me">Casual</a>
<div class="post-taxonomies">
</div>
</div>
</div>
<script>
document.querySelector(".toc").addEventListener("click", function () {
if (event.target.tagName !== "A") {
event.preventDefault();
if (this.open) {
this.open = false;
this.classList.remove("expanded");
} else {
this.open = true;
this.classList.add("expanded");
}
}
});
</script>
<div class="content e-content">
<p>Hi! Sorry but link doesnt exist yet.</p>
<p><img src="https://media1.tenor.com/m/3rAtEcJ09BcAAAAC/cat-loading.gif" alt=""></p>
<!-- TODO download, upscale, host here - https://tenor.com/view/cat-loading-error-gif-19814836-->
<p>It may be still in work or not posted yet.</p>
<p>If this link doesnt work for 1+ weeks, please contact me!</p>
<!-- &nbsp; -->
<!-- &nbsp; -->
<!-- -->
<!-- [Take me home!](/) -->
<!-- thanks https://moonbooth.com/hugo/custom-404/ for guide -->
</div>
</article>
</main>
{{ end }} {{ end }}
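Review bot: the template hardcodes `http://localhost:1313/404/` and `http://localhost:1313/` in `og:url`, the `post-hidden-url` link and the author `h-card` link, so the deployed 404 page will advertise and link to the developer's machine; use `{{ .Permalink }}` and `{{ .Site.BaseURL }}` (or the `relLangURL` form the old version used for the home link). The inline script calls `document.querySelector(".toc").addEventListener(...)`, but this template renders no `.toc` element, so it throws a `TypeError` on every 404 page load; either drop the script here or guard it (`const toc = document.querySelector(".toc"); if (toc) { ... }`), and take `event` as the handler parameter (`function (event)`) instead of relying on the deprecated global `window.event`. Smaller points: `og:title` and `twitter:title` contain literal Markdown (`[Error 404](/)`) that meta tags will not render, `og:locale` should be `en_US`, and the hotlinked tenor GIF (already flagged by the TODO) makes every visitor of the error page fetch from a third party.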