new posts

content/hacking/HowTo_Bash_reverseShell.md

@@ -1,6 +1,6 @@
 +++
 title = 'HowTo Bash ReverseShell'
-date = 2024-09-04
+date = 2024-09-11
 +++
 
 Listener - `nc -l 8081`

content/hacking/HowTo_CRLF.md

@@ -1,6 +1,6 @@
 +++
 title = 'HowTo CRLF'
-date = 2024-09-18
+date = 2024-09-25
 +++
 
 

content/hacking/HowTo_S3.md

@@ -1,10 +1,8 @@
 +++
-title = 'HowTo hack S3'
-date = 2024-09-25
-draft = true
+title = 'HowTo Hack S3'
+date = 2024-09-04
 +++
 
-TODO ME
 
 ## What is S3?
 
@@ -12,60 +10,129 @@ TODO ME
 
 S3 (Amazon Simple Storage Service) - object storage. You can think of it as cloud storage but designed for **storing and retrieving large files**. E.g. backups, archives, big data analytics, content distribution, and static website content.
 
-S3 can be selfhosted (but you probably shouldn't do it). In other cases, company probably will use Amazon's S3.
+S3 can be selfhosted (but you probably shouldn't do it). In other cases, company probably will use Amazon's S3 or one of those providers:
+ - DigitalOcean
+ - DreamHost
+ - GCP
+ - Linode
+ - Scaleway
 
 S3 have "buckets" - container/folder for files. 
 
 ### Technical
 
-Interaction with S3 happens via RESTful API (`aws s3`).
+Interaction with S3 happens via RESTful API (via `awscli`).
 
 Each bucket have its own settings:
- - Region - each bucket is created in specific AWS region (for performance) - e.g. `https://<bucket-name>.s3.<region>.amazonaws.com/image.png`
+ - Region - each bucket is created in specific AWS region (for performance) - 
+ e.g. `https://<bucket-name>.s3.<region>.amazonaws.com/image.png`    
+ or (depricated) `https://s3.amazonaws.com/[region]/[bucket_name]/`  
+ or "dual-stack" (with IPv6 address):  
+ `bucketname.s3.dualstack.aws-region.amazonaws.com`  
+ `s3.dualstack.aws-region.amazonaws.com/bucketname`
  - Name - each name should be unique across all AWS regions
- - Storage class - how fast data can be accessed 
- - Lifecycle management - data can automatically be deleted or transfered to cheaper storage
  - Versioning - S3 can keep snapshots of data
- - Logging/monitoring
+ - Logging/monitoring - disabled by default
  - Access control - the most interesting part for us. S3 have **public** and **private** buckets:
-	 -	In public bucket - any user can list content
+	 -	In public (or open) bucket - any user can list content
 	 -	In private bucket - you should have credentials which have access to specific file
- 
+  <!-- - Storage class - how fast data can be accessed  -->
+ <!-- - Lifecycle management - data can automatically be deleted or transfered to cheaper storage -->
 
 ## Recon
 
 ### Find bucket endpoint
 
-1. Try [Wappalyzer](https://www.wappalyzer.com/apps/)
-2. [Spider](/hidden/todo/) site - `katana -js`
-3. Search 
+<!-- 1. Try [Wappalyzer](https://www.wappalyzer.com/apps/) -->
+1. [Crawl](/hacking/howto_crawl/) site - `katana -js -u SITE`  
+1. Search in crawl results `.*s3.*amazonaws.com`
+1. Check for CNAMEs for domains in crawl results `resources.domain.com -> bucket.s3.amazonaws.com`
+1. Check [list of discovered buckets](https://buckets.grayhatwarfare.com), it may have your bucket.
+1. [Bruteforce bucket name](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#brute-force) by [creating custom wordlist](http://localhost:1313/hacking/howto_customize_wordlist/) per domain
+	
 
 ### Find credentials
 
+We will try to find S3 bucket credentials with OSINT.
+
+1. Use Google Dorks
+1. Check git public repos of company
+1. Check git repos of employees
+
+If you have access to Google Custom Search Engine:
+ - https://github.com/carlospolop/gorks 
+ - https://github.com/carlospolop/pastos   
+ 
+and check https://github.com/carlospolop/leakos 
+
 ## Enumerate
 
-Automatically:
-https://github.com/sa7mon/S3Scanner
+### Automatically
 
-## Manually connect to S3
+Find public buckets in bucket list (or bruteforce bucket name): [S3Scanner](https://github.com/sa7mon/S3Scanner)  
+Search for secrets in public bucket: [BucketLoot](https://github.com/redhuntlabs/BucketLoot)
+
+### Manually connect to S3
+
+To check if bucket is public - you can just open bucket link in browser, it will list first 1000 objects in it. Otherwise you will get "AccessDenied"
 
 awscli:
+- `aws configure` - write credentials if you have them   
+otherwise try with [valid S3 account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#cross-account-attacks) without access
+
+- list S3 buckets associated with a profile  
+`aws s3 ls`  
+`aws s3api list-buckets`  
+	`aws --endpoint=http://s3.customDomain.com s3 ls` - to use custom domain
+
+- list files - `aws s3 ls s3://bucket `					  
+	 `--recursive` - list recursively  
+	 `--no-sign-request` - check 'Everyone' permissions  
+	 `--endpoint` - use custom S3 domain
+Additionally:
 ```  
-aws configure
-*написать что либо, в идеале легальный логин и пароль*
-aws --endpoint=http://s3.smth.com s3 ls      		    	# list buckets
-aws --endpoint=http://s3.smth.com s3 ls s3://smth   		# list files
-aws s3 ls s3://whateverbucketname
-aws --endpoint=http://s3.smth.com s3 cp smth s3://smth 		# upload
-aws s3 mv Exploit.txt s3://whateverbucketname/
-aws --endpoint=http://s3.smth.com s3 cp s3://smth 			# download
-aws s3 cp s3://whateverbucketname/secret.txt
+# list content of bucket (with creds)
+aws s3 ls s3://bucket-name
+aws s3api list-objects-v2 --bucket <bucket-name>
+aws s3api list-objects --bucket <bucket-name>
+aws s3api list-object-versions --bucket <bucket-name>
+```  
+ -  upload - `aws s3 cp smth s3://smth`
+![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fwww.memecreator.org%2Fstatic%2Fimages%2Fmemes%2F5211903.jpg&f=1&nofb=1&ipt=4e060c4e534d29fd7ee6d8eef91064b6e86d55b0750a1b8e41b9ab8827cf768d&ipo=images)
+ -  download - `aws s3 cp s3://bucket/secret.txt`
+ -  download whole bucket - `aws s3 sync s3://<bucket>/ .`
+ -  delete - `aws s3 rb s3://bucket-name --force`	
+![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fpawelurbanek.com%2Fassets%2Fs3_data_lost-1f25428b7e80c3b337a3c19004370bdca5c2dcc609a438ea5ea684937b20b03a.jpg&f=1&nofb=1&ipt=3243987f15adb705d6975f8f371993819fbba711c4d6a483a5ee3b6d003c79f3&ipo=images)
+
+### Gather info on bucket
+
+
+- Get buckets ACLs:
+```
+aws s3api get-bucket-acl --bucket <bucket-name>
+aws s3api get-object-acl --bucket <bucket-name> --key flag
+```
+- Get policy:
+```
+aws s3api get-bucket-policy --bucket <bucket-name>
+aws s3api get-bucket-policy-status --bucket <bucket-name> #if it's public
+
 ```
 
+&nbsp; 
    
-## Resources
+[Additional actions to buckets.](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#enumeration)
+
+## Additional resources
+
+ - [S3 may have additional services that may be vulnurable](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#aws-unauthenticated-enum-and-access)
+ - [S3 privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc)
+ - [S3 HTTP Cache Poisoning Issue](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#heading-s3-http-desync-cache-poisoning-issue)
+ - [Check if email have registered AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#used-emails-as-root-account-enumeration)
+ - [Get Account ID from public Bucket](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#get-account-id-from-public-bucket)
+ - [Confirming a bucket belongs to an AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#confirming-a-bucket-belongs-to-an-aws-account)
+ - [How to make persistent account in S3](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence)  
 
- - https://buckets.grayhatwarfare.com, a list with already discovered open buckets.
 
 ## Train
 
@@ -77,8 +144,7 @@ aws s3 cp s3://whateverbucketname/secret.txt
 https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2
 https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence
 https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum
-https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum
+https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access
 https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
-https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#s3-buckets
 https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4
 {{< /source >}}

content/hacking/HowTo_learn_SocialEngineering.md

@@ -1,6 +1,6 @@
 +++
 title = 'HowTo learn Social Engineering'
-date = 2024-09-11
+date = 2024-09-18
 +++
 
 <!-- TODO xkcd meme -->

netlify.toml

@@ -1,4 +0,0 @@
-[[redirects]]
-	from = "/*"
-	to = "/404/"
-	status = 404

themes/anubis2/layouts/404.html

@@ -1,8 +1,108 @@
 {{ define "main"}}
-<main id="main">
-    <div>
-        <h1 id="title"><a href="{{ .Site.BaseURL | relLangURL }}">Go Home</a></h1>
-        Sorry, this Page is not available.
-    </div>
-</main>
+ <main id="main" tabindex="-1"> 
+             
+     
+ 
+     <article class="post h-entry">
+         <div class="post-header">
+             <header>
+                 <h1 class="p-name post-title"><a href="/">Error 404</a></h1>
+                 
+             </header>
+             
+ 
+ 
+ 
+ <meta property="og:url" content="http://localhost:1313/404/">
+   <meta property="og:site_name" content="Casual Blog">
+   <meta property="og:title" content="[Error 404](/)">
+   <meta property="og:description" content="Hi! Sorry but link doesn’t exist yet.
+ It may be still in work or not posted yet.
+ If this link doesn’t work for 1+ weeks, please contact me!">
+   <meta property="og:locale" content="en_us">
+   <meta property="og:type" content="article">
+ 
+ 
+   <meta name="twitter:card" content="summary">
+   <meta name="twitter:title" content="[Error 404](/)">
+   <meta name="twitter:description" content="Hi! Sorry but link doesn’t exist yet.
+ It may be still in work or not posted yet.
+ If this link doesn’t work for 1+ weeks, please contact me!">
+ 
+ 
+ <div class="post-info noselect">
+     
+ 
+     <a class="post-hidden-url u-url" href="http://localhost:1313/404/">http://localhost:1313/404/</a>
+     <a href="http://localhost:1313/" class="p-name p-author post-hidden-author h-card" rel="me">Casual</a>
+ 
+ 
+     <div class="post-taxonomies">
+         
+         
+         
+     </div>
+ </div>
+ 
+         </div>
+          
+  
+ 
+ 
+ 
+ 
+ 
+ <script>
+   document.querySelector(".toc").addEventListener("click", function () {
+     if (event.target.tagName !== "A") {
+       event.preventDefault();
+       if (this.open) {
+         this.open = false;
+         this.classList.remove("expanded");
+       } else {
+         this.open = true;
+         this.classList.add("expanded");
+       }
+     }
+   });
+ </script>
+ 
+         <div class="content e-content">
+             <p>Hi! Sorry but link doesn’t exist yet.</p>
+ <p><img src="https://media1.tenor.com/m/3rAtEcJ09BcAAAAC/cat-loading.gif" alt=""></p>
+ <!-- TODO download, upscale, host here  - https://tenor.com/view/cat-loading-error-gif-19814836-->
+ <p>It may be still in work or not posted yet.</p>
+ <p>If this link doesn’t work for 1+ weeks, please contact me!</p>
+ <!-- &nbsp;   -->
+ <!-- &nbsp;   -->
+ <!--  -->
+ <!-- [Take me home!](/) -->
+ <!-- thanks https://moonbooth.com/hugo/custom-404/ for guide -->
+ 
+         </div>
+ 
+     </article>
+     
+     
+         
+         
+     
+ 
+     
+ 
+     
+         
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+ 
+     
+ 
+         </main>
+
 {{ end }}