+++
title = 'HowTo hack S3'
date = 2024-09-25
draft = true
+++

TODO ME

## What is S3?

### Abstract

S3 (Amazon Simple Storage Service) is object storage. You can think of it as cloud storage designed for **storing and retrieving large files**, e.g. backups, archives, big data analytics, content distribution, and static website content.

S3 itself is an Amazon service, but its API is implemented by self-hosted object stores as well (MinIO, Ceph RGW and others), so the same tooling and the same misconfigurations apply to them (self-hosting is usually more trouble than it is worth). In most cases a company will simply use Amazon's S3.

S3 stores objects in "buckets" - containers (think folders) for files.

### Technical

Interaction with S3 happens over a RESTful HTTP API; the `aws s3` and `aws s3api` CLI commands are wrappers around it. Each bucket has its own settings:

- Region - each bucket is created in a specific AWS region (for performance), and the region shows up in the endpoint, e.g. `https://<bucket>.s3.<region>.amazonaws.com/image.png`
- Name - bucket names are globally unique across all AWS accounts and regions (within a partition), so a name alone is enough to locate a bucket
- Storage class - how fast data can be accessed
- Lifecycle management - data can automatically be deleted or transferred to cheaper storage
- Versioning - S3 can keep every version of an object; an overwritten or "deleted" secret may still be readable as an old version
- Logging/monitoring
- Access control - the most interesting part for us.

S3 buckets are usually described as **public** or **private**:

- In a public bucket, a bucket policy or ACL grants anonymous (unauthenticated) users permission to list the bucket and/or read its objects. Listing (`s3:ListBucket`) and reading (`s3:GetObject`) are separate permissions: a bucket may deny listing but still serve any object whose key you can guess or find.
- In a private bucket, you need credentials (an IAM principal) that a bucket policy or IAM policy allows to access the specific objects.

## Recon

### Find bucket endpoint

1. Try [Wappalyzer](https://www.wappalyzer.com/apps/)
2. [Spider](/hidden/todo/) the site - `katana -js`
3. Search - search engines and the open-bucket index listed under Resources

### Find credentials

## Enumerate

Automatically: https://github.com/sa7mon/S3Scanner

## Manually connect to S3

awscli:

```
aws configure   # enter something, ideally a legitimate access key and secret; for anonymous access add --no-sign-request to the commands instead
aws --endpoint-url=http://s3.smth.com s3 ls                      # list buckets
aws --endpoint-url=http://s3.smth.com s3 ls s3://smth            # list files
aws s3 ls s3://whateverbucketname
aws s3 ls --no-sign-request s3://whateverbucketname              # same, unauthenticated
aws --endpoint-url=http://s3.smth.com s3 cp smth s3://smth       # upload
aws s3 mv Exploit.txt s3://whateverbucketname/
aws --endpoint-url=http://s3.smth.com s3 cp s3://smth/file .     # download
aws s3 cp s3://whateverbucketname/secret.txt .
```

## Resources

- https://buckets.grayhatwarfare.com, a list of already discovered open buckets.

## Train

- http://flaws.cloud/
- http://flaws2.cloud/

{{< source >}}
https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#s3-buckets
https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4
{{< /source >}}
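Added example, not part of the original post: a small shell helper that ties the Recon and Enumerate sections together. `extract_s3_buckets` pulls bucket names out of spidered HTML/JS, covering the three endpoint shapes S3 uses (virtual-hosted `BUCKET.s3.amazonaws.com`, regional `BUCKET.s3.REGION.amazonaws.com` / `BUCKET.s3-REGION.amazonaws.com`, and path-style `s3.REGION.amazonaws.com/BUCKET`), and `classify_s3_response` interprets the HTTP status and XML error body returned by an unauthenticated GET of a bucket root, i.e. the same responses `aws s3 ls --no-sign-request` is interpreting for you. The sample HTML and the bucket names `acme-assets`, `acme-backups` and `cdn.acme.example` are constructed for the example; `probe_bucket` is the only function that touches the network.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): S3 bucket discovery + access classification.
set -eu

# Constructed sample of spidered page content (made-up bucket names).
SAMPLE_HTML='<script src="https://acme-assets.s3.amazonaws.com/js/app.min.js"></script>
<img src="https://s3.eu-west-1.amazonaws.com/acme-backups/logo.png">
<a href="http://cdn.acme.example.s3-us-west-2.amazonaws.com/file.zip">dl</a>
<link href="https://ACME-ASSETS.s3.us-east-1.amazonaws.com/css/site.css">
<a href="https://example.com/not-a-bucket">nope</a>'

# Read text on stdin, print one unique (lower-cased) bucket name per line.
# Bucket names are 3-63 chars of [a-z0-9.-]; the path-style pattern requires the
# "s3" label to start the host so "BUCKET.s3.amazonaws.com/key" is not misread
# as path-style with "key" as the bucket.
extract_s3_buckets() {
  local input
  input=$(cat | tr '[:upper:]' '[:lower:]')
  {
    # virtual-hosted: BUCKET.s3[.REGION|-REGION|.dualstack.REGION].amazonaws.com
    printf '%s\n' "$input" \
      | grep -oE '[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]\.s3([.-][a-z0-9.-]+)?\.amazonaws\.com' \
      | sed -E 's/\.s3([.-][a-z0-9.-]+)?\.amazonaws\.com$//' || true
    # path-style: s3[.REGION|-REGION].amazonaws.com/BUCKET
    printf '%s\n' "$input" \
      | grep -oE '(^|[^a-z0-9.-])s3([.-][a-z0-9.-]+)?\.amazonaws\.com/[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]' \
      | sed -E 's#.*amazonaws\.com/##' || true
  } | LC_ALL=C sort -u
}

# Map (HTTP status, body) of an anonymous GET on "https://BUCKET.s3.amazonaws.com/"
# to a verdict. Kept separate from the network call so it can be tested offline.
classify_s3_response() {
  local status="$1" body="$2"
  case "$status" in
    200)
      if printf '%s' "$body" | grep -q '<ListBucketResult'; then
        echo "public-listable"        # anonymous s3:ListBucket allowed
      else
        echo "public-readable"        # 200 without a listing: object or website index served
      fi ;;
    301|307)
      echo "exists-other-region" ;;   # bucket exists; x-amz-bucket-region header says where
    403)
      echo "exists-private" ;;        # AccessDenied / AllAccessDisabled: name is taken, no anonymous list
    404)
      if printf '%s' "$body" | grep -q '<Code>NoSuchBucket</Code>'; then
        echo "no-such-bucket"         # name is free (or not routed at this endpoint)
      else
        echo "exists-no-such-key"     # NoSuchKey: bucket exists, that object does not
      fi ;;
    *)
      echo "unknown-$status" ;;
  esac
}

# Network probe: fetch the bucket root anonymously and classify it.
probe_bucket() {
  local bucket="$1" tmp status
  tmp=$(mktemp)
  status=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' \
    "https://${bucket}.s3.amazonaws.com/") || status=000
  printf '%s %s\n' "$bucket" "$(classify_s3_response "$status" "$(cat "$tmp")")"
  rm -f "$tmp"
}

# Usage:  ./s3recon.sh --demo            (extract from the constructed sample)
#         ./s3recon.sh --probe BUCKET    (live probe; needs network)
#         cat spidered.txt | ./s3recon.sh --extract
case "${1:-}" in
  --demo)    printf '%s\n' "$SAMPLE_HTML" | extract_s3_buckets ;;
  --extract) extract_s3_buckets ;;
  --probe)   probe_bucket "$2" ;;
esac
```

A 403 only tells you the name is taken somewhere in AWS, not that the bucket belongs to the target; a 200 listing still says nothing about write access, which is what the `aws s3 cp`/`mv` upload lines above test (with `--no-sign-request` for the anonymous case). Pipe `katana -js` output into `--extract` to feed discovered names into the probe.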