+++
title = 'HowTo Hack S3'
date = 2024-09-04
+++

## What is S3?

### Abstract

S3 (Amazon Simple Storage Service) is object storage. You can think of it as cloud storage designed for **storing and retrieving large files**, e.g. backups, archives, big data analytics, content distribution, and static website content.

S3 can be self-hosted (but you probably shouldn't do it). Otherwise a company will probably use Amazon's S3 or one of these providers:

- DigitalOcean
- DreamHost
- GCP
- Linode
- Scaleway

S3 has "buckets" - containers/folders for files.

### Technical

Interaction with S3 happens via a RESTful API (e.g. via `awscli`).

Each bucket has its own settings:

- Region - each bucket is created in a specific AWS region (for performance):
  - `https://<bucket-name>.s3.<region>.amazonaws.com/image.png`
  - (deprecated) `https://s3.amazonaws.com/[region]/[bucket_name]/`
  - "dual-stack" (with an IPv6 address): `bucketname.s3.dualstack.aws-region.amazonaws.com` or `s3.dualstack.aws-region.amazonaws.com/bucketname`
- Name - each name must be unique across all AWS regions
- Versioning - S3 can keep snapshots of data
- Logging/monitoring - disabled by default
- Access control - the most interesting part for us. S3 has **public** and **private** buckets:
  - In a public (or open) bucket, any user can list the content
  - In a private bucket, you need credentials that have access to the specific file

<!-- - Storage class - how fast data can be accessed -->
<!-- - Lifecycle management - data can automatically be deleted or transferred to cheaper storage -->

## Recon

### Find bucket endpoint

<!-- 1. Try [Wappalyzer](https://www.wappalyzer.com/apps/) -->
1. [Crawl](/hacking/howto_crawl/) the site - `katana -js -u SITE`
1. Search the crawl results for `.*s3.*amazonaws.com`
1. Check for CNAMEs of the domains in the crawl results, e.g. `resources.domain.com -> bucket.s3.amazonaws.com`
1. Check the [list of discovered buckets](https://buckets.grayhatwarfare.com); it may already contain your bucket.
1. [Bruteforce the bucket name](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#brute-force) by [creating a custom wordlist](http://localhost:1313/hacking/howto_customize_wordlist/) per domain
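The endpoint formats listed under Technical and the `.*s3.*amazonaws.com` search over crawl results, turned into a small parser. This is an added example, not code from the original post: it extracts bucket name, region and addressing style (virtual-hosted, path-style, dual-stack, plus the older `s3-<region>` dash form) from every S3 URL in crawl output, so each referenced bucket can be reviewed once. The crawl lines are constructed sample data.

```python
import re
from typing import NamedTuple, Optional
from urllib.parse import urlparse

# Host forms listed on this page (virtual-hosted, path-style, dual-stack) plus the older "s3-<region>" dash form.
_HOST_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.)?"  # virtual-hosted prefix
    r"s3(?P<dual>\.dualstack)?"
    r"(?:[.-](?P<region>[a-z]{2}(?:-[a-z]+)+-\d))?"  # e.g. eu-west-1, us-gov-west-1
    r"\.amazonaws\.com$"
)
_URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class S3Ref(NamedTuple):
    bucket: str
    region: Optional[str]  # None when the host is the legacy global endpoint
    style: str             # "virtual-hosted" or "path"
    dualstack: bool

def parse_s3_url(url: str) -> Optional[S3Ref]:
    """Return the bucket reference encoded in an S3 URL, or None if it is not one."""
    if "://" not in url:
        url = "https://" + url
    parts = urlparse(url)
    m = _HOST_RE.match(parts.hostname or "")
    if not m:
        return None
    dual = bool(m.group("dual"))
    if m.group("bucket"):
        return S3Ref(m.group("bucket"), m.group("region"), "virtual-hosted", dual)
    segment = parts.path.strip("/").split("/", 1)[0]  # path-style: bucket is the first segment
    return S3Ref(segment, m.group("region"), "path", dual) if segment else None

def find_s3_refs(crawl_output: str) -> list:
    """Scan crawl output (e.g. katana's URL list) and return distinct bucket references."""
    found = {}
    for url in _URL_RE.findall(crawl_output):
        ref = parse_s3_url(url)
        if ref and ref.bucket not in found:  # bucket names are globally unique
            found[ref.bucket] = ref
    return sorted(found.values())

# Constructed sample of crawl output, not real data.
CRAWL_SAMPLE = """\
https://example.com/index.html
https://assets-example.s3.eu-west-1.amazonaws.com/img/logo.png
https://s3.amazonaws.com/example-backups/2024/db.sql.gz
https://example-static.s3.dualstack.us-east-1.amazonaws.com/app.js
https://s3.dualstack.ap-southeast-2.amazonaws.com/example-media/video.mp4
"""
```

`find_s3_refs(CRAWL_SAMPLE)` returns four references; the first line of the sample is skipped because it is not an S3 host.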

### Find credentials

We will try to find S3 bucket credentials with OSINT.

1. Use Google Dorks
1. Check the company's public git repos
1. Check the git repos of employees

If you have access to Google Custom Search Engine:

- https://github.com/carlospolop/gorks
- https://github.com/carlospolop/pastos

and check https://github.com/carlospolop/leakos

## Enumerate

### Automatically

Find public buckets in a bucket list (or bruteforce bucket names): [S3Scanner](https://github.com/sa7mon/S3Scanner)

Search for secrets in a public bucket: [BucketLoot](https://github.com/redhuntlabs/BucketLoot)

### Manually connect to S3

To check if a bucket is public, just open the bucket link in a browser: it will list the first 1000 objects in it. Otherwise you will get "AccessDenied".

awscli:

- `aws configure` - enter credentials if you have them; otherwise try with a [valid S3 account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#cross-account-attacks) that has no access
- list the S3 buckets associated with a profile:
  - `aws s3 ls`
  - `aws s3api list-buckets`
  - `aws --endpoint=http://s3.customDomain.com s3 ls` - to use a custom domain
- list files - `aws s3 ls s3://bucket`
  - `--recursive` - list recursively
  - `--no-sign-request` - check 'Everyone' permissions
  - `--endpoint` - use a custom S3 domain

Additionally:

```
# list content of bucket (with creds)
aws s3 ls s3://bucket-name
aws s3api list-objects-v2 --bucket <bucket-name>
aws s3api list-objects --bucket <bucket-name>
aws s3api list-object-versions --bucket <bucket-name>
```

- upload - `aws s3 cp smth s3://smth`

![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fwww.memecreator.org%2Fstatic%2Fimages%2Fmemes%2F5211903.jpg&f=1&nofb=1&ipt=4e060c4e534d29fd7ee6d8eef91064b6e86d55b0750a1b8e41b9ab8827cf768d&ipo=images)

- download - `aws s3 cp s3://bucket/secret.txt .`
- download the whole bucket - `aws s3 sync s3://<bucket>/ .`
- delete - `aws s3 rb s3://bucket-name --force`

![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fpawelurbanek.com%2Fassets%2Fs3_data_lost-1f25428b7e80c3b337a3c19004370bdca5c2dcc609a438ea5ea684937b20b03a.jpg&f=1&nofb=1&ipt=3243987f15adb705d6975f8f371993819fbba711c4d6a483a5ee3b6d003c79f3&ipo=images)

### Gather info on bucket

- Get bucket ACLs:

```
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api get-object-acl --bucket <bucket-name> --key flag
```

- Get policy:

```
aws s3api get-bucket-policy --bucket <bucket-name>
aws s3api get-bucket-policy-status --bucket <bucket-name> # reports whether the policy makes the bucket public
```

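Reading the ACL and policy output above for public exposure, as an added example that is not part of the original post: it flags grants to the AllUsers/AuthenticatedUsers groups in a `get-bucket-acl` (or `get-object-acl`) response and Allow statements with a wildcard principal in a `get-bucket-policy` response, which returns the policy document as a JSON string inside the `Policy` field. The responses are constructed samples; `EXAMPLE_OWNER_ID`, `vpce-EXAMPLE` and the bucket name are placeholders.

```python
import json

PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers"}

def public_acl_grants(acl: dict) -> list:
    """Grants to the global groups in a get-bucket-acl / get-object-acl response."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return out

def _is_wildcard(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, also when "*" is one entry of a list."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_response: dict) -> list:
    """Allow statements with a wildcard principal. get-bucket-policy returns the
    document as a JSON string inside "Policy", so it is decoded here first."""
    stmts = json.loads(policy_response["Policy"]).get("Statement", [])
    out = []
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal")):
            actions = s.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            # A Condition (e.g. aws:SourceVpce) can make the grant non-public in
            # practice; it is flagged for manual review rather than evaluated.
            out.append((s.get("Sid", "<no Sid>"), sorted(actions), "Condition" in s))
    return out

# Constructed sample responses shaped like the awscli output; not real data.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-static/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-static/*", "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "TlsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-static/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})}
```

The Deny statement with `Principal: "*"` (a common enforce-TLS rule) is deliberately not reported, and the conditioned Allow is reported with its third field set to `True` so it can be checked by hand.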
[Additional actions on buckets.](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#enumeration)

## Additional resources

- [S3 may have additional services that may be vulnerable](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#aws-unauthenticated-enum-and-access)
- [S3 privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc)
- [S3 HTTP Cache Poisoning Issue](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#heading-s3-http-desync-cache-poisoning-issue)
- [Check if an email has a registered AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#used-emails-as-root-account-enumeration)
- [Get Account ID from a public Bucket](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#get-account-id-from-public-bucket)
- [Confirming a bucket belongs to an AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#confirming-a-bucket-belongs-to-an-aws-account)
- [How to make a persistent account in S3](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence)

## Train

- http://flaws.cloud/
- http://flaws2.cloud/

{{< source >}}
https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4
{{< /source >}}