Casual_blog/content/hacking/HowTo_S3.md
2024-09-04 02:24:52 +03:00

151 lines
6.9 KiB
Markdown

+++
title = 'HowTo Hack S3'
date = 2024-09-04
+++
## What is S3?
### Abstract
S3 (Amazon Simple Storage Service) - object storage. You can think of it as cloud storage but designed for **storing and retrieving large files**. E.g. backups, archives, big data analytics, content distribution, and static website content.
S3 can be selfhosted (but you probably shouldn't do it). In other cases, company probably will use Amazon's S3 or one of those providers:
- DigitalOcean
- DreamHost
- GCP
- Linode
- Scaleway
S3 have "buckets" - container/folder for files.
### Technical
Interaction with S3 happens via RESTful API (via `awscli`).
Each bucket have its own settings:
- Region - each bucket is created in specific AWS region (for performance) -
e.g. `https://<bucket-name>.s3.<region>.amazonaws.com/image.png`
or (depricated) `https://s3.amazonaws.com/[region]/[bucket_name]/`
or "dual-stack" (with IPv6 address):
`bucketname.s3.dualstack.aws-region.amazonaws.com`
`s3.dualstack.aws-region.amazonaws.com/bucketname`
- Name - each name should be unique across all AWS regions
- Versioning - S3 can keep snapshots of data
- Logging/monitoring - disabled by default
- Access control - the most interesting part for us. S3 have **public** and **private** buckets:
- In public (or open) bucket - any user can list content
- In private bucket - you should have credentials which have access to specific file
<!-- - Storage class - how fast data can be accessed -->
<!-- - Lifecycle management - data can automatically be deleted or transfered to cheaper storage -->
## Recon
### Find bucket endpoint
<!-- 1. Try [Wappalyzer](https://www.wappalyzer.com/apps/) -->
1. [Crawl](/hacking/howto_crawl/) site - `katana -js -u SITE`
1. Search in crawl results `.*s3.*amazonaws.com`
1. Check for CNAMEs for domains in crawl results `resources.domain.com -> bucket.s3.amazonaws.com`
1. Check [list of discovered buckets](https://buckets.grayhatwarfare.com), it may have your bucket.
1. [Bruteforce bucket name](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#brute-force) by [creating custom wordlist](http://localhost:1313/hacking/howto_customize_wordlist/) per domain
### Find credentials
We will try to find S3 bucket credentials with OSINT.
1. Use Google Dorks
1. Check git public repos of company
1. Check git repos of employees
If you have access to Google Custom Search Engine:
- https://github.com/carlospolop/gorks
- https://github.com/carlospolop/pastos
and check https://github.com/carlospolop/leakos
## Enumerate
### Automatically
Find public buckets in bucket list (or bruteforce bucket name): [S3Scanner](https://github.com/sa7mon/S3Scanner)
Search for secrets in public bucket: [BucketLoot](https://github.com/redhuntlabs/BucketLoot)
### Manually connect to S3
To check if bucket is public - you can just open bucket link in browser, it will list first 1000 objects in it. Otherwise you will get "AccessDenied"
awscli:
- `aws configure` - write credentials if you have them
otherwise try with [valid S3 account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#cross-account-attacks) without access
- list S3 buckets associated with a profile
`aws s3 ls`
`aws s3api list-buckets`
`aws --endpoint=http://s3.customDomain.com s3 ls` - to use custom domain
- list files - `aws s3 ls s3://bucket `
`--recursive` - list recursively
`--no-sign-request` - check 'Everyone' permissions
`--endpoint` - use custom S3 domain
Additionally:
```
# list content of bucket (with creds)
aws s3 ls s3://bucket-name
aws s3api list-objects-v2 --bucket <bucket-name>
aws s3api list-objects --bucket <bucket-name>
aws s3api list-object-versions --bucket <bucket-name>
```
- upload - `aws s3 cp smth s3://smth`
![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fwww.memecreator.org%2Fstatic%2Fimages%2Fmemes%2F5211903.jpg&f=1&nofb=1&ipt=4e060c4e534d29fd7ee6d8eef91064b6e86d55b0750a1b8e41b9ab8827cf768d&ipo=images)
- download - `aws s3 cp s3://bucket/secret.txt`
- download whole bucket - `aws s3 sync s3://<bucket>/ .`
- delete - `aws s3 rb s3://bucket-name --force`
![](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fpawelurbanek.com%2Fassets%2Fs3_data_lost-1f25428b7e80c3b337a3c19004370bdca5c2dcc609a438ea5ea684937b20b03a.jpg&f=1&nofb=1&ipt=3243987f15adb705d6975f8f371993819fbba711c4d6a483a5ee3b6d003c79f3&ipo=images)
### Gather info on bucket
- Get buckets ACLs:
```
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api get-object-acl --bucket <bucket-name> --key flag
```
- Get policy:
```
aws s3api get-bucket-policy --bucket <bucket-name>
aws s3api get-bucket-policy-status --bucket <bucket-name> #if it's public
```
&nbsp;
[Additional actions to buckets.](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#enumeration)
## Additional resources
- [S3 may have additional services that may be vulnurable](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#aws-unauthenticated-enum-and-access)
- [S3 privesc](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-privilege-escalation/aws-s3-privesc)
- [S3 HTTP Cache Poisoning Issue](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum#heading-s3-http-desync-cache-poisoning-issue)
- [Check if email have registered AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#used-emails-as-root-account-enumeration)
- [Get Account ID from public Bucket](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#get-account-id-from-public-bucket)
- [Confirming a bucket belongs to an AWS account](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum#confirming-a-bucket-belongs-to-an-aws-account)
- [How to make persistent account in S3](https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence)
## Train
- http://flaws.cloud/
- http://flaws2.cloud/
{{< source >}}
https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4
{{< /source >}}