Casual_blog/content/hacking/HowTo_S3.md
2024-09-04 02:24:52 +03:00

6.9 KiB

+++ title = 'HowTo Hack S3' date = 2024-09-04 +++

What is S3?

Abstract

S3 (Amazon Simple Storage Service) - object storage. You can think of it as cloud storage but designed for storing and retrieving large files. E.g. backups, archives, big data analytics, content distribution, and static website content.

S3 can be selfhosted (but you probably shouldn't do it). In other cases, company probably will use Amazon's S3 or one of those providers:

  • DigitalOcean
  • DreamHost
  • GCP
  • Linode
  • Scaleway

S3 have "buckets" - container/folder for files.

Technical

Interaction with S3 happens via RESTful API (via awscli).

Each bucket have its own settings:

  • Region - each bucket is created in specific AWS region (for performance) - e.g. https://<bucket-name>.s3.<region>.amazonaws.com/image.png
    or (depricated) https://s3.amazonaws.com/[region]/[bucket_name]/
    or "dual-stack" (with IPv6 address):
    bucketname.s3.dualstack.aws-region.amazonaws.com
    s3.dualstack.aws-region.amazonaws.com/bucketname
  • Name - each name should be unique across all AWS regions
  • Versioning - S3 can keep snapshots of data
  • Logging/monitoring - disabled by default
  • Access control - the most interesting part for us. S3 have public and private buckets:
    • In public (or open) bucket - any user can list content
    • In private bucket - you should have credentials which have access to specific file

Recon

Find bucket endpoint

  1. Crawl site - katana -js -u SITE
  2. Search in crawl results .*s3.*amazonaws.com
  3. Check for CNAMEs for domains in crawl results resources.domain.com -> bucket.s3.amazonaws.com
  4. Check list of discovered buckets, it may have your bucket.
  5. Bruteforce bucket name by creating custom wordlist per domain

Find credentials

We will try to find S3 bucket credentials with OSINT.

  1. Use Google Dorks
  2. Check git public repos of company
  3. Check git repos of employees

If you have access to Google Custom Search Engine:

and check https://github.com/carlospolop/leakos

Enumerate

Automatically

Find public buckets in bucket list (or bruteforce bucket name): S3Scanner
Search for secrets in public bucket: BucketLoot

Manually connect to S3

To check if bucket is public - you can just open bucket link in browser, it will list first 1000 objects in it. Otherwise you will get "AccessDenied"

awscli:

  • aws configure - write credentials if you have them
    otherwise try with valid S3 account without access

  • list S3 buckets associated with a profile
    aws s3 ls
    aws s3api list-buckets
    aws --endpoint=http://s3.customDomain.com s3 ls - to use custom domain

  • list files - aws s3 ls s3://bucket
    --recursive - list recursively
    --no-sign-request - check 'Everyone' permissions
    --endpoint - use custom S3 domain Additionally:

# list content of bucket (with creds)
aws s3 ls s3://bucket-name
aws s3api list-objects-v2 --bucket <bucket-name>
aws s3api list-objects --bucket <bucket-name>
aws s3api list-object-versions --bucket <bucket-name>
  • upload - aws s3 cp smth s3://smth
  • download - aws s3 cp s3://bucket/secret.txt
  • download whole bucket - aws s3 sync s3://<bucket>/ .
  • delete - aws s3 rb s3://bucket-name --force

Gather info on bucket

  • Get buckets ACLs:
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api get-object-acl --bucket <bucket-name> --key flag
  • Get policy:
aws s3api get-bucket-policy --bucket <bucket-name>
aws s3api get-bucket-policy-status --bucket <bucket-name> #if it's public

 

Additional actions to buckets.

Additional resources

Train

{{< source >}} https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2 https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4 {{< /source >}}