Casual_blog/content/hacking/HowTo_S3.md
2024-09-03 22:36:04 +03:00


+++
title = 'HowTo hack S3'
date = 2024-09-25
draft = true
+++

TODO ME

What is S3?

Abstract

S3 (Amazon Simple Storage Service) is object storage. You can think of it as cloud storage designed for storing and retrieving large files, e.g. backups, archives, big data analytics, content distribution, and static website content.

S3 can be self-hosted (but you probably shouldn't do it). In other cases, the company will probably use Amazon's S3.

S3 has "buckets": containers/folders for files.

Technical

Interaction with S3 happens via a RESTful API (aws s3).

Each bucket has its own settings:

  • Region - each bucket is created in a specific AWS region (for performance) - e.g. https://<bucket-name>.s3.<region>.amazonaws.com/image.png
  • Name - each name should be unique across all AWS regions
  • Storage class - how fast data can be accessed
  • Lifecycle management - data can automatically be deleted or transferred to cheaper storage
  • Versioning - S3 can keep snapshots of data
  • Logging/monitoring
  • Access control - the most interesting part for us. S3 has public and private buckets:
    • In a public bucket, any user can list the content
    • In a private bucket, you need credentials that have access to the specific file
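To make the public/private distinction concrete from the bucket owner's side, here is an added example (not part of the original post) that audits a bucket policy and ACL grants for operations open to anyone. The function names and sample data are constructed for illustration, and the check is simplified: it ignores Deny statements and Block Public Access settings, and treats any statement with a Condition as not public.

```python
import fnmatch

# Predefined S3 group that means "everyone, including unauthenticated users".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
CHECKS = {"list": "s3:ListBucket", "read": "s3:GetObject", "write": "s3:PutObject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for "*" and {"AWS": "*"}: both mean no credentials are needed."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_exposure(policy, acl_grants):
    """Return the set of operations ("list", "read", "write") open to anyone."""
    exposed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        # Simplification (assumption): a conditional statement is not counted.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        # Action names are case-insensitive and may use * and ? wildcards.
        for pattern in _as_list(stmt.get("Action", [])):
            for name, action in CHECKS.items():
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    exposed.add(name)
    for grant in acl_grants:
        if grant.get("Grantee", {}).get("URI") == ALL_USERS:
            perm = grant.get("Permission")
            if perm in ("READ", "FULL_CONTROL"):
                exposed.add("list")  # READ on a bucket ACL allows listing keys
            if perm in ("WRITE", "FULL_CONTROL"):
                exposed.add("write")
    return exposed


# Constructed sample input, shaped like get-bucket-policy / get-bucket-acl output.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:List*"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"}]

if __name__ == "__main__":
    print(sorted(public_exposure(SAMPLE_POLICY, SAMPLE_ACL)))
```

An empty result means neither the policy nor the ACL grants anonymous access under these simplified rules; anything else is worth reviewing against the bucket's intended use.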

Recon

Find bucket endpoint

  1. Try Wappalyzer
  2. Spider site - katana -js
  3. Search

Find credentials

Enumerate

Automatically: https://github.com/sa7mon/S3Scanner

Manually connect to S3

awscli:

```bash
aws configure
# enter anything, ideally a legitimate login and password
aws --endpoint-url=http://s3.smth.com s3 ls                  # list buckets
aws --endpoint-url=http://s3.smth.com s3 ls s3://smth        # list files
aws s3 ls s3://whateverbucketname
aws --endpoint-url=http://s3.smth.com s3 cp smth s3://smth   # upload
aws s3 mv Exploit.txt s3://whateverbucketname/
aws --endpoint-url=http://s3.smth.com s3 cp s3://smth/smth . # download (cp needs a destination)
aws s3 cp s3://whateverbucketname/secret.txt .
```

Resources

Train

{{< source >}}
https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-msk-unauthenticated-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access#s3-buckets
https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4
{{< /source >}}