+++
title = 'HowTo hack S3'
date = 2024-09-25
draft = true
+++

TODO ME

## What is S3?

### Abstract

S3 (Amazon Simple Storage Service) is object storage. You can think of it as cloud storage designed for **storing and retrieving large files**, e.g. backups, archives, big data analytics, content distribution, and static website content.

S3 can be self-hosted (but you probably shouldn't do it). Otherwise, a company will probably use Amazon's S3.

S3 has "buckets": containers/folders for files.

### Technical

Interaction with S3 happens via a RESTful API (e.g. through the `aws s3` CLI).

Each bucket has its own settings:
- Region - each bucket is created in a specific AWS region (for performance), e.g. `https://<bucket-name>.s3.<region>.amazonaws.com/image.png`
- Name - each name should be unique across all AWS regions
- Storage class - how fast data can be accessed
- Lifecycle management - data can automatically be deleted or transferred to cheaper storage
- Versioning - S3 can keep snapshots of data
- Logging/monitoring
- Access control - the most interesting part for us. S3 has **public** and **private** buckets:
  - In a public bucket, any user can list the content
  - In a private bucket, you need credentials that have access to the specific file

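The public/private distinction above, seen from the bucket owner's side, as an added example that is not part of the original notes: a Python check that flags grants making a bucket listable or readable by anyone. It assumes the ACL is in the shape `aws s3api get-bucket-acl` returns and that the policy is the already-parsed policy document; the function name, finding strings and sample documents are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Predefined S3 grantee groups that make an ACL grant effectively public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {
    ALL_USERS: "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def public_exposure(acl, policy):
    """Return sorted findings for one bucket's ACL and policy document."""
    # Not covered: NotAction/NotPrincipal statements and Block Public Access settings.
    findings = set()
    for grant in acl.get("Grants", []):
        who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if who and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            findings.add(f"acl: {who} can list objects")  # READ on a bucket = list
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):  # may still be narrow (e.g. a source IP); a human decides
            findings.add("policy: conditional wildcard grant, review manually")
            continue
        for action in _as_list(stmt.get("Action", [])):
            pattern = action.lower()  # IAM action names are case-insensitive
            if fnmatchcase("s3:listbucket", pattern):
                findings.add("policy: anyone can list objects")
            if fnmatchcase("s3:getobject", pattern):
                findings.add("policy: anyone can read objects")
    return sorted(findings)

# Constructed sample documents (not taken from a real bucket).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"},
     "Permission": "FULL_CONTROL"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:Get*",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}
```
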
## Recon

### Find bucket endpoint

1. Try [Wappalyzer](https://www.wappalyzer.com/apps/)
2. [Spider](/hidden/todo/) site - `katana -js`
3. Search

### Find credentials

## Enumerate

Automatically:
https://github.com/sa7mon/S3Scanner

## Manually connect to S3

awscli:
```
aws configure
# enter anything, ideally a legitimate login and password
aws --endpoint-url=http://s3.smth.com s3 ls # list buckets
aws --endpoint-url=http://s3.smth.com s3 ls s3://smth # list files
aws s3 ls s3://whateverbucketname
aws --endpoint-url=http://s3.smth.com s3 cp smth s3://smth # upload
aws s3 mv Exploit.txt s3://whateverbucketname/
aws --endpoint-url=http://s3.smth.com s3 cp s3://smth/smth . # download
aws s3 cp s3://whateverbucketname/secret.txt .
```

## Resources

- https://buckets.grayhatwarfare.com, a list of already discovered open buckets.

## Train

- http://flaws.cloud/
- http://flaws2.cloud/
