Casual_blog/content/hacking/HowTo_S3.md
2024-09-03 22:36:04 +03:00


+++
title = 'HowTo hack S3'
date = 2024-09-25
draft = true
+++
TODO ME
## What is S3?
### Abstract
S3 (Amazon Simple Storage Service) is object storage. You can think of it as cloud storage designed for **storing and retrieving large files**, e.g. backups, archives, big data analytics, content distribution, and static website content.
S3 can be self-hosted (but you probably shouldn't do it). Otherwise, the company will probably use Amazon's S3.
S3 has "buckets": containers/folders for files.
### Technical
Interaction with S3 happens via a RESTful API (the `aws s3` CLI wraps it).
Each bucket has its own settings:
- Region - each bucket is created in a specific AWS region (for performance) - e.g. `https://<bucket-name>.s3.<region>.amazonaws.com/image.png`
- Name - each name must be unique across all AWS regions
- Storage class - how fast data can be accessed
- Lifecycle management - data can automatically be deleted or transferred to cheaper storage
- Versioning - S3 can keep snapshots of data
- Logging/monitoring
- Access control - the most interesting part for us. S3 has **public** and **private** buckets:
  - In a public bucket, any user can list the content
  - In a private bucket, you need credentials that have access to the specific file
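
To check which side of that public/private split one of your own buckets falls on, here is an added example (not from the original post or from AWS) that audits a bucket policy and the `Grants` list from `aws s3api get-bucket-acl` offline. The sample policies, bucket name and account ID are constructed, and the check is simplified: it ignores `Deny` statements, conditional grants and Block Public Access settings.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policies (bucket name and account ID are placeholders).
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:Get*"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

# ACL grantee groups that mean "everyone" or "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_public(principal):
    # Principal is either "*" or a dict such as {"AWS": "*"} / {"AWS": [...]}.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def public_exposure(policy_json, acl_grants=()):
    """Return which of 'list' / 'read' the bucket grants to everyone."""
    exposed = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        # Simplification: Deny statements and conditional Allows are skipped.
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_public(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            pattern = action.lower()  # actions are case-insensitive, may use * and ?
            if fnmatchcase("s3:listbucket", pattern):
                exposed.add("list")
            if fnmatchcase("s3:getobject", pattern):
                exposed.add("read")
    for grant in acl_grants:  # "Grants" list from `aws s3api get-bucket-acl`
        if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS \
                and grant.get("Permission") in ("READ", "FULL_CONTROL"):
            exposed.add("list")  # READ on a bucket ACL permits listing its objects
    return exposed

if __name__ == "__main__":
    print(public_exposure(PUBLIC_POLICY), public_exposure(PRIVATE_POLICY))
```
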
## Recon
### Find bucket endpoint
1. Try [Wappalyzer](https://www.wappalyzer.com/apps/)
2. [Spider](/hidden/todo/) the site - `katana -js`
3. Search
### Find credentials
## Enumerate
Automatically:
https://github.com/sa7mon/S3Scanner
## Manually connect to S3
awscli:
```
aws configure
# enter something here; ideally a legitimate login and password
aws --endpoint-url http://s3.smth.com s3 ls                   # list buckets
aws --endpoint-url http://s3.smth.com s3 ls s3://smth         # list files
aws s3 ls s3://whateverbucketname
aws --endpoint-url http://s3.smth.com s3 cp smth s3://smth    # upload
aws s3 mv Exploit.txt s3://whateverbucketname/                # upload, removing the local copy
aws --endpoint-url http://s3.smth.com s3 cp s3://smth/smth .  # download: source object, then local destination
aws s3 cp s3://whateverbucketname/secret.txt .
```
## Resources
- https://buckets.grayhatwarfare.com, a list of already discovered open buckets.
## Train
- http://flaws.cloud/
- http://flaws2.cloud/