Hello friends,
Recently I came across S3 Bucket Misconfiguration vulnerability on one of the private program. I saw many write-ups on how to exploit it but none of them was from Basics. So i thought why not to write a post on it from basic for the new comers of the community. I am trying my best to explore as much as I can.
PS: This post is for noobs like me who are not able to get how exactly to exploit misconfigured S3 Bucket. Leets please ignore the post. And this is the way by which I was able to takeover the misconfigured s3 bucket, yours might be changed.
So this post contains the following topics:
- Introduction
- How to find S3 Buckets
- Step by Step Guide to Takeover misconfigured S3 Bucket
Introduction:
What is AWS?
AWS stands for Amazon Web Services which is a secure cloud services platform, offering compute power, database storage, content delivery and other functionalities.
What is Amazon S3?
Amazon S3 stands for Amazon Simple Storage Service which is an object storage service that offers industry-leading scalability, data availability, security, and performance.
How to find S3 Buckets:
You can use many online tools which are available on GitHub to find S3 bucket of a website. I would like to list down few of them:
Lazy S3
bucket_finder
AWS Cred Scanner
sandcastle
Mass3
Dumpster Diver
S3 Bucket Finder
S3Scanner
and many more…
Step by Step Guide to Takeover misconfigured S3 Bucket:
This consists of many parts:
I) Finding S3 Bucket
To find S3 bucket of the program, I used nahamsec‘s lazys3.
Command: ruby lazys3.rb site_name
The output of lazys3 comes with a S3 bucket.
http://[bucketname].s3.amazonaws.com/
II) S3 bucket identification
We can interact with the bucket with following kind of URL
http://[bucketname].s3.amazonaws.com/
Moreover, if the bucket has the property “Static website hosting”, it provides access to static HTML pages via the following URL:
http://[bucketname].s3-website-[region].amazonaws.com/
III) Installing AWS Command Line Interface
Now we have to install aws-cli (I prefer to use Kali Linux)
Command: pip install awscli
After installing, check whether it is perfectly installed or not.
Command: aws --version
IV) Making an Amazon AWS Account
For that make an account here and Fill the details and Sign in to the console
V) Getting Access Keys
After signing in, Go to https://console.aws.amazon.com/iam/ and click on Users
Add a new user
Now download CSV file and you will find your access keys.
VI) Configuring the AWS CLI
Go to your kali terminal and type
Now you are good to go.
VII) Checking for vulnerable S3 Bucket
Command: aws s3 ls s3://[bucketname]
Sometimes, you got this error so better to use this command.
Command: aws s3 ls s3://[bucketname] --no-sign-request
okay we are on right track.
Now there are few commands/operations you can try on it.
Read File: aws s3 ls s3://[bucketname] --no-sign-requestMove File: aws s3 mv yourfile s3://[bucketname]/test-file.txt --no-sign-requestCopy Files : aws s3 cp yourfile s3://[bucketname]/test-file.svg --no-sign-request
Delete Files : aws s3 rm s3://[bucketname]/test-file.svg --no-sign-request
So that’s all.
Some Reference Posts you may like to refer:
https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/?utm_source=blog&utm_campaign=s3_buckets
https://medium.com/bugbountywriteup/how-i-pwned-a-million-dollar-company-9fa5bfd234dd
Good bye and if you have any question, you can ask me on Twitter/Facebook. I will try to reply all of your messages asap
