HowTo Hack S3
# What is S3?
## Abstract
S3 (Amazon Simple Storage Service) is an object storage service. You can think of it as cloud storage designed for storing and retrieving large amounts of data, e.g. backups, archives, big data analytics, content distribution, and static website content.
S3-compatible storage can be self-hosted (but you probably shouldn't). Otherwise, a company will most likely use Amazon's S3 or one of these providers:
- DigitalOcean
- DreamHost
- GCP
- Linode
- Scaleway
S3 stores data in "buckets", which act as containers/folders for files.
## Technical
Interaction with S3 happens via a RESTful API (e.g. via awscli).
Each bucket has its own settings:
- Region - each bucket is created in a specific AWS region (for performance), e.g.
  `https://<bucket-name>.s3.<region>.amazonaws.com/image.png`
  or (deprecated) `https://s3.amazonaws.com/[region]/[bucket_name]/`
  or "dual-stack" (with an IPv6 address):
  `bucketname.s3.dualstack.aws-region.amazonaws.com`
  `s3.dualstack.aws-region.amazonaws.com/bucketname`
- Name - each bucket name must be unique across all AWS regions
- Versioning - S3 can keep previous versions of objects
- Logging/monitoring - disabled by default
- Access control - the most interesting part for us. S3 has public and private buckets:
  - In a public (or open) bucket, any user can list its contents
  - In a private bucket, you need credentials that grant access to the specific file
# Recon
## Find bucket endpoint
- Crawl the site: `katana -js -u SITE`
- Search the crawl results for `.*s3.*amazonaws.com`
- Check for CNAMEs of the domains in the crawl results, e.g. `resources.domain.com -> bucket.s3.amazonaws.com`
- Check the list of discovered buckets; it may already contain your bucket.
- Bruteforce the bucket name using a custom wordlist built per domain
## Find credentials
We will try to find S3 bucket credentials with OSINT.
- Use Google Dorks
- Check the company's public git repos
- Check the git repos of employees
If you have access to a Google Custom Search Engine:
and check https://github.com/carlospolop/leakos
# Enumerate
## Automatically
Find public buckets in a bucket list (or bruteforce bucket names): S3Scanner
Search for secrets in a public bucket: BucketLoot
## Manually connect to S3
To check whether a bucket is public, just open the bucket link in a browser: if it is, the first 1000 objects in it are listed; otherwise you get "AccessDenied".
awscli:
- `aws configure` - enter credentials if you have them; otherwise try with a valid S3 account that has no access to the target
- list S3 buckets associated with a profile:
```
aws s3 ls
aws s3api list-buckets
aws --endpoint=http://s3.customDomain.com s3 ls   # use a custom domain
```
- list files:
```
aws s3 ls s3://bucket
```
  - `--recursive` - list recursively
  - `--no-sign-request` - check 'Everyone' (anonymous) permissions
  - `--endpoint` - use a custom S3 domain
Additionally:
```
# list content of bucket (with creds)
aws s3 ls s3://bucket-name
aws s3api list-objects-v2 --bucket <bucket-name>
aws s3api list-objects --bucket <bucket-name>
aws s3api list-object-versions --bucket <bucket-name>
```
- upload - `aws s3 cp smth s3://smth`
- download (to the current directory) - `aws s3 cp s3://bucket/secret.txt .`
- download the whole bucket - `aws s3 sync s3://<bucket>/ .`
- delete the bucket with all its objects - `aws s3 rb s3://bucket-name --force`
## Gather info on bucket
- Get bucket and object ACLs:
```
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api get-object-acl --bucket <bucket-name> --key flag
```
- Get the policy:
```
aws s3api get-bucket-policy --bucket <bucket-name>
aws s3api get-bucket-policy-status --bucket <bucket-name>   # shows whether the bucket is public
```
Additional actions on buckets.
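As an added, defender-side example (not part of the original cheat sheet): a small Python audit over the JSON that `get-bucket-acl` and `get-bucket-policy` return, flagging ACL grants to the AllUsers/AuthenticatedUsers groups and Allow statements with a wildcard principal and no Condition. The sample ACL and policy are constructed, and the function names are my own.

```python
# Group URIs that S3 uses for anonymous and any-authenticated-AWS-user grants.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed sample of `aws s3api get-bucket-acl` output: the owner has
# FULL_CONTROL and, on top of that, anonymous users were granted READ (listing).
SAMPLE_ACL = {"Owner": {"ID": "EXAMPLE-OWNER-ID"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}

# Constructed sample bucket policy (the "Policy" string of get-bucket-policy, already
# parsed): an Allow with a wildcard principal and no Condition makes every object public.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found


def _is_wildcard_principal(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy):
    """Return Allow statements open to any principal and not narrowed by a Condition."""
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s for s in statements if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal")) and "Condition" not in s]
```

Statements that carry a Condition are skipped on purpose: they may still be public (e.g. a condition only on `aws:SecureTransport`), so review them by hand rather than treating them as safe.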
# Additional resources
- S3 may have additional services that may be vulnerable
- S3 privesc
- S3 HTTP Cache Poisoning Issue
- Check if an email has a registered AWS account
- Get the Account ID from a public bucket
- Confirming a bucket belongs to an AWS account
- How to make a persistent account in S3
# Train
## Sources
- https://book.hacktricks.xyz/generic-methodologies-and-resources/external-recon-methodology#looking-for-vulnerabilities-2
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-persistence/aws-s3-persistence
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-services/aws-s3-athena-and-glacier-enum
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access
- https://cloud.hacktricks.xyz/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-s3-unauthenticated-enum
- https://freedium.cfd/https//medium.com/m/global-identity-2?redirectUrl=https%3A%2F%2Finfosecwriteups.com%2Ffinding-and-exploiting-s3-amazon-buckets-for-bug-bounties-6b782872a6c4