AWS S3 Enumeration Basics

ShiNobiX

Attack Story

It's your first day on the red team, and you've been tasked with examining a website that was found in a phished employee's bookmarks. Check it out and see where it leads! In scope is the company's infrastructure, including cloud services.

Context

Amazon S3 (Simple Storage Service) is a very popular (and the second oldest!) AWS service that is used to store files and backups, and can even be used to serve websites. This multi-use functionality has led some to argue that the service would be more secure if it were split into a separate public web hosting service and a private file storage service. In recent years AWS have introduced more visual warnings when customers make buckets world-readable, but still, if this setting is available, people will set it! Misconfigurations and overly permissive settings in S3 have resulted in many data breaches over the years.

Incident

Initial Discovery via Open S3 Endpoint

Started enumeration with a known S3 URL:

curl https://s3.amazonaws.com/dev.huge-logistics.com

This confirmed that the S3 bucket dev.huge-logistics.com existed and was publicly accessible.

Scraping Links from Bucket Index Page

curl -s https://s3.amazonaws.com/dev.huge-logistics.com | grep -oE '(http|https)://[^"]+'

Examined a JavaScript file for any hard-coded secrets, endpoints, or clues:

curl -i https://s3.amazonaws.com/dev.huge-logistics.com/static/script.js

Listing Bucket Contents Without Credentials

aws s3 ls s3://dev.huge-logistics.com/ --no-sign-request

This revealed the bucket's top-level directories.

Dug into each directory, including 'shared/', and found a zip file, which was downloaded since it looked like it contained useful information:

aws s3 ls s3://dev.huge-logistics.com/shared/ --no-sign-request
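From the defender's side, every request above (the curl against the bucket root, the unsigned aws s3 ls, the anonymous fetch of script.js and of the zip) lands in the bucket's S3 server access logs with the requester field set to "-", because no credentials were sent. The following added example, which is not part of the original write-up, parses constructed log lines in that layout and flags successful anonymous listings and downloads; the bucket name, IPs, request IDs and object keys are made up.

```python
import re

# Minimal S3 server access log tokenizer: fields are space-separated, except the
# timestamp in [brackets] and quoted strings such as the request URI.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')
FIELDS = ["owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "status", "error_code", "bytes_sent"]

def parse_line(line):
    """Map the leading fields of one access log line to names; None if too short."""
    tokens = TOKEN.findall(line)
    if len(tokens) < len(FIELDS):
        return None
    return dict(zip(FIELDS, tokens))

def anonymous_findings(lines):
    """Return (operation, key, remote_ip) for every successful unauthenticated
    bucket listing (REST.GET.BUCKET) or object download (REST.GET.OBJECT).
    A requester of '-' is what `--no-sign-request` or a plain curl produces."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["requester"] != "-" or rec["status"] != "200":
            continue
        if rec["operation"] in ("REST.GET.BUCKET", "REST.GET.OBJECT"):
            findings.append((rec["operation"], rec["key"], rec["remote_ip"]))
    return findings

# Constructed sample lines (not real log data) in S3 server access log layout,
# truncated after the bytes-sent field for brevity.
SAMPLE_LOG = """\
OWNERID example-dev-bucket [02/Jan/2024:10:15:01 +0000] 198.51.100.7 - 1A2B3C REST.GET.BUCKET - "GET / HTTP/1.1" 200 - 4211
OWNERID example-dev-bucket [02/Jan/2024:10:15:09 +0000] 198.51.100.7 - 1A2B3D REST.GET.OBJECT static/script.js "GET /static/script.js HTTP/1.1" 200 - 9870
OWNERID example-dev-bucket [02/Jan/2024:10:16:30 +0000] 198.51.100.7 - 1A2B3E REST.GET.BUCKET - "GET /?prefix=shared/ HTTP/1.1" 200 - 1120
OWNERID example-dev-bucket [02/Jan/2024:10:17:02 +0000] 198.51.100.7 - 1A2B3F REST.GET.OBJECT shared/backup.zip "GET /shared/backup.zip HTTP/1.1" 200 - 524288
OWNERID example-dev-bucket [02/Jan/2024:10:18:45 +0000] 203.0.113.9 - 1A2B40 REST.GET.OBJECT admin/flag.txt "GET /admin/flag.txt HTTP/1.1" 403 AccessDenied -
OWNERID example-dev-bucket [02/Jan/2024:10:19:10 +0000] 203.0.113.9 CANONICALUSERID 1A2B41 REST.GET.OBJECT admin/flag.txt "GET /admin/flag.txt HTTP/1.1" 200 - 64
""".splitlines()

if __name__ == "__main__":
    for op, key, ip in anonymous_findings(SAMPLE_LOG):
        print(f"anonymous {op:16} {key:20} from {ip}")
```

Only the four unauthenticated 200s are reported; the denied request and the credentialed download of admin/flag.txt are not anonymous findings, though the latter is the kind of event the leaked-credential steps later in this write-up would produce.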

Unzipping it revealed a .ps1 file containing the following sensitive data:

Configure the AWS CLI with Stolen Credentials

Configured a profile with the stolen credentials from above and confirmed which identity they map to:

aws configure --profile s4
aws sts get-caller-identity --profile s4

Exploring the bucket with this profile, the admin directory turned out to hold the flag, but it could not be downloaded.

Checked all the other folders as well and tried to download their files, but those downloads did not succeed either.

The download did succeed with aws s3 cp, and the XML turned out to contain multiple credentials:

aws s3 cp s3://dev.huge-logistics.com/migration-files/test-export.xml . --profile s4

Since this gave us a new set of AWS credentials, we used them to log in with higher privileges and download the flag file.

Created a new profile, s5, using the new access key ID.

Thanks
