Hacking AWS S3 bucket








Hi Guys,

 So, It’s been a while since I’ve blogged last time. It’s because I’m busy with my work, let's get into the field.
Now, before proceeding further onto this, we must know about AWS and its use. 
Amazon Simple Storage Service is storage for the Internet. Amazon S3 has a simple web services interface that you can use to store and retrieve any amount of data, at any time, from anywhere on the web. You will get free subscription to your AWS account for a year when you register for the first time.

 before you apply your hacking skills on any website, you must know about the technology in which the application is built, for that you can choose server and framework fingerprinting or simple nmap or netcat scan.

For privacy concern, I’m not gonna disclose the site name which I hacked AWS S3 bucket. So, let’s call it as examplesite.com.  I was crawling the site. Started with robots.txt ‘www.examplesite.com/robots.txt’ (in case if you don’t know what’s robots.txt, have a look at this documentation I was like looking at the website like below pic and questioning to myself about my existence. haha it was quite hard to get into.

But, Initially, i was thinking that they’d have used any CMS to develop their site. But, It took 30 minutes to realize I was a fool even if I knew it already!. from one of the HTTP response Header,  i came to know that they have used AWS for storage. after 30 min of disappointment
was reading whatever they’ve mentioned on their site and then checked their source code for the sake to feel like a hacker at least,
 For security concerns, they had hosted their files in Amazon S3 Bucket!

There’s this famous quote “Know your enemy more than he does himself” and the below thing is an example for it and it’s same when you try to hack something! xD

Now, came to the conclusion that they save their documents and files in AWS Cloud Server! But, I wasn’t sure of their AWS s3 bucket link.

Amazon S3 is cloud storage for the Internet. To upload your data (photos, videos, documents, etc.), you first create a bucket in one of the AWS Regions. You can then upload any number of objects to the bucket and every file would be having a unique link and then they’re delivered through Amazon CDN. Also, you can create up to 100 buckets per account. Each bucket can contain an unlimited number of files. Buckets cannot be nested, you can not create a bucket within a bucket. In addition, These days many websites using Amazon services!

Then googled for a couple of hours and ended up finding a script called ‘Bucket Finder’ which is written in ruby!

Script and installation manual Link: https://digi.ninja/projects/bucket_finder.php

So, what this bucket finder actually does? as per the creator says!

This is a fairly simple tool to run, all it requires is a wordlist and it will go off and check each word to see if that bucket name exists in Amazon’s S3 system. Any that it finds it will check to see if the bucket is public, private or a redirect.

Public buckets are checked for directory indexing is enabled, if it is then all files listed will be checked using HEAD to see if they are public or private. Redirects are followed and the final destination checked. All this is reported on so you can later go through and analyze what has been found.

Then I went ahead and typed all the name that’s related to this company which I wanted to hack and made a list as follows to feed that with bucket finder script.


So, now we have a guess list and the script, now execute it as follows!

./bucket_finder.rb site_name

and this was the output of it.
Now, you gotta find a way to hack those buckets! To hack such buckets it has to be a misconfigured bucket. So, how to find it?
The output of bucket_finder was something like,

Bucket redirects to example site.com redirects to examplesite.s3.amazonaws.com

 then go to the path of the bucket_finder folder then type below commands.

./bucket_finder.rb --download  mywords.txt
The files are downloaded into a folder with the bucket name and then the appropriate structure from the bucket.
You can download the bucket fider from here.

I was able to download all the production, staging and development environment data stored in the AWS s3 bucket as shown below.



The main reason for this vulnerability is not properly configuring access control list (ACL) of s3 Bucket. which they set it as "public" instead of setting for "private" users.

 If you are lucky enough you can include your own data on the storage of victim account without being identified to the website owner. for that, you will be required to create one AWS account and download client-side CLI. You’ll have to configure the amazon aws-client with an access key (Assuming you already have an account in amazon s3) and you can find yours in the below link.


 check this one
If you find the same in any bug bounty program you will get a reward worth around $2500. which is sufficient enough for doing party with your friends for a whole month.😂😂.

That's enough for this time. contact me if you have any queries or discussion regarding this exploitation. I will help you guys with more details.

 Hope you love reading it and learned something! :) Bhai Bhai bhai!

  "Happy Hacking"

All my featured blogs will be available at https://anilcy.blogspot.com/.

linked in :- https://in.linkedin.com/in/anilkumar-jamadar-640966130
instagram:- https://www.instagram.com/Jamadar__anil/
twitter:- https://twitter.com/Anilkum67752266

Advice for beginners! please, don’t ask someone for a particular blog to read because the knowledge would be very narrow as that comes from a single person.

Disclaimer

The Blog Content has been made available for informational and educational purposes only.I, hereby disclaims any and all liability to any party for any direct, indirect, implied, punitive, special, incidental or other consequential damages arising directly or indirectly from any use of the Blog Content is solely responsible by the readers.

Comments

Post a Comment

Popular posts from this blog

File Upload Security Testing Checklists

  Security Checklist Are filenames reflected back on the page? If so, are they HTML Entity encoded (XSS via file names)? Does it accept .zip files? Try a  ZipSlip If it processes an image, check for  Image Tragick (CVE-2016-3714) Can you bypass file type restrictions by changing the content-type value? Can you bypass file type restrictions by  forging valid magic bytes ? Can you upload a file with a less-common extension (such as .phtml)? Try playing with the filename in the request, a potential vector for traversal or SQL injection. Check for the acceptance of double extensions on uploaded files. Test for  null-byte injection . Is the server windows? Try adding a  trailing  .  to bypass extension blacklists , this dot will be removed automatically by the OS. Can you upload an  SVG for XSS ? If supported by the webserver, can you  upload .htaccess files ? Does the backend process the image with the  PHP GD library ? Is the app vulnerable to the  infamous ffmpeg exploit ? Can custom pol
Read more

SAML Security Test Cases

Signature Exclusion Attack -Test whether or not the SP accepts an Assertion without a Signature  Signature Spoofing attack -Test whether SP accepts fake signature or using previously generated/invalid signature Signature Wrapping Attack (8 Different Ways)-Test whether or not the SP is susceptible to Signature Wrapping XML Injection -Test if can inject malicious code into the SAML response from IDP, allowing them to execute arbitrary code on the SP server. XML Entity Expansion (XEE)/XXE -Test whether or not the SP is vulnerable to XML External Entities Replay attacks -Test if previously generated SAML response from IDP can be accepted by SP Certificate Faking/Self signed certificate -Test whether or not the SP verifies that the Assertion came from a trusted IDP/Test if SP accepts self-signed certificate XSLT Injection -Test whether or not the SP is vulnerable to XSLT Predictable signature -Test whether IDP generating guessable signature SAML message expiration -Test whether SP accepts
Read more

Drozer - A Framework for Android Application Security Assessment.

Image
1.             Introduction 1.1   This document explains how to get started with Drozer, and how to use it to perform a security assessment of an android application. 1.1.      Drozer Drozer is a python based comprehensive security audit and attack framework for Android. It is an open-source framework, used for android pen-testing. It works like a client-server model and makes use of Android’s Inter-Process Communication (IPC) mechanism to interact with the underlying operating system of the device. IPC is a mechanism by which different components of android like intents and data binders communicate with each other so that the communication is established between the apps present in the android device. Drozer helps to remotely exploit android devices with predefined and custom modules that exploit known vulnerabilities. 1.2.      Conventions used Throughout this document, command-line examples will use one of two prefixes: dz> indicates that the command shou
Read more