Penetration Testing AWS Storage

Reference:

AWS Configuration

#Install AWS CLI
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip awscliv2.zip
sudo ./aws/install

#Configure
aws configure --profile <PROFILE_NAME>
AWSAccessKeyId=[ENTER HERE YOUR KEY]
AWSSecretKey=[ENTER HERE YOUR KEY]

Theory

  • There are 2 ways to access a bucket:

    • Bucket: http://bucketname.s3.amazonaws.com

    • Static Website: All S3 buckets, when configured for web hosting, are given an AWS domain you can use to browse to it without setting up your own DNS. (eg: s3-website-us-west-2.amazonaws.com)

  • When hosting a site as an S3 bucket, the bucket name (flaws.cloud) must match the domain name (flaws.cloud).

  • Two people cannot have buckets with the same name. The result of this is you could create a bucket named apple.com and Apple would never be able to host their main site via S3 hosting.

  • Amazon provides information on managing access controls for buckets here. Furthermore, Amazon helps their users by publishing a best practices document on public access considerations around S3 buckets. The default configuration of an S3 bucket is private.

Common S3 Misconfigurations

  • Unauthenticated Bucket Access – As the name implies, an S3 bucket can be configured to allow anonymous users to list, read, and/or write to a bucket.

  • Semi-public Bucket Access – An S3 bucket is configured to allow access to “authenticated users”. This unfortunately means anyone authenticated to AWS. A valid AWS access key and secret is required to test for this condition.

  • Improper ACL Permissions – The ACL of the bucket has its own permissions which are often found to be world readable. This does not necessarily imply a misconfiguration of the bucket itself, however it may reveal which users have what type of access.
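As an added example (not part of the original notes), the following Python function takes the JSON that `aws s3api get-bucket-acl --bucket <name>` returns and maps each group grant onto the three classes above: AllUsers grants are unauthenticated access, AuthenticatedUsers grants are semi-public access, and READ_ACP/FULL_CONTROL on either group means the ACL itself is readable. The sample ACL document is constructed.

```python
import json

# Well-known S3 grantee group URIs documented by AWS.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def classify_acl(acl):
    """Map the grants of a get-bucket-acl document onto the three
    misconfiguration classes. Returns class name -> sorted permissions
    (or group names for acl_readable); empty lists mean a private ACL."""
    findings = {"unauthenticated": set(), "semi_public": set(), "acl_readable": set()}
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        perm = grant.get("Permission")
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name specific principals, e.g. the owner
        uri = grantee.get("URI")
        if uri == ALL_USERS:
            findings["unauthenticated"].add(perm)
        elif uri == AUTH_USERS:
            findings["semi_public"].add(perm)
        else:
            continue  # other groups (e.g. LogDelivery) are out of scope here
        # READ_ACP or FULL_CONTROL for a group lets that group read the ACL,
        # which is the "Improper ACL Permissions" case.
        if perm in ("READ_ACP", "FULL_CONTROL"):
            findings["acl_readable"].add(uri.rsplit("/", 1)[-1])
    return {k: sorted(v) for k, v in findings.items()}


# Constructed sample in the shape of `aws s3api get-bucket-acl` output.
SAMPLE_ACL = json.loads("""
{
  "Owner": {"ID": "EXAMPLE-OWNER-ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ_ACP"}
  ]
}
""")

if __name__ == "__main__":
    print(json.dumps(classify_acl(SAMPLE_ACL), indent=2))
```

Pipe real output into it with `aws s3api get-bucket-acl --bucket <name> --profile <PROFILE_NAME>` and `json.load(sys.stdin)`; a result with three empty lists matches the private default described in the Theory section.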

Passive Recon

Identify Region

  • US Standard = http://s3.amazonaws.com

  • Ireland = http://s3-eu-west-1.amazonaws.com

  • Northern California = http://s3-us-west-1.amazonaws.com

  • Singapore = http://s3-ap-southeast-1.amazonaws.com

  • Tokyo = http://s3-ap-northeast-1.amazonaws.com

dig <domain>
nslookup <domain>

nslookup <IP>

  • You could also use the GUI tool Cyberduck to browse this bucket and it will figure out the region automatically.

Active Recon

Identify Bucket

  • Check with a combination of subdomains, domains, and top level domains to determine if your target has a bucket on S3.

  • For example, if we were to search for an S3 bucket belonging to www.rhinosecuritylabs.com, we might try bucket names rhinosecuritylabs.com, and www.rhinosecuritylabs.com.

S3 Bucket URL given by Amazon :

http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/

Exploiting S3 Permissions

  • If the command returns a directory listing, you’ve successfully found a bucket with unfettered access permissions.

#Check for view access:
sudo aws s3 ls s3://$bucketname/ --no-sign-request --region $region [--recursive]
