AWS - S3 Post Exploitation

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:


For more information check:

Sensitive Information

Sometimes you will be able to find sensitive information in readable in the buckets. For example, terraform state secrets.


Different platforms could be using S3 to store sensitive assets. For example, airflow could be storing DAGs code in there, or web pages could be directly served from S3. An attacker with write permissions could modify the code from the bucket to pivot to other platforms, or takeover accounts modifying JS files.

S3 Ransomware

In this scenario, the attacker creates a KMS (Key Management Service) key in their own AWS account or another compromised account. They then make this key accessible to anyone in the world, allowing any AWS user, role, or account to encrypt objects using this key. However, the objects cannot be decrypted.
The attacker identifies a target S3 bucket and gains write-level access to it using various methods. This could be due to poor bucket configuration that exposes it publicly or the attacker gaining access to the AWS environment itself. The attacker typically targets buckets that contain sensitive information such as personally identifiable information (PII), protected health information (PHI), logs, backups, and more.
To determine if the bucket can be targeted for ransomware, the attacker checks its configuration. This includes verifying if S3 Object Versioning is enabled and if multi-factor authentication delete (MFA delete) is enabled. If Object Versioning is not enabled, the attacker can proceed. If Object Versioning is enabled but MFA delete is disabled, the attacker can disable Object Versioning. If both Object Versioning and MFA delete are enabled, it becomes more difficult for the attacker to ransomware that specific bucket.
Using the AWS API, the attacker replaces each object in the bucket with an encrypted copy using their KMS key. This effectively encrypts the data in the bucket, making it inaccessible without the key.
To add further pressure, the attacker schedules the deletion of the KMS key used in the attack. This gives the target a 7-day window to recover their data before the key is deleted and the data becomes permanently lost.
Finally, the attacker could upload a final file, usually named "ransom-note.txt," which contains instructions for the target on how to retrieve their files. This file is uploaded without encryption, likely to catch the target's attention and make them aware of the ransomware attack.
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks: