AWS - S3 Unauthenticated Enum


S3 Public Buckets

A bucket is considered "public" if any user can list its contents, and "private" if the contents can only be listed or written by certain users.

Companies might have bucket permissions misconfigured giving access either to everyone or to any authenticated AWS user in any account (so effectively to anyone). Note that even with such misconfigurations some actions might still not be possible, because buckets can carry their own access control lists (ACLs) on top of the bucket policy.

Learn about AWS S3 misconfigurations here: http://flaws.cloud and http://flaws2.cloud/

Finding AWS Buckets

Different methods to find out whether a web page is using AWS to store some resources:

Enumeration & OSINT:

  • Using the wappalyzer browser plugin

  • Using burp (spidering the web) or by manually navigating through the page, all the resources loaded will be saved in the History.

  • Check for resources in domains like:

http://s3.amazonaws.com/[bucket_name]/
http://[bucket_name].s3.amazonaws.com/
  • Check for CNAMEs, as resources.domain.com might have the CNAME bucket.s3.amazonaws.com

  • Check https://buckets.grayhatwarfare.com, a site with already discovered open buckets.

  • For a custom domain served from an S3 website endpoint, the bucket name and the domain name need to be the same (flaws.cloud is a bucket called flaws.cloud), so every hostname of the target is itself a bucket-name guess.

  • flaws.cloud is at IP 52.92.181.107 and if you go there it redirects you to https://aws.amazon.com/s3/. Also, dig -x 52.92.181.107 gives s3-website-us-west-2.amazonaws.com.

  • To check that it is a bucket you can also visit https://flaws.cloud.s3.amazonaws.com/.

Brute-Force

You can find buckets by brute-forcing names related to the company you are pentesting:

# Generate a wordlist to create permutations
curl -s https://raw.githubusercontent.com/cujanovic/goaltdns/master/words.txt > /tmp/words-s3.txt.temp
curl -s https://raw.githubusercontent.com/jordanpotti/AWSBucketDump/master/BucketNames.txt >>/tmp/words-s3.txt.temp
cat /tmp/words-s3.txt.temp | sort -u > /tmp/words-s3.txt

# Generate a wordlist based on the domains and subdomains to test
## Write those domains and subdomains in subdomains.txt
cat subdomains.txt > /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "-" >> /tmp/words-hosts-s3.txt
cat subdomains.txt | tr "." "\n" | sort -u >> /tmp/words-hosts-s3.txt

# Create permutations based on a list with the domains and subdomains to attack
goaltdns -l /tmp/words-hosts-s3.txt -w /tmp/words-s3.txt -o /tmp/final-words-s3.txt.temp
## The previous tool is specialized in creating permutations for subdomains, so filter that list
### Remove lines ending with "."
cat /tmp/final-words-s3.txt.temp | grep -Ev "\.$" > /tmp/final-words-s3.txt.temp2
### Create list without TLD
cat /tmp/final-words-s3.txt.temp2 | sed -E 's/\.[a-zA-Z0-9]+$//' > /tmp/final-words-s3.txt.temp3
### Create list without dots
cat /tmp/final-words-s3.txt.temp3 | tr -d "." > /tmp/final-words-s3.txt.temp4
### Create list with dots replaced by hyphens
cat /tmp/final-words-s3.txt.temp3 | tr "." "-" > /tmp/final-words-s3.txt.temp5

## Generate the final wordlist
cat /tmp/final-words-s3.txt.temp2 /tmp/final-words-s3.txt.temp3 /tmp/final-words-s3.txt.temp4 /tmp/final-words-s3.txt.temp5 | grep -v -- "-\." | awk '{print tolower($0)}' | sort -u > /tmp/final-words-s3.txt

## Call s3scanner
s3scanner --threads 100 scan --buckets-file /tmp/final-words-s3.txt  | grep bucket_exists
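The same procedure in Python (generate guesses from the target's hostnames and a wordlist, probe each one anonymously, read S3's answer), added here as an example; it is not part of the page nor of s3scanner. The domains, the words and the bodies in SAMPLE_RESPONSES are constructed, not captured; probe() is the only function that touches the network.

```python
import re
import urllib.error
import urllib.request

# S3 naming rules we filter on: 3-63 chars of [a-z0-9.-], starting and ending with a
# letter or digit, no adjacent dots and (conservatively, like the grep -v "-\." above)
# no hyphen next to a dot. Anything else can never be a bucket, so don't waste a request.
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def valid_bucket_name(name):
    return bool(BUCKET_RE.match(name)) and ".." not in name and "-." not in name and ".-" not in name


def candidates(domains, words):
    """Yield unique guesses: each domain as-is, without its TLD, with dots turned into
    hyphens or removed, and each of those joined with every word (prefix and suffix)."""
    seen, bases = set(), set()
    for domain in domains:
        domain = domain.lower().strip(".")
        no_tld = domain.rsplit(".", 1)[0]          # "flaws.cloud" -> "flaws"; "flaws" stays
        for base in (domain, no_tld):
            bases.update({base, base.replace(".", "-"), base.replace(".", "")})
    for base in sorted(bases):
        forms = [base]
        for w in words:
            w = w.lower()
            forms += [f"{base}-{w}", f"{w}-{base}", f"{base}{w}"]
        for name in forms:
            if valid_bucket_name(name) and name not in seen:
                seen.add(name)
                yield name


def classify(status, body):
    """Turn S3's answer to GET https://<bucket>.s3.amazonaws.com/ into a verdict."""
    m = re.search(r"<Code>([A-Za-z]+)</Code>", body)
    code = m.group(1) if m else None
    if status == 200 and "<ListBucketResult" in body:
        return "exists, listable by everyone"
    if status == 403 and code == "AccessDenied":
        return "exists, not listable anonymously (retry with credentials)"
    if status == 403 and code == "AllAccessDisabled":
        return "exists, all access disabled"
    if status == 404 and code == "NoSuchBucket":
        return "does not exist"
    if status == 301 or code == "PermanentRedirect":
        return "exists, must be addressed through its regional endpoint"
    return f"unknown (HTTP {status}, code {code})"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 301 PermanentRedirect answers instead of silently following them."""
    def redirect_request(self, *args, **kwargs):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def probe(bucket, timeout=10):
    """Live, unauthenticated check of one candidate (needs network access)."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/",
                                 headers={"User-Agent": "s3-enum-example"})
    try:
        with _opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


# Constructed answers in the shape S3 returns, so the classifier can be exercised offline.
SAMPLE_RESPONSES = {
    "flaws.cloud": (200, '<?xml version="1.0" encoding="UTF-8"?><ListBucketResult '
                         'xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>flaws.cloud</Name></ListBucketResult>'),
    "private-bucket": (403, "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"),
    "no-such-name-x7": (404, "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"),
    "elsewhere": (301, "<Error><Code>PermanentRedirect</Code><Endpoint>elsewhere.s3-eu-west-1.amazonaws.com</Endpoint></Error>"),
}


def classify_samples():
    return {name: classify(status, body) for name, (status, body) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:20} {verdict}")
    # live run: for name in candidates(["flaws.cloud"], ["backup", "dev"]): print(name, probe(name))
```

A 403 only tells you the name is taken: re-run those with `--profile` (or the aws cli) to check the "Any Authenticated AWS User" case the page mentions.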

Loot S3 Buckets

Given open S3 buckets, BucketLoot can automatically search for interesting information (secrets, keys, URLs) in their contents.

Find the Region

You can find all the regions supported by AWS in https://docs.aws.amazon.com/general/latest/gr/s3.html

By DNS

You can get the region of a bucket with dig and nslookup by doing a reverse DNS lookup of the discovered IP:

dig flaws.cloud
;; ANSWER SECTION:
flaws.cloud.    5    IN    A    52.218.192.11

nslookup 52.218.192.11
Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.

Note that the resolved name contains the word "website" and the region. You can access the static website by going to flaws.cloud.s3-website-us-west-2.amazonaws.com, or access the bucket itself (REST endpoint, XML listing) by visiting flaws.cloud.s3-us-west-2.amazonaws.com. The PTR record names the S3 endpoint, not the bucket, so it gives you the region and the fact that this is an S3 website; the bucket name is the hostname itself.

By Trying

If you try to access a bucket but in the domain name you specify another region (for example the bucket lives at bucket.s3.amazonaws.com but you try bucket.s3-website-us-west-2.amazonaws.com), S3 answers with a PermanentRedirect error whose Endpoint element points you to the correct location:
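Both region-finding steps (the reverse DNS name, and the PermanentRedirect you get when addressing the wrong endpoint) in Python, added as an example and not taken from the page. CONSTRUCTED_PTR and CONSTRUCTED_301 mimic the answers for flaws.cloud and are not captured output; region_via_dns() is the live equivalent of the dig/nslookup pair.

```python
import re
import socket

# Region embedded in S3 endpoint hostnames, as seen in PTR records and <Endpoint> elements:
# s3-website-us-west-2.amazonaws.com, s3.eu-west-1.amazonaws.com, s3-eu-west-1.amazonaws.com,
# s3-r-w.us-west-2.amazonaws.com, s3.dualstack.ap-southeast-1.amazonaws.com,
# bucket.name.s3-us-west-2.amazonaws.com ...
REGION_RE = re.compile(
    r"(?:^|\.)s3(?:[.-][a-z0-9-]+)*?[.-]([a-z]{2}(?:-[a-z]+)+-\d)\.amazonaws\.com\.?$"
)


def region_from_hostname(host):
    """Region encoded in an S3 hostname, or None for names this pattern does not know
    (some legacy us-east-1 reverse records carry no region at all)."""
    m = REGION_RE.search(host.strip().lower())
    return m.group(1) if m else None


def region_from_redirect(status, body, headers):
    """Region from the 301 PermanentRedirect S3 returns when a request goes to the wrong
    regional endpoint. Prefers the x-amz-bucket-region header (S3 also sets it on
    HEAD-bucket answers, including 403 ones), then falls back to the <Endpoint> element."""
    lower = {k.lower(): v for k, v in headers.items()}
    if status != 301 and "<Code>PermanentRedirect</Code>" not in body:
        return None
    if lower.get("x-amz-bucket-region"):
        return lower["x-amz-bucket-region"]
    m = re.search(r"<Endpoint>([^<]+)</Endpoint>", body)
    return region_from_hostname(m.group(1)) if m else None


def region_via_dns(hostname):
    """Live version of the dig / nslookup step: resolve, reverse-resolve, parse (needs network)."""
    ip = socket.gethostbyname(hostname)
    ptr = socket.gethostbyaddr(ip)[0]
    return ip, ptr, region_from_hostname(ptr)


def bucket_urls(bucket, region):
    """The two hostnames the page derives once the region is known
    (the legacy s3-<region> form still resolves as well)."""
    return {"website": f"http://{bucket}.s3-website-{region}.amazonaws.com",
            "rest": f"https://{bucket}.s3.{region}.amazonaws.com"}


# Constructed stand-ins shaped like the real answers for flaws.cloud.
CONSTRUCTED_PTR = "s3-website-us-west-2.amazonaws.com."
CONSTRUCTED_301 = (
    301,
    '<?xml version="1.0" encoding="UTF-8"?><Error><Code>PermanentRedirect</Code>'
    "<Message>The bucket you are attempting to access must be addressed using the specified endpoint.</Message>"
    "<Endpoint>flaws.cloud.s3-us-west-2.amazonaws.com</Endpoint><Bucket>flaws.cloud</Bucket></Error>",
    {},
)

if __name__ == "__main__":
    print("from PTR:     ", region_from_hostname(CONSTRUCTED_PTR))
    print("from redirect:", region_from_redirect(*CONSTRUCTED_301))
    print(bucket_urls("flaws.cloud", "us-west-2"))
    # live: print(region_via_dns("flaws.cloud"))
```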

Enumerating the bucket

To test how open a bucket is, a user can just enter its URL in their web browser. A private bucket will respond with "Access Denied". A public bucket will list the first 1,000 objects stored in it (the listing is paginated; the cli below walks the rest for you).

Open to everyone:

Private:

You can also check this with the cli:

# Use --no-sign-request to check the permissions granted to Everyone (anonymous access)
# Use --profile <PROFILE_NAME> to indicate the AWS profile (keys) you want to use: checks the "Any Authenticated AWS User" permissions
# --recursive if you want to list recursively
# Optionally you can select the region if you know it
aws s3 ls s3://flaws.cloud/ [--no-sign-request] [--profile <PROFILE_NAME>] [--recursive] [--region us-west-2]

If the bucket doesn't have a domain name, when trying to enumerate it put only the bucket name and not the whole AWS S3 domain. Example: s3://<BUCKETNAME>

Public URL Template

https://{user_provided}.s3.amazonaws.com

Get Account ID from a public Bucket

It's possible to determine the AWS account that owns a bucket by abusing the s3:ResourceAccount policy condition key. This condition restricts access based on the account the S3 resource (the bucket) belongs to, whereas the usual account-based conditions restrict based on the account of the requesting principal. Because the condition value may contain wildcards, the account number can be tested one digit at a time (at most 10 attempts per digit, 120 for a 12-digit ID) instead of guessed whole.

This tool automates the process:

# Installation (either pipx or pip)
pipx install s3-account-search
pip install s3-account-search
# With a bucket
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket
# With an object
s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/object.ext

This technique also works with API Gateway URLs, Lambda URLs, Data Exchange data sets and even to get the value of tags (if you know the tag key). You can find more information in the original research and in the tool conditional-love, which automates this exploitation.
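The digit-by-digit search in Python, added here as an example; it is not the page's code nor the s3-account-search tool. The oracle interface, the simulated oracle and its account number 123456789012 are constructed; make_sts_oracle() shows how the same loop is wired to a real role with boto3 and assumes that role can reach the target on its own (for example, a public bucket) and that the caller may assume it.

```python
import fnmatch
import json

DIGITS = "0123456789"


def session_policy(prefix, bucket, key=None):
    """Inline session policy handed to sts:AssumeRole: the probe is only allowed when the
    account owning the resource starts with `prefix` (StringLike accepts wildcards)."""
    if key:
        action, resource = "s3:GetObject", f"arn:aws:s3:::{bucket}/{key}"
    else:
        action, resource = "s3:ListBucket", f"arn:aws:s3:::{bucket}"
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": action,
            "Resource": resource,
            "Condition": {"StringLike": {"s3:ResourceAccount": [f"{prefix}*"]}},
        }],
    })


def recover_account_id(oracle, length=12):
    """Fix the ID left to right. oracle(prefix) must return True iff the probe succeeds
    under a policy that only allows s3:ResourceAccount matching '<prefix>*'.
    Cost: at most 10 calls per digit, 120 in total, instead of 10**12 guesses."""
    known = ""
    for _ in range(length):
        for d in DIGITS:
            if oracle(known + d):
                known += d
                break
        else:  # no digit accepted: the probe itself is denied, stop instead of looping forever
            raise RuntimeError(f"no digit accepted after prefix {known!r}; can the role reach the target at all?")
    return known


def simulated_oracle(true_account):
    """Offline stand-in (constructed) evaluating StringLike the way IAM would;
    records every prefix asked so the cost can be inspected."""
    calls = []

    def oracle(prefix):
        calls.append(prefix)
        return fnmatch.fnmatchcase(true_account, prefix + "*")

    oracle.calls = calls
    return oracle


def make_sts_oracle(role_arn, bucket, key=None):
    """Live oracle. Assumption: the caller may assume role_arn and that role can reach the
    target by itself. boto3 is imported lazily so the offline part runs without it."""
    import boto3
    import botocore.exceptions

    sts = boto3.client("sts")

    def oracle(prefix):
        creds = sts.assume_role(RoleArn=role_arn, RoleSessionName="s3-acct-enum",
                                Policy=session_policy(prefix, bucket, key))["Credentials"]
        s3 = boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                          aws_secret_access_key=creds["SecretAccessKey"],
                          aws_session_token=creds["SessionToken"])
        try:
            if key:
                s3.get_object(Bucket=bucket, Key=key)
            else:
                s3.list_objects_v2(Bucket=bucket, MaxKeys=1)
            return True
        except botocore.exceptions.ClientError as err:
            if err.response["Error"]["Code"] in ("AccessDenied", "403"):
                return False
            raise  # anything other than a clean deny is unexpected here
    return oracle


if __name__ == "__main__":
    sim = simulated_oracle("123456789012")   # constructed target account
    print(recover_account_id(sim), "found with", len(sim.calls), "probes")
    # live: recover_account_id(make_sts_oracle("arn:aws:iam::111111111111:role/s3_read", "target-bucket"))
```

The session policy can only narrow what the role already has, so the role needs s3:ListBucket (or s3:GetObject) on the target for the oracle to ever say yes; if the first digit loop exhausts, that is the thing to check.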

Confirm a bucket is owned by an AWS account

As explained in this blog post, if you have permission to list a bucket it is possible to confirm the account ID that owns it by sending the listing request with the x-amz-expected-bucket-owner header, which S3 rejects when the value does not match the real owner:

curl -X GET "https://[bucketname].s3.amazonaws.com/" \
-H "x-amz-expected-bucket-owner: [correct-account-id]"

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">...</ListBucketResult>

If the response is an "Access Denied" error, the account ID was wrong. Check first that the same request succeeds without the header: a bucket you cannot list returns 403 either way, so the header tells you nothing there.
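The header check as a function, added here as an example (not from the page or the blog post it cites), including the sanity check that the bucket lists without the header before any 403 is read as "wrong account". http_fetch() is the live anonymous request; constructed_fetch() is a stand-in that answers the way S3 does and is not captured output.

```python
import re
import urllib.error
import urllib.request


def http_fetch(url, headers):
    """Anonymous GET returning (status, body); HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "s3-owner-check", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def _listable(status, body):
    return status == 200 and "<ListBucketResult" in body


def find_owner(bucket, candidate_ids, fetch=http_fetch):
    """Return the first candidate account ID for which the listing still succeeds with
    x-amz-expected-bucket-owner set to it, or None. Candidates come from OSINT (other
    buckets, ARNs in source code, the s3:ResourceAccount trick above)."""
    url = f"https://{bucket}.s3.amazonaws.com/"
    if not _listable(*fetch(url, {})):
        raise RuntimeError(f"{bucket} is not listable without the header; a 403 with it proves nothing")
    for acct in candidate_ids:
        if not re.fullmatch(r"\d{12}", acct):
            raise ValueError(f"{acct!r} is not a 12-digit account ID")
        if _listable(*fetch(url, {"x-amz-expected-bucket-owner": acct})):
            return acct
    return None


def owner_is(bucket, account_id, fetch=http_fetch):
    return find_owner(bucket, [account_id], fetch) == account_id


def constructed_fetch(true_owner, listable=True):
    """Offline stand-in for http_fetch shaped like S3's answers (constructed, not captured)."""
    def fetch(url, headers):
        expected = headers.get("x-amz-expected-bucket-owner", true_owner)
        if listable and expected == true_owner:
            return 200, ('<?xml version="1.0" encoding="UTF-8"?><ListBucketResult '
                         'xmlns="http://s3.amazonaws.com/doc/2006-03-01/"></ListBucketResult>')
        return 403, "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"
    return fetch


if __name__ == "__main__":
    fake = constructed_fetch("123456789012")
    print(find_owner("flaws.cloud", ["111111111111", "123456789012"], fake))
    # live: print(owner_is("flaws.cloud", "123456789012"))
```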

Using an email as root account enumeration

As explained in this blog post, it's possible to check whether an email address is associated with any AWS account by trying to grant that email permissions over an S3 bucket via ACLs. If this doesn't throw an error, the email is the root user of some AWS account. Run it against a bucket you own that still has ACLs enabled (new buckets have them disabled by default), and note that S3 only resolves email grantees in a few regions (us-east-1, us-west-1, us-west-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, eu-west-1, sa-east-1):

import boto3
from botocore.exceptions import ClientError

s3_client = boto3.client("s3")
bucket_name = "bucket-you-own"  # a bucket in your own account with ACLs enabled

# PutBucketAcl replaces the whole ACL and needs the real canonical ID of the owner, so read it first
owner_id = s3_client.get_bucket_acl(Bucket=bucket_name)["Owner"]["ID"]

try:
    s3_client.put_bucket_acl(
        Bucket=bucket_name,
        AccessControlPolicy={
            'Grants': [
                # keep the owner's own access, since this call overwrites the existing grants
                {'Grantee': {'Type': 'CanonicalUser', 'ID': owner_id}, 'Permission': 'FULL_CONTROL'},
                {
                    'Grantee': {
                        'EmailAddress': 'some@emailtotest.com',
                        'Type': 'AmazonCustomerByEmail',
                    },
                    'Permission': 'READ'
                },
            ],
            'Owner': {
                'DisplayName': 'Whatever',
                'ID': owner_id
            }
        }
    )
    print("Grant accepted: the email is the root user of some AWS account")
except ClientError as e:
    # UnresolvableGrantByEmailAddress means no AWS account is registered with that email
    print("Error:", e.response["Error"]["Code"])
