Misconfigurations are bound to happen, now more than ever as more orgs move to the cloud, especially in COVID times. Administrators who have generally worked with on-prem infrastructure now need to ‘quickly’ set up services and migrate to the cloud. This can cause services to be incorrectly configured.
S3 buckets are secure by default but can be made public. nslookup can help reveal the region.
# list contents of bucket
aws s3 ls s3://<bucketname>/
# download contents of bucket
aws s3 sync s3://<bucketname>/ local-dir
# s3 code injection
aws s3 mv evil-script.html s3://<bucketname>/evil-script.html
Tools: - cloud_enum # MOVE TO OWN TOOLS PAGE
Look for 404s to *.s3.amazonaws.com. If a bucket name is not in use you can register it and load your content on the site.
AWS virtual hard disks. They can have issues similar to S3, such as being public.
Tool: dufflebag # MOVE TO OWN TOOLS PAGE
AWS exploitation framework.
Basically Microsoft's version of S3. Blob storage is for unstructured data. Containers and blobs can be publicly accessible via access policies. The URLs are predictable.
storage-account-name.blob.core.windows.net
storage-account-name.file.core.windows.net
storage-account-name.table.core.windows.net
storage-account-name.queue.core.windows.net
Access can be granted on the blob or container.
The blob access policy means anyone can read a blob, but can't list other blobs in a container.
The container access policy allows listing containers and blobs.
Tools:
GCP has storage called buckets.
Tools:
Set up the AWS CLI with the AWS access keys of a user that has the AmazonS3FullAccess permission.
Run cloud_enum
python3 cloud_enum.py -k <OrgName>
If it returns a bucket you can list/download the contents with the AWS CLI
aws s3 ls s3://bucketname
If you can write you can add content to the bucket with the AWS CLI
aws s3 mv malware.html s3://bucketname/malware.html
If you see a 404 to *.s3.amazonaws.com you can hijack the site that tries to load this bucket. S3 buckets automatically get a CNAME according to their name; if they are removed but the site still uses them, you can create a new bucket under that name, giving you control over the website.
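A defender-side check for the list, download and write access walked through above, added here as an example (not code from the original notes or from cloud_enum): it reads a bucket policy document and reports which of those three capabilities an anonymous caller would get. The `public_capabilities` name and the sample policy are constructed for illustration.

```python
import fnmatch
import json

# S3 actions behind the walkthrough's three checks: list, download, write.
CAPABILITIES = {"list": "s3:ListBucket", "read": "s3:GetObject", "write": "s3:PutObject"}

def _as_list(value):
    """Policy fields may be a single string or a list."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def public_capabilities(policy_json):
    """Capabilities an anonymous caller gets from unconditional Allow statements.

    Not evaluated: Deny statements, NotAction/NotPrincipal, bucket ACLs and
    Block Public Access. Statements with a Condition need manual review.
    """
    granted = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for name, action in CAPABILITIES.items():
                # IAM action names are case-insensitive and accept * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(name)
    return sorted(granted)

# Constructed sample policy (not from a real bucket).
SAMPLE_POLICY = json.dumps({"Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": ["s3:List*"],
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Principal": "*", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})

if __name__ == "__main__":
    print(public_capabilities(SAMPLE_POLICY))  # ['list', 'read']
```

An empty result only means the policy has no unconditional anonymous grant; the bucket can still be exposed through ACLs, which this check does not read.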