Misconfigured Cloud Assets

Misconfigurations are bound to happen, now more than ever as more orgs move to the cloud, especially in COVID times. Administrators who have generally worked with on-prem infrastructure now need to ‘quickly’ set up services and migrate to the cloud. This can cause services to be incorrectly configured.

AWS

Amazon Simple Storage Service (S3)

S3 is secure by default, but buckets can be made public. An nslookup can help reveal a bucket's region.

Public S3

AWS CLI

# list contents of bucket
aws s3 ls s3://<bucketname>/

# download contents of bucket
aws s3 sync s3://<bucketname>/ local-dir

# s3 code injection
aws s3 mv evil-script.html s3://<bucketname>/evil-script.html

Tools: cloud_enum
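To audit your own buckets for the three anonymous operations shown above (list, download, write), the following added example, which is not part of the original notes, reads a bucket policy and reports which of them an unauthenticated caller is allowed. It assumes policy-only access control (ACLs are not checked), ignores Resource, NotAction and NotPrincipal, and skips statements with a Condition, which need manual review; the function names and sample policies are constructed for illustration.

```python
import fnmatch
import json

# Map the page's three anonymous operations to the S3 actions that permit them.
RISKS = {"list": "s3:ListBucket", "download": "s3:GetObject", "write": "s3:PutObject"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, including unauthenticated ones.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _grants(pattern, action):
    # IAM action names are case-insensitive and may use "*" (e.g. "s3:*", "s3:Get*").
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def anonymous_exposure(policy_json, restrict_public_buckets=False):
    """Return the sorted risks ('download', 'list', 'write') open to anonymous callers."""
    if restrict_public_buckets:
        return []  # RestrictPublicBuckets stops anonymous use of a public policy
    allowed, denied = set(), set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if "Condition" in stmt or not _is_anonymous(stmt.get("Principal")):
            continue  # assumption: conditional statements are left for manual review
        target = allowed if stmt.get("Effect") == "Allow" else denied
        for risk, action in RISKS.items():
            if any(_grants(p, action) for p in _as_list(stmt.get("Action", []))):
                target.add(risk)
    return sorted(allowed - denied)

# Constructed sample policies; bucket name and account id are placeholders.
PUBLIC_READ = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
WIDE_OPEN = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, doc in [("public-read", PUBLIC_READ), ("wide-open", WIDE_OPEN), ("private", PRIVATE)]:
        print(name, anonymous_exposure(doc))
```

For a real bucket, the policy text can be pulled with `aws s3api get-bucket-policy --bucket <bucketname> --query Policy --output text` and the block setting with `aws s3api get-public-access-block --bucket <bucketname>`.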

S3 domain hijacking

Look for 404s on requests to *.s3.amazonaws.com. If a bucket name is not in use, you can register it and load your content on the site.

Elastic Block Storage (EBS) Volumes

AWS virtual hard disks. Like S3, they can have issues with being public.

Tool: dufflebag

Pacu

AWS exploitation framework.

Azure

Public Azure Blobs

Basically Microsoft's version of S3. Blob storage is for unstructured data. Containers and blobs can be made publicly accessible via access policies. The URLs are predictable:

storage-account-name.blob.core.windows.net
storage-account-name.file.core.windows.net
storage-account-name.table.core.windows.net
storage-account-name.queue.core.windows.net

Access to blobs

Access can be granted on the blob or container.

  • Blob access policy means anyone can read a blob, but can't list other blobs in a container.

  • Container access policy allows listing containers and blobs.

Tools:

Google Cloud Platform (GCP)

GCP has storage called buckets.

Tools:

Extra: s3 bucket fun

Set up the AWS CLI with the AWS access keys of a user that has the AmazonS3FullAccess permission.

Run cloud_enum

python3 cloud_enum.py -k <OrgName>

If it returns a bucket you can list/download the contents with the AWS CLI

aws s3 ls s3://bucketname

If you can write you can add content to the bucket with the AWS CLI

aws s3 mv malware.html s3://bucketname/malware.html

Domain Hijacking

If you see a 404 to *.s3.amazonaws.com, you can hijack the site that tries to load this bucket. S3 buckets automatically get a CNAME according to their name. If a bucket is removed but the site still uses it, you can create a new bucket under that name, giving you control over the website.
