Exploiting Misconfigured AWS S3 Bucket
Hi Folks!
I have decided to write a series of blogs on AWS pen-testing. Below is the first blog in this series. I am starting with exploiting misconfigured AWS S3 buckets.
In this blog, I will guide you through AWS S3 buckets, their function, and how to exploit a misconfigured S3 bucket. If you are not familiar with S3 buckets, here is some information about them:
AWS S3 Bucket:
S3 stands for Simple Storage Service. S3 buckets are one of the primary resources that AWS uses to hold data; they are a convenient way to store objects, that is, data together with its metadata.
However, much like other file storage solutions, S3 buckets can be easily exploited through simple misconfigurations. These misconfigurations can lead to data leaks and other serious security issues.
Before moving ahead, I strongly suggest that readers have some idea about AWS Regions and Availability Zones and, most importantly, the AWS CLI.
What is AWS CLI (Amazon Web Services Command-line Interface)?
The AWS CLI is a command-line tool that allows you to interact with AWS services such as S3 buckets, EC2 instances and others. The AWS CLI is a great way to learn and get comfortable with a terminal-like interface, because it allows you to interact with everything in your AWS environment.
Before installing the AWS CLI, first create a free account on Amazon AWS. Below are the steps to install the AWS CLI.
Now we will install the AWS CLI on our Kali Linux machine. This is the command line we will use throughout this blog to interact with our AWS environment:
1. To begin, let’s check whether the AWS CLI is already installed on our Kali Linux machine by running aws --version:
As you can see, I have aws-cli 2.1.29 installed on my Kali Linux machine.
2. If you have an old version, you will see which version you have. If you haven’t used it in a while, it’s best to go ahead and reinstall it:
To uninstall,
To install,
3. Double-check that your command-line interface installed successfully by running the --version switch again.
Configuring AWS-CLI with AWS Account:
To configure the AWS CLI with your AWS test account, you will need an Access Key ID, a Secret Access Key and a Region.
1. Open a Kali Linux terminal.
2. Type aws configure in the terminal.
3. Go to your AWS account and follow the steps below to generate a Secret Access Key and Access Key ID.
Log in to your account and navigate to the My Security Credentials tab as shown below.
You will get an Access Key ID and Secret Access Key once you click the Create New Access Key button and download the .csv file, as shown below:
Below is the content of the .csv file.
Copy and paste the Access Key ID, Secret Access Key, Region and Output Format into the Kali Linux terminal.
aws s3 ls s3://svn/godaddy: This command is used to list out the contents of a bucket in an S3 environment.
svn is not publicly open (not readable) but godaddy is publicly open. This means our configuration works fine.
An open bucket can be viewed in a browser like below:
A closed bucket [exists but closed] is shown as below in a web browser:
Important Note: If a bucket is not readable, it does not mean that you cannot exploit it; you can still try to upload or move a file to the bucket and delete a file from the bucket, and with some good luck report this vulnerability.
In the next step, if you are lucky enough, you can move and delete a file in this godaddy open bucket. Let’s try it.
Syntax for Move and Delete:
aws s3 mv [FILE NAME] s3://[BUCKET NAME]
For example: aws s3 mv test.txt s3://godaddy
aws s3 rm s3://[BUCKET NAME]/[FILE NAME]
For example: aws s3 rm s3://godaddy/test.txt
If you are lucky enough and public access is not restricted on the bucket, you will get a success message instead of a failure message.
So, all the above steps are required to generate the POC to find and exploit a misconfigured S3 bucket.
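From the bucket owner’s side, the three conditions the steps above probe for (anonymous listing, anonymous upload/move, anonymous delete) are all visible in the bucket’s own settings: the ACL, the bucket policy, and the Public Access Block configuration that mitigates both. The following is an added example, not code from the original post, that audits those three documents as printed by aws s3api get-bucket-acl, get-bucket-policy and get-public-access-block. The sample documents are constructed for a hypothetical bucket named example-bucket; the owner id and account id in them are placeholders.

```python
"""Audit an S3 bucket's ACL, bucket policy and Public Access Block settings.

Added example, not from the original post. Inputs have the shape of the JSON
printed by `aws s3api get-bucket-acl`, `get-bucket-policy` and
`get-public-access-block`; the sample documents at the bottom are constructed
for a hypothetical bucket "example-bucket" (owner and account ids are placeholders).
"""
import json

# Grantee URIs that make an ACL grant world-accessible.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# What each ACL permission lets an anonymous caller do.
ACL_PERMISSION_EFFECT = {
    "READ": "list objects (aws s3 ls)",
    "WRITE": "upload/delete objects (aws s3 mv / aws s3 rm)",
    "READ_ACP": "read the ACL",
    "WRITE_ACP": "rewrite the ACL",
    "FULL_CONTROL": "do everything",
}
# Policy actions that matter for the exposure discussed above (lower-cased).
SENSITIVE_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:putobject", "s3:deleteobject", "s3:*"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a string, a dict or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def _is_public_principal(principal):
    """True if Principal is "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_acl_findings(acl):
    """Findings for ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            perm = grant.get("Permission", "")
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {perm} to {group}: anyone can {ACL_PERMISSION_EFFECT.get(perm, perm)}")
    return findings


def public_policy_findings(policy_doc):
    """Findings for Allow statements with a wildcard principal (policy_doc is parsed JSON)."""
    findings = []
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _is_public_principal(stmt.get("Principal")):
            continue
        actions = [a for a in _as_list(stmt.get("Action")) if a.lower() in SENSITIVE_ACTIONS]
        if not actions:
            continue
        # A Condition (aws:SourceIp, aws:SourceVpce, ...) narrows "*" and needs a
        # human look; report it as conditional rather than fully public.
        scope = "conditionally" if stmt.get("Condition") else "unconditionally"
        findings.append(f"policy allows {', '.join(actions)} to Principal * {scope}")
    return findings


def public_access_block_gaps(pab):
    """Public Access Block flags that are not enabled (the mitigation)."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if not cfg.get(flag)]


def audit_bucket(acl, policy, pab):
    """Combine the three checks into one report for a bucket."""
    # get-bucket-policy returns the policy as a JSON string inside "Policy".
    policy_doc = json.loads(policy["Policy"]) if policy and "Policy" in policy else {}
    return {
        "acl": public_acl_findings(acl),
        "policy": public_policy_findings(policy_doc),
        "public_access_block_missing": public_access_block_gaps(pab),
    }


# --- constructed sample input (shape of the aws s3api output, values invented) ---
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
SAMPLE_ACL = {"Owner": {"ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-CANONICAL-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},   # anonymous aws s3 ls works
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},  # anonymous mv / rm work
]}
SAMPLE_POLICY = {"Policy": json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
]})}
# Weak setting: only two of the four flags on, so public ACLs are still honoured.
SAMPLE_PAB = {"PublicAccessBlockConfiguration": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                                                 "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
# Hardened setting: all four flags on.
HARDENED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    print(json.dumps(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB), indent=2))
```

Against the constructed sample, the report shows a public READ and WRITE ACL grant (exactly what makes the ls, mv and rm steps succeed), a policy statement that lets anyone read objects, and two Public Access Block flags left off; turning all four flags on, as in HARDENED_PAB, is what stops the public ACL and policy from being honoured.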
Some Useful AWS-CLI Commands:
Once you’ve configured your AWS CLI, use the following command to get a list of commands:
$ aws help
The following command is useful to describe the attributes of your EC2 instances:
$ aws ec2 describe-instances
The next command will list out the buckets in an S3 environment:
$ aws s3 ls s3://
The last command we will mention lists out your Lambda functions:
$ aws lambda list-functions --region <<region>>
How to Find S3 Buckets:
You can find S3 buckets using the S3 Bucket Finder tool. Below are the steps to install Bucket Finder.
Search Google for s3 bucket finder.
Navigate to the link.
Copy the link address for version 1.1, https://digi.ninja/files/bucket_finder_1.1.tar.bz2, and type the following commands in the terminal.
curl "https://digi.ninja/files/bucket_finder_1.1.tar.bz2" -o bucket_finder_1.1.tar.bz2
tar -xjf bucket_finder_1.1.tar.bz2 [the download is a bzip2 tarball, not a zip; if extraction does not work, unpack it manually into the tools folder]
Now paste all the enumerated subdomain prefixes into a wordlist file and run the following command.
For example:
Command, if you are using the Ruby script:
cd tools/bucket-finder
./bucket-finder.rb wordlist.txt
Command, if you are using the Python script:
cd tools/bucket-finder
python ./bucket-finder.py wordlist.txt DomainName 1
For example: python bucket-finder.py wordlist.txt twitter 1
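Name-guessing of this kind, and the anonymous ls, mv and rm attempts from earlier in the post, all leave a trail on the bucket owner’s side: with S3 server access logging enabled, every unauthenticated request is recorded with a requester field of “-”. The following is an added example, not from the original post or the Bucket Finder tool, that parses the documented server access log line format and flags anonymous listing, anonymous uploads and deletes, and bursts of denied anonymous requests from one address. The log lines are constructed for a hypothetical bucket named example-bucket; the owner, request and host ids are placeholders.

```python
"""Flag anonymous activity in S3 server access logs.

Added example, not from the original post. It assumes server access logging
is enabled on the bucket and parses the documented space-separated record
format; the sample records below are constructed for a hypothetical bucket
"example-bucket" (OWNERID, REQIDxx and HOSTID are placeholders).
"""
import re
from collections import defaultdict

# A record's fields are [bracketed] timestamps, "quoted" strings, or bare tokens.
TOKEN_RE = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')

# The leading positional fields of a server access log record (enough for this check).
FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent")

# Operations an anonymous caller should never complete successfully.
WRITE_OPS = {"REST.PUT.OBJECT", "REST.DELETE.OBJECT", "REST.POST.OBJECT", "REST.COPY.OBJECT"}
LIST_OPS = {"REST.GET.BUCKET"}
# Error codes that indicate a denied or non-existent-bucket probe.
PROBE_ERRORS = {"AccessDenied", "NoSuchBucket"}

# Constructed sample log: one address lists, uploads and deletes anonymously,
# a second address hammers a bucket it cannot read, and a real IAM user reads a file.
SAMPLE_LOG = """\
OWNERID example-bucket [06/Feb/2021:10:00:01 +0000] 198.51.100.7 - REQID01 REST.GET.BUCKET - "GET /example-bucket?list-type=2 HTTP/1.1" 200 - 1403 - 12 11 "-" "aws-cli/2.1.29" - HOSTID SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSv1.2
OWNERID example-bucket [06/Feb/2021:10:00:05 +0000] 198.51.100.7 - REQID02 REST.PUT.OBJECT test.txt "PUT /example-bucket/test.txt HTTP/1.1" 200 - - 12 9 8 "-" "aws-cli/2.1.29" - HOSTID SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSv1.2
OWNERID example-bucket [06/Feb/2021:10:00:09 +0000] 198.51.100.7 - REQID03 REST.DELETE.OBJECT test.txt "DELETE /example-bucket/test.txt HTTP/1.1" 204 - - - 5 4 "-" "aws-cli/2.1.29" - HOSTID SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSv1.2
OWNERID example-bucket [06/Feb/2021:10:01:00 +0000] 203.0.113.9 - REQID04 REST.GET.BUCKET - "GET / HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "Ruby" - HOSTID - - - example-bucket.s3.amazonaws.com TLSv1.2
OWNERID example-bucket [06/Feb/2021:10:01:01 +0000] 203.0.113.9 - REQID05 REST.GET.BUCKET - "GET / HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "Ruby" - HOSTID - - - example-bucket.s3.amazonaws.com TLSv1.2
OWNERID example-bucket [06/Feb/2021:10:01:02 +0000] 203.0.113.9 - REQID06 REST.GET.BUCKET - "GET / HTTP/1.1" 403 AccessDenied 243 - 3 - "-" "Ruby" - HOSTID - - - example-bucket.s3.amazonaws.com TLSv1.2
OWNERID example-bucket [06/Feb/2021:10:02:00 +0000] 192.0.2.44 arn:aws:iam::123456789012:user/alice REQID07 REST.GET.OBJECT report.pdf "GET /example-bucket/report.pdf HTTP/1.1" 200 - 51200 51200 40 12 "-" "aws-cli/2.1.29" - HOSTID SigV4 - AuthHeader example-bucket.s3.amazonaws.com TLSv1.2
"""


def parse_record(line):
    """Split one log line into a dict of the leading fields; None if malformed."""
    tokens = TOKEN_RE.findall(line)
    if len(tokens) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = rec["time"].strip("[]")
    rec["request_uri"] = rec["request_uri"].strip('"')
    return rec


def anonymous_findings(log_text, probe_threshold=3):
    """Return human-readable findings for unauthenticated (requester "-") requests."""
    findings = []
    denied_by_ip = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["requester"] != "-":
            continue  # malformed, or an authenticated caller
        succeeded = rec["http_status"].startswith("2")
        if succeeded and rec["operation"] in LIST_OPS:
            findings.append(f"{rec['remote_ip']} listed bucket {rec['bucket']} anonymously (public READ)")
        elif succeeded and rec["operation"] in WRITE_OPS:
            findings.append(f"{rec['remote_ip']} {rec['operation']} {rec['key']} anonymously (public WRITE)")
        elif rec["error_code"] in PROBE_ERRORS:
            denied_by_ip[rec["remote_ip"]] += 1
    # Repeated denied anonymous requests from one address look like bucket name probing.
    for ip, count in denied_by_ip.items():
        if count >= probe_threshold:
            findings.append(f"{ip} made {count} denied anonymous requests (bucket probing)")
    return findings


if __name__ == "__main__":
    for finding in anonymous_findings(SAMPLE_LOG):
        print(finding)
```

The successful anonymous list, put and delete entries are the owner-side evidence of the exact misconfiguration the post exploits, and are the findings to act on first (turn on Public Access Block, remove the AllUsers grants); the denied-request burst is lower priority but tells you your bucket names are being guessed.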
I will add some screenshots later on, with success messages, when I successfully exploit some misconfigured S3 buckets in my pen-testing practice.
In my next blog, I will add some in-depth info on finding potential S3 buckets using Python and Bash scripting.
Please provide your valuable suggestions and feedback.
Thanks Readers!