# 3. Exploit S3 buckets

S3 buckets are used by customers and end users to store text documents, PDFs, videos, images, etc. To store this data, the user needs to create a bucket with a unique name.

Listed below are several techniques that can be adopted to identify AWS S3 Buckets:

* **Inspecting HTML**: Analyze the source code of HTML web pages in the background to find URLs to the target S3 buckets
* **Brute-Forcing URL**: Use Burp Suite to perform a brute-force attack on the target bucket’s URL to identify its correct URL
* **Finding subdomains**: Use tools such as Findsubdomains and Robtex to identify subdomains related to the target bucket
* **Reverse IP Search**: Use search engines such as Bing to perform reverse IP search to identify the domains of the target S3 buckets
* **Advanced Google hacking**: Use advanced Google search operators such as **“inurl”** to search for URLs related to the target S3 buckets

{% embed url="<https://youtu.be/P92cN2m6f08>" %}
Exploit S3 Buckets - Flaws.cloud level 1
{% endembed %}

## 1. Exploit S3 buckets using the AWS CLI

{% embed url="<https://cavementech.com/2022/12/flaws-cloud-writeup.html>" %}
Refer to the writeup
{% endembed %}

The AWS command line interface (CLI) is a unified tool for managing AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts. Before starting this task, you must create your AWS account (**<https://aws.amazon.com>**). First, install the CLI and configure a profile.

```
pip3 install awscli   # the AWS CLI package on PyPI is named "awscli"
aws --help
aws configure         # configure a user profile
```

It will ask for the following details:

* AWS Access Key ID
* AWS Secret Access Key
* Default region name
* Default output format

1. To provide these details, you need to log in to your AWS account.
2. Click the **Firefox** icon in the top section of the **Desktop**.
3. Log in to the AWS account that you created at the beginning of this task. Click the **Firefox** browser icon in the menu, type **<https://console.aws.amazon.com>** in the address bar, and press **Enter**.

   > If you do not have an AWS account, create one with the Basic Free Plan, and then proceed.

Click the AWS account drop-down menu and click **Security credentials**, as shown in the screenshot.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FfqOtNOGY6jSt1xS9MG7p%2Fimage.png?alt=media&#x26;token=6badff90-1f6b-4282-9b61-daa98989bcf2" alt=""><figcaption></figcaption></figure>

Scroll down to the **Access Keys** section. Click the **Create Access Key** button. In the **Continue to create access key?** prompt, select the check box and click **Create access key**.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FIVPYbGGedIWTnLKSRN01%2Fimage.png?alt=media&#x26;token=15db8be0-a9a3-45d8-80ca-bb0192955478" alt=""><figcaption></figcaption></figure>

Copy the **Access Key** and switch to the **Terminal** window.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FWxIvP5pwwv8iir2011jV%2Fimage.png?alt=media&#x26;token=d99c0f37-7022-4fd8-9e93-f0d252b48e22" alt=""><figcaption></figcaption></figure>

In the terminal window, right-click your mouse, select **Paste** from the context menu to paste the copied **AWS Access Key ID**, and press **Enter**. It will prompt you for the **AWS Secret Access Key**. Switch to your AWS Account in the browser.

Copy the **Secret Access Key** and minimize the browser window. Switch to the **Terminal** window.

In the terminal window, right-click your mouse, select **Paste** from the context menu to paste the copied **Secret Access Key**, and press **Enter**. It will prompt you for the default region name.

In the **Default region name** field, type **eu-west-1** and press **Enter**.

The **Default output format** prompt appears; leave it as default and press **Enter**.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2F9izubCZWwWP6ram8V8N4%2Fimage.png?alt=media&#x26;token=f5698144-f8fd-40d5-893a-b057af9987c5" alt=""><figcaption></figcaption></figure>

Let us list the directories in the **certifiedhacker02** bucket. In the terminal window, type:

```
aws s3 ls s3://[Bucket Name]
```

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FMz7wVseqSEtkkXelS7qs%2Fimage.png?alt=media&#x26;token=faae68ca-e1f5-474e-a144-01432e423335" alt=""><figcaption></figcaption></figure>

Now, maximize the browser window, type **certifiedhacker02.s3.amazonaws.com** in the address bar, and press **Enter**. This will show you the complete list of directories and files available in this bucket.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FzxsKXiSGK8pjWpXTZw5G%2Fimage.png?alt=media&#x26;token=4dd9adb3-0067-40e0-b346-7f940af6e84f" alt=""><figcaption></figcaption></figure>

Let us move some files to the certifiedhacker02 bucket. To do this, in the terminal window, type **echo You have been hacked >> Hack.txt** and press **Enter**. By issuing this command, you are creating a file named **Hack.txt**.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2Ffpeo1oZGKmMAizF64pnJ%2Fimage.png?alt=media&#x26;token=913290ac-ad21-49e4-92f7-f2f5990d0c95" alt=""><figcaption></figcaption></figure>

Let us try to move the **Hack.txt** file to the **certifiedhacker02** bucket. In the terminal window, type:

```
aws s3 mv Hack.txt s3://certifiedhacker02
```

You have successfully moved the **Hack.txt** file to the **certifiedhacker02** bucket.

To verify whether the file is moved, switch to the browser window and maximize it. Reload the page.

To delete the **Hack.txt** file from the **certifiedhacker02** bucket, type the following in the terminal window:

```
aws s3 rm s3://certifiedhacker02/Hack.txt 
```

By issuing this command, you have successfully deleted the **Hack.txt** file from the **certifiedhacker02** bucket.

<figure><img src="https://2218819509-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrUBnODuUX4EQ8P27uc5D%2Fuploads%2FTd93PhO0Vd6izBZon7oM%2Fimage.png?alt=media&#x26;token=c945fb7f-c709-4032-a626-ac8b60726cc4" alt=""><figcaption></figcaption></figure>
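
A defender-side check for the misconfiguration this walkthrough relies on, as an added example (not code from the original page): given a bucket's ACL grants and policy, it reports which of the three commands used above (`aws s3 ls`, `aws s3 mv`, `aws s3 rm`) a public audience could run. The function and constant names and the sample bucket configuration are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase

# Each command used in the walkthrough needs one S3 permission on the bucket.
CLI_TO_ACTION = {"aws s3 ls": "s3:ListBucket", "aws s3 mv": "s3:PutObject",
                 "aws s3 rm": "s3:DeleteObject"}
# Predefined public ACL groups, and the actions each bucket ACL permission implies.
GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {GROUPS + "AllUsers": "anonymous",
                 GROUPS + "AuthenticatedUsers": "any AWS account"}
ACL_IMPLIES = {"READ": {"s3:ListBucket"},
               "WRITE": {"s3:PutObject", "s3:DeleteObject"},
               "FULL_CONTROL": set(CLI_TO_ACTION.values())}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _anyone(principal):  # True for Principal "*" or {"AWS": "*"}
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def exposed_commands(policy, grants):
    """Map each walkthrough command to the public audiences allowed to run it."""
    who_can = {action: set() for action in CLI_TO_ACTION.values()}
    for grant in grants:
        audience = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if audience:
            for action in ACL_IMPLIES.get(grant.get("Permission"), ()):
                who_can[action].add(audience)
    for stmt in policy.get("Statement", []):
        if (stmt.get("Effect") != "Allow" or "Condition" in stmt
                or not _anyone(stmt.get("Principal"))):
            continue  # Deny and conditional statements are not evaluated here
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        for action in who_can:
            if any(fnmatchcase(action.lower(), p) for p in patterns):
                who_can[action].add("anonymous")
    return {cmd: sorted(who_can[act]) for cmd, act in CLI_TO_ACTION.items()}

# Constructed sample (parsed get-bucket-acl Grants / get-bucket-policy Policy).
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "Group", "URI": GROUPS + "AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": GROUPS + "AuthenticatedUsers"}, "Permission": "WRITE"},
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:Put*"],
     "Resource": "arn:aws:s3:::example-lab-bucket/*"}]}
print(exposed_commands(SAMPLE_POLICY, SAMPLE_GRANTS))
```

Any non-empty list in the result means the corresponding command works without credentials that belong to the bucket owner; the owner's own `FULL_CONTROL` grant is ignored because it names a canonical user, not a public group.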

{% embed url="<https://youtu.be/hO_SbTj8Hts>" %}
Exploit S3 Buckets - Flaws.cloud level 2
{% endembed %}

