3. Exploit S3 buckets

Using various techniques, you can exploit misconfigurations in bucket implementation and breach the security mechanism to compromise data privacy.

S3 buckets are used by customers and end users to store text documents, PDFs, videos, images, etc. To store all these data, the user needs to create a bucket with a unique name.

Listed below are several techniques that can be adopted to identify AWS S3 Buckets:

  • Inspecting HTML: Analyze the source code of HTML web pages in the background to find URLs to the target S3 buckets

  • Brute-Forcing URL: Use Burp Suite to perform a brute-force attack on the target bucket’s URL to identify its correct URL

  • Finding subdomains: Use tools such as Findsubdomains and Robtex to identify subdomains related to the target bucket

  • Reverse IP Search: Use search engines such as Bing to perform reverse IP search to identify the domains of the target S3 buckets

  • Advanced Google hacking: Use advanced Google search operators such as “inurl” to search for URLs related to the target S3 buckets

1. Exploit S3 buckets using the AWS CLI

Refer to the writeup.

The AWS command line interface (CLI) is a unified tool for managing AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts. Before starting this task, you must create your AWS account (https://aws.amazon.com). First, install the AWS CLI and configure a profile.

pip3 install awscli
aws --help
aws configure   # configure user profiles

It will ask for the following details:

  • AWS Access Key ID

  • AWS Secret Access Key

  • Default region name

  • Default output format

  1. To provide these details, you need to log in to your AWS account.

  2. Click the Firefox icon in the top section of the Desktop.

  3. Log in to the AWS account that you created at the beginning of this task. Click the Firefox browser icon in the menu, type https://console.aws.amazon.com in the address bar, and press Enter.

    If you do not have an AWS account, create one with the Basic Free Plan, and then proceed.

Click the AWS account drop-down menu and click Security credentials.

Scroll down to the Access Keys section. Click the Create Access Key button. In Continue to create access key?, check the check box and click Create access key.

Copy the Access Key and switch to the Terminal window.

In the terminal window, right-click your mouse, select Paste from the context menu to paste the copied AWS Access Key ID, and press Enter. It will prompt you for the AWS Secret Access Key. Switch to your AWS Account in the browser.

Copy the Secret Access Key and minimize the browser window. Switch to the Terminal window.

In the terminal window, right-click your mouse, select Paste from the context menu to paste the copied Secret Access Key, and press Enter. It will prompt you for the default region name.

In the Default region name field, type eu-west-1 and press Enter.

The Default output format prompt appears; leave it as default and press Enter.

Let us list the directories in the certifiedhacker02 bucket. In the terminal window, type

aws s3 ls s3://[Bucket Name]

Now, maximize the browser window, type certifiedhacker02.s3.amazonaws.com in the address bar, and press Enter. This will show you the complete list of directories and files available in this bucket.

Let us move some files to the certifiedhacker02 bucket. To do this, in the terminal window, type echo You have been hacked >> Hack.txt and press Enter. By issuing this command, you are creating a file named Hack.txt.

Let us try to move the Hack.txt file to the certifiedhacker02 bucket. In the terminal window, type

aws s3 mv Hack.txt s3://certifiedhacker02

You have successfully moved the Hack.txt file to the certifiedhacker02 bucket.

To verify whether the file is moved, switch to the browser window and maximize it. Reload the page.

To delete the Hack.txt file from the certifiedhacker02 bucket, in the terminal window, type

aws s3 rm s3://certifiedhacker02/Hack.txt 

By issuing this command, you have successfully deleted the Hack.txt file from the certifiedhacker02 bucket.
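As an added example (not part of the original lab), the Python sketch below audits a bucket you own for the kind of grants that let outside accounts perform the list, upload, and delete steps shown above. It assumes the ACL JSON printed by `aws s3api get-bucket-acl` and a bucket policy document as input; the function names and sample documents are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# Predefined S3 grantee groups that reach beyond the bucket owner.
GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# Bucket-ACL permission -> exposed operation (READ is what `aws s3 ls` needs,
# WRITE is what the upload half of `aws s3 mv` needs).
ACL_OPS = {"READ": ["list"], "WRITE": ["write"], "WRITE_ACP": ["change-acl"],
           "FULL_CONTROL": ["list", "write", "change-acl"]}
# Bucket-policy action -> exposed operation (ls, mv upload, rm).
POLICY_OPS = {"s3:listbucket": "list", "s3:putobject": "write",
              "s3:deleteobject": "delete"}

def audit_acl(acl):
    """Return sorted (grantee_group, operation) pairs open to non-owners."""
    found = set()
    for grant in acl.get("Grants", []):
        group = GROUPS.get(grant.get("Grantee", {}).get("URI"))
        if group:
            found.update((group, op) for op in ACL_OPS.get(grant.get("Permission"), []))
    return sorted(found)

def audit_policy(policy):
    """Return sorted operations that Allow statements grant to Principal "*".
    Conditions are not evaluated, so conditioned statements are still reported."""
    found = set()
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        if st.get("Effect") != "Allow" or principal not in ("*", ["*"]):
            continue
        actions = st.get("Action", [])
        for pattern in [actions] if isinstance(actions, str) else actions:
            found.update(op for action, op in POLICY_OPS.items()
                         if fnmatchcase(action, pattern.lower()))
    return sorted(found)

# Constructed samples: an ACL as printed by get-bucket-acl, and a bucket policy document.
SAMPLE_ACL = json.loads("""{"Grants": [
  {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
  {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"}]}""")
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:Delete*"],
   "Resource": "arn:aws:s3:::example-bucket/*"}]}""")

if __name__ == "__main__":
    print(audit_acl(SAMPLE_ACL), audit_policy(SAMPLE_POLICY))
```

Any non-empty result means the bucket is reachable by accounts other than its owner and the grant should be reviewed.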
