Cyber Security Notes

S3 - Enum Basics - PwnedLabs

Last updated 2 months ago

For example, we have a website that is fetching resources from an S3 bucket. In the view source we spot the following:

https://s3.amazonaws.com/dev.huge-logistics.com/static/style.css

In AWS we have the following types of buckets:

1. Amazon S3 Buckets (Object Storage)
  • General-Purpose Buckets – For storing any kind of object (files, images, logs, backups, etc.).
  • Static Website Hosting Buckets – Configured to serve a website directly from S3.
  • Logging Buckets – Used for storing access logs from CloudTrail, ALB, or S3 itself.
  • Data Lake Buckets – Used for storing large-scale data for analytics (e.g., AWS Lake Formation).
  • Backup Buckets – Used to store backups from AWS Backup or other services.
  • Machine Learning Data Buckets – For training ML models with AWS SageMaker.

From the AWS documentation here, we observe the following:

  1. Every object in a bucket has a URL that can be used to access it. As Amazon states: "Every object is contained in a bucket. For example, if the object named photos/puppy.jpg is stored in the amzn-s3-demo-bucket bucket in the US West (Oregon) Region, then it is addressable by using the URL https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg"

  2. In our source code above, we have https://s3.amazonaws.com/dev.huge-logistics.com/static/style.css, which means the name of the bucket is dev.huge-logistics.com, although it is not in the format stated above. GPT explains this:

    1️⃣ Virtual-Hosted Style URL (Modern Default)

    Most AWS documentation now suggests using the virtual-hosted style URL format, where the bucket name appears as a subdomain:

    https://<bucket-name>.s3.<region>.amazonaws.com/<object-path>

    For example, if the bucket is amzn-s3-demo-bucket in us-west-2, an object called photos/puppy.jpg would be accessed at:

    https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg

    This is now the default method for accessing objects in newer AWS regions.

    2️⃣ Path-Style URL (Older Format, Used in Some Cases)

    The URL you provided follows the older path-style access method:

    https://s3.amazonaws.com/<bucket-name>/<object-path>

    Your example:

    https://s3.amazonaws.com/dev.huge-logistics.com/static/style.css

    Here:

    • s3.amazonaws.com is the base S3 endpoint.

    • dev.huge-logistics.com is the bucket name.

    • /static/style.css is the object path.

    AWS allowed this format for a long time, but in 2019 AWS announced that path-style URLs are being deprecated for new buckets in most regions. However, older buckets or buckets in legacy regions (like us-east-1) still support it.

  3. Okay, so we can enumerate it.

Any command help in AWS is generally in the format:

aws <module> <additional API call (if any)> help

So, aws s3 help would tell you that you can run "ls" to enumerate (--no-sign-request makes the call unauthenticated, so this only works where the bucket allows anonymous listing):

aws s3 ls s3://dev.huge-logistics.com/admin --no-sign-request

The following command does a recursive "ls". If it can't access anything, it throws an error:

aws s3 ls s3://dev.huge-logistics.com/admin --no-sign-request --recursive

Similarly, one can look in a specific folder by appending the folder name to the URL:

aws s3 ls s3://dev.huge-logistics.com/shared/ --no-sign-request
aws s3 ls s3://dev.huge-logistics.com/static/ --no-sign-request

However, we don't have access to admin and migration-files right now. We can copy hl_migration_project.zip to the current folder like so:

aws s3 cp s3://dev.huge-logistics.com/shared/hl_migration_project.zip . --no-sign-request

We see access keys in one of the files. This is a bad practice.

We can configure these credentials using the "aws configure" command and access other folders.

But I couldn't access these. So I accessed another folder.

It had this line:

<CredentialEntry>
        <ServiceType>AWS IT Admin</ServiceType>
        <AccountID>794929857501</AccountID>
        <AccessKeyID>AKIA3SFMDAPOQRFWFGCD</AccessKeyID>
        <SecretAccessKey>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</SecretAccessKey>
        <Notes>AWS credentials for production workloads. Do not share these keys outside of the organization.</Notes>
    </CredentialEntry>

^ I configured the compromised access keys and accessed the flag that way.
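To make the two URL styles concrete, here is a small parser, added to these notes as an example (it is not part of the PwnedLabs lab or the AWS CLI), that pulls the bucket name, region and object key out of either form and turns it into the s3:// URI that the aws s3 ls / aws s3 cp commands above take. It also flags bucket names that contain dots, like dev.huge-logistics.com: such names cannot be served over HTTPS on the virtual-hosted host because the wildcard TLS certificate only covers a single label, which is one reason those buckets are still reached path-style. The dash-separated regional endpoint (s3-<region>.amazonaws.com) is an older form I include as an assumption; everything else follows the URL formats quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Host patterns for the two URL styles quoted in the notes above.
#   Virtual-hosted: <bucket>.s3.<region>.amazonaws.com  or  <bucket>.s3.amazonaws.com
#   Path-style:     s3.<region>.amazonaws.com/<bucket>/... or s3.amazonaws.com/<bucket>/...
# The "[.-]" before the region also accepts the older s3-<region> endpoint (assumption:
# still found in old links; harmless for the modern dotted form).
_PATH_HOST = re.compile(r"^s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$")
_VHOST = re.compile(
    r"^(?P<bucket>[a-z0-9.\-]+)\.s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com$"
)


@dataclass
class S3Ref:
    style: str             # "path" or "virtual-hosted"
    bucket: str
    key: str               # object path without the leading slash; "" for the bucket root
    region: Optional[str]  # None when the URL carries no region (legacy global endpoint)


def parse_s3_url(url: str) -> Optional[S3Ref]:
    """Return the bucket/key/region behind an S3 URL, or None if it is not an S3 URL."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lstrip("/")

    # Path-style first: the bucket is the first path segment, the host names only S3.
    m = _PATH_HOST.match(host)
    if m:
        bucket, _, key = path.partition("/")
        if not bucket:
            return None  # https://s3.amazonaws.com/ alone names no bucket
        return S3Ref("path", bucket, key, m.group("region"))

    # Virtual-hosted: the bucket is the subdomain in front of ".s3".
    m = _VHOST.match(host)
    if m:
        return S3Ref("virtual-hosted", m.group("bucket"), path, m.group("region"))
    return None


def needs_path_style(bucket: str) -> bool:
    """True when the bucket name contains a dot, so it cannot be fetched over HTTPS
    as <bucket>.s3.amazonaws.com without a certificate mismatch."""
    return "." in bucket


def to_s3_uri(ref: S3Ref) -> str:
    """The s3:// form used by `aws s3 ls` and `aws s3 cp`."""
    return f"s3://{ref.bucket}/{ref.key}" if ref.key else f"s3://{ref.bucket}/"


if __name__ == "__main__":
    # The URL spotted in the page source of the lab website.
    ref = parse_s3_url("https://s3.amazonaws.com/dev.huge-logistics.com/static/style.css")
    print(ref)
    print("enumerate with:", "aws s3 ls", to_s3_uri(ref), "--no-sign-request")
    print("dotted bucket, path-style only over HTTPS:", needs_path_style(ref.bucket))
```

Feeding the page-source URL through parse_s3_url gives a path-style reference with bucket dev.huge-logistics.com, no region, and key static/style.css, which is exactly the s3://dev.huge-logistics.com/ prefix the ls commands above enumerate; the documentation example resolves to the virtual-hosted form with region us-west-2.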
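The access keys sitting inside hl_migration_project.zip are the kind of thing a defender wants to catch before a bucket ever goes public. The scanner below is an added example for these notes, not part of the lab or of any real tool: it opens an archive in memory (what aws s3 cp would have fetched), walks its text members, and reports long-lived IAM user credentials by shape: an access key ID is AKIA followed by 16 upper-case alphanumerics, and a secret key is a 40-character base64-like run, which the scanner only counts when the line also mentions "secret", to keep hashes and other 40-character strings out of the results. The sample archive is constructed here and uses AWS's documented placeholder key pair (AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY) laid out like the CredentialEntry block above rather than the lab's values; findings are redacted so a report does not itself leak the secret.

```python
import io
import re
import zipfile
from typing import List, Tuple

# IAM user access key IDs: "AKIA" + 16 upper-case alphanumerics (20 chars total).
ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Secret access keys: 40 base64-like characters with no such character on either side.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
# The secret pattern is loose on purpose, so it only counts on lines that look like a secret.
SECRET_CONTEXT_RE = re.compile(r"secret", re.IGNORECASE)

Finding = Tuple[str, int, str, str]  # (member name, line number, kind, redacted value)


def redact(value: str) -> str:
    """Keep just enough of the value to locate it in the real file without reproducing it."""
    return value[:4] + "..." + value[-4:]


def scan_text(member: str, text: str) -> List[Finding]:
    """Report credential-shaped strings in one text member, line by line."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((member, line_no, "aws_access_key_id", redact(m.group(0))))
        if SECRET_CONTEXT_RE.search(line):
            for m in SECRET_KEY_RE.finditer(line):
                findings.append((member, line_no, "aws_secret_access_key", redact(m.group(0))))
    return findings


def scan_zip(data: bytes) -> List[Finding]:
    """Scan every text member of a zip held in memory; binary members are skipped."""
    findings: List[Finding] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            try:
                text = zf.read(info).decode("utf-8")
            except UnicodeDecodeError:
                continue  # not text; a fuller scanner would hand this to a binary detector
            findings.extend(scan_text(info.filename, text))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the lab's migration archive: one member that leaks a
    credential entry (AWS's documented example key pair, not the lab's) and one clean member."""
    creds_xml = (
        "<CredentialEntry>\n"
        "    <ServiceType>AWS IT Admin</ServiceType>\n"
        "    <AccountID>123456789012</AccountID>\n"
        "    <AccessKeyID>AKIAIOSFODNN7EXAMPLE</AccessKeyID>\n"
        "    <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</SecretAccessKey>\n"
        "    <Notes>AWS credentials for production workloads.</Notes>\n"
        "</CredentialEntry>\n"
    )
    readme = "Migration project notes. Nothing sensitive here.\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hl_migration_project/config/credentials.xml", creds_xml)
        zf.writestr("hl_migration_project/README.txt", readme)
    return buf.getvalue()


if __name__ == "__main__":
    for member, line_no, kind, value in scan_zip(build_sample_zip()):
        print(f"{member}:{line_no}: {kind} {value}")
```

Run against the constructed archive it reports two findings in credentials.xml (the key ID on line 4, the secret on line 5) and nothing for the README; the same two functions can be pointed at a real archive with open(path, "rb").read(), or at a build tree before it is uploaded, which is where a check like this belongs.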