Exploiting CEH S3 Bucket Part-3

Exploiting CEH S3 Bucket Part-3

·

5 min read

Introduction

AWS Bucket allows customers and end users to utilize S3 buckets to store a wide range of content, including text documents, PDFs, videos, images, and more. To store this diverse array of data, users are required to establish a unique-named bucket.

Here are several techniques that can be employed to discover AWS S3 Buckets:

  • HTML Inspection: Analyze the source code of HTML web pages in the background to locate URLs leading to the desired S3 buckets.

  • URL Brute-Forcing: Utilize Burp Suite to conduct a brute-force attack on the URL of the target bucket, aiming to identify the correct URL.

  • Subdomain Identification: Leverage tools like Findsubdomains and Robtex to detect subdomains associated with the intended bucket.

  • Reverse IP Search: Utilize search engines such as Bing to perform a reverse IP search, revealing the domains linked to the target S3 buckets.

  • Advanced Google Hacking: Employ advanced Google search operators such as "inurl" to search for URLs connected to the desired S3 buckets.

Target Bucket

The target bucket for this lab is http://certifiedhacker1.s3.amazonaws.com/. EC-Council deliberately set this bucket in a public state for educational purposes.

Lab Task

In this lab, you are tasked with

  • Installing AWS CLI

  • Creating an IAM user account with Access key credentials

  • Exploit content within the S3 bucket

You can check flaws.cloud walkthrough (level 1-6) on exploiting S3 misconfigured buckets.

Installing AWS CLI

For this lab, we have already installed AWS CLI on a Parrot virtual machine.

Check out AWS documentation on installing AWS CLI on Linux or any operating system of your choice. or check the write-up of part-1 of this series for a guide.

Creating an IAM user account with Access key credentials

  • Sign in to your AWS management console and search for IAM

  • In IAM Dashboard, navigate to User on the left plan and click on Add User

  • Next, supply details (e.g name of the user) and create a user

  • Navigate to your created IAM user information page and create programmatic access keys

Check flaws.cloud walkthrough Level - 2: Insecure S3 Buckets for guidance on creating an IAM user account with Access keys credentials

Exploiting content within the S3 bucket

The reason for not creating an IAM user account is that AWS has a command called --no-sign-request an option, which allows the AWS CLI to make requests without requiring any sign-in credentials.

The command is also called the “anonymous access feature

  • After installing AWS CLI, open your command prompt (Windows) or terminal (Linux/macOS) and type the command then press enter.
aws s3 ls s3://certifiedhacker1 --no-sign-request

For this lab, we are using Linux (Parrot OS)

By executing the command above, it listed the content in certifiedhacker1 bucket.

  • Now, let’s view the Permissions associated with the bucket (certifiedhacker1) using the command
aws s3api get-bucket-acl --bucket certifiedhacker1 --no-sign-request

Press Ctrl + Z to exit

From the resulting screenshot above, the bucket name (certifiedhacker1) has a FULL_CONTROL Permission. This means that anyone on the internet who has access to the bucket can:

  1. Read: Anyone can view the contents of the bucket and retrieve objects stored within it.

  2. Write: Anyone can add new objects to the bucket or overwrite existing objects.

  3. Delete: Anyone can remove objects from the bucket.

  4. List: Anyone can retrieve a listing of all objects present in the bucket.

  5. Modify Permissions: Anyone can modify the access control permissions associated with the bucket and its objects.

  6. Change Bucket Configuration: Anyone can modify the bucket's settings and configuration options.

Adding new objects to the bucket

Let’s create a text file and move it into (certifiedhacker1) S3 bucket

  • Execute the following command to create a text file on your desktop:
# to change present working directory to Desktop
$cd Desktop

# Creating a text file with vim editor. Type 
$vim Hello-World.txt
# Type the text "You have be hacked" in the vim editor

Note: To exit from the Vim editor:

  1. Press the Esc key to ensure you are in the command mode (if you are currently in insert mode).

  2. Type :wq! and press Enter.

  • To confirm Hello-World.txt was properly saved, type cat Hello-World.txt

  • Type the command to move Hello-World.txt to (certifiedhacker1) S3 bucket
aws s3 mv Hello-World.txt s3://certifiedhacker1 --no-sign-request

  • To confirm if the file has been successfully moved, enter the following command.
aws s3 ls s3://certifiedhacker1 --no-sign-request

You can also view the bucket via any browser using the bucket URL http://certifiedhacker1.s3.amazonaws.com/

Mini-Task for you

You are tasked with downloading the content of the bucket (certifiedhacker1) on your computer and then, viewing the pdf files in the bucket to determine if they are confidential files or not

  • Use the command to download the content of the S3 bucket (certifiedhacker1) on your computer

      # Firstly you need to create a directory or folder (your pwd should be Desktop)
      $cd Desktop
    
      # create a directory or folder 
      $mkdir EC3-file # <any name of your choice>
    
# Command to execute
aws s3 sync s3://certifiedhacker1 local-folder --no-sign-request

## Replace **local-folder** with the path to the local directory where you want to save the downloaded files.

# After creating a directory on your Desktop, you should have your command as:
aws s3 sync s3://certifiedhacker1 ~/Desktop/EC3-file --no-sign-request

# check the content of the directory or folder 
$cd EC3-file
$ls #<list what is in dirctory>

# Next, view the pdf files in the bucket if they are confidential files or not 
you can use command-line tools such as evince, xpdf, or pdftotext to view the files

Replace local-folder with the path to the local directory where you want to save the downloaded files.

Deleting Created Resource

Since the bucket http://certifiedhacker1.s3.amazonaws.com/ by EC-Council is deliberately set as a public bucket for educational purposes. It is recommended to delete any resources added to the bucket.

  • Use the command to remove Hello-World.txt file added to the bucket
aws s3 rm s3://certifiedhacker1/Hello-World.txt --no-sign-request

  • To verify that the file Hello-World.txt was successfully removed, use the command:
aws s3 ls s3://certifiedhacker1 --no-sign-request

Did you find this article valuable?

Support Everything ~ Cloud Security by becoming a sponsor. Any amount is appreciated!