S3

Viewable Buckets

Tools for listing S3 buckets:
https://github.com/hehnope/slurp
https://github.com/sa7mon/S3Scanner

Info: https://blog.intigriti.com/hacking-tools/hacking-misconfigured-aws-s3-buckets-a-complete-guide

Global Viewable (Anonymous)

Check whether buckets are viewable:
AWS

Do not use the Everyone option for Grantee

List files:

aws s3 --no-sign-request ls s3://<BUCKET_NAME>

Download single file:

aws s3 --no-sign-request cp s3://<BUCKET_NAME>/<FILE_NAME> <OUTPUT_FOLDER>

Sync whole bucket (download):

aws s3 --no-sign-request sync s3://<BUCKET_NAME> <OUTPUT_FOLDER>

Upload file:

aws s3 --no-sign-request cp <FILE_NAME> s3://<BUCKET_NAME>

Viewable by other S3 Users

Sometimes S3 buckets are mistakenly configured to let any user from any AWS account authenticate to resources within the bucket. The resources then seem secure because anonymous attempts fail, but an attacker who has an AWS account of their own may be able to use it to access resources in another account.

Check whether buckets are viewable by other S3 users:

aws s3 ls s3://level2-c8b217a33fcf1f839f6f1f73a00a9ae7.flaws.cloud

Do not use the Any Authenticated AWS User option for Grantee

Get AWS region for bucket:

aws s3api get-bucket-location --bucket <BUCKET_NAME>

List objects in bucket:

aws s3 ls --region=us-east-2 s3://<BUCKET_NAME>
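
The two Grantee warnings above (Everyone, Any Authenticated AWS User) can be checked from the owner's side by auditing the bucket ACL. This is an added example, not part of the original page: it reads the JSON printed by aws s3api get-bucket-acl and flags grants to the two global groups. The function name audit_acl and the sample ACL are constructed for illustration, and only ACL grants are covered, not bucket policies.

```python
import json
import sys

# ACL group URIs behind the two console Grantee options named above.
RISKY_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "Everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "Any Authenticated AWS User",
}

# What each bucket-level ACL permission lets the grantee do.
EFFECT = {
    "READ": "list objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list, write, and read/rewrite the ACL",
}

def audit_acl(acl):
    """Return (grantee_label, permission, effect) for every grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = RISKY_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") == "Group" and label:
            perm = grant.get("Permission", "")
            findings.append((label, perm, EFFECT.get(perm, "unknown permission")))
    return findings

# Constructed sample in the shape `aws s3api get-bucket-acl` prints (not real data).
SAMPLE_ACL = json.loads("""
{
  "Owner": {"DisplayName": "example-owner", "ID": "EXAMPLE_CANONICAL_ID"},
  "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_CANONICAL_ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "WRITE"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"}
  ]
}
""")

if __name__ == "__main__":
    # Real use: aws s3api get-bucket-acl --bucket <BUCKET_NAME> | python3 audit_acl.py
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    results = audit_acl(json.loads(piped) if piped.strip() else SAMPLE_ACL)
    for label, perm, effect in results:
        print(f"[!] {label}: {perm} ({effect})")
    sys.exit(1 if results else 0)
```

The script exits non-zero when a global-group grant is found, so it can gate a scheduled check or a CI job.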

Source

Clone the S3 info

Clone S3 bucket to file system:

aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2