#5. Bug Bounty Series: $$$ by AWS S3 Bucket misconfigurations
Hello guys! In this writeup, I'm going to explain how I was able to take control of a target website's S3 bucket. So, without any further delay, let's dive into the topic.
What is Amazon S3 Bucket?
S3 stands for Simple Storage Service, and it is AWS's cloud storage service. S3 provides the ability to store, retrieve, access, and back up any amount of data at any time and place. As S3 is object-based storage, this means that all data is stored as objects.
What is s3 bucket takeover?
The AWS S3 Bucket Takeover is a powerful attack that targets misconfigured buckets on Amazon's cloud storage service. This attack allows attackers to access any private storage area belonging to an organization, access the data inside it, and take complete control of the bucket.
Impacts of s3 bucket takeover
Threat actors can use compromised AWS S3 Buckets in various malicious activities, such as:
- Conducting phishing attacks by creating fake websites
- Adding malware files to the compromised bucket can lead to supply chain attacks and similar threats
- Redirecting URLs to malicious sites or applications, which can compromise the organization's virtual environments
So coming to the point, the target is *.example.com. I will explain the methods which I used to get the s3 bucket.
Recon process:
- First, I enumerated the subdomains for the *.target.com target using the Subfinder and Findomain tools.
subfinder -d target.com | httpx > target.txt
findomain -t target.com | httpx > targetfind.txt
- After collecting and sorting the unique subdomains, I checked which applications were live, and their status codes, using the httpx tool.
cat alldomains.txt | httpx -sc --title
I then began manually testing the juicy subdomains. When I was inspecting the page source of the website, I discovered a URL in a JS file from one of the subdomains that contained the S3 bucket name and other information. So I accessed the URL.
After accessing the URL, it gave the error code below.
Since the developer may have removed the S3 bucket, I was able to find this link when I searched for information on how to take control of this subdomain.
I followed the below steps to claim the s3 bucket.
- Go to S3 panel
- Click Create Bucket
- Set Bucket name to source domain name (i.e., the domain you want to take over)
- Click Next multiple times to finish
- Open the created bucket
- Click Upload
- Select the file which will be used for PoC (HTML or TXT file). I recommend naming it differently than index.html; you can use poc (without extension)
- In Permissions tab select Grant public read access to this object(s)
- After upload, select the file and click More -> Change metadata
- Click Add metadata, select Content-Type and value should reflect the type of document. If HTML, choose text/html, etc.
- (Optional) If the bucket was configured as a website:
  - Switch to Properties tab
  - Click Static website hosting
  - Select Use this bucket to host a website
  - As an index, choose the file that you uploaded
  - Click Save.
By following the above steps, I was successfully able to take over the S3 bucket.
I submitted this issue to the program, and hurray, I received a bounty for reporting it.
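From the defender's side, the root cause here is a JS file that still pointed at a bucket name the organization no longer owned. The following is an added example, not part of the original writeup: a check that extracts S3 bucket names from front-end assets (virtual-hosted, path-style and website-endpoint URLs) and flags any that are not in your own bucket inventory. The file names, bucket names and the owned set are constructed sample data.

```python
import re

# Bucket names are 3-63 characters of lowercase letters, digits, dots and hyphens.
_B = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
_PATTERNS = [
    # Virtual-hosted style and website endpoints: <bucket>.s3[.-]<...>.amazonaws.com
    re.compile(rf"(?<![a-z0-9.-])({_B})\.s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com", re.I),
    # Path style: s3[.-]<region>.amazonaws.com/<bucket>/...
    re.compile(rf"(?<![a-z0-9.-])s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com/({_B})(?![a-z0-9.-])", re.I),
]

def bucket_refs(text):
    """Return the set of S3 bucket names referenced anywhere in text."""
    found = set()
    for pat in _PATTERNS:
        found.update(m.group(1).lower() for m in pat.finditer(text))
    return found

def audit(assets, owned):
    """Map each referenced bucket that is NOT in `owned` to the assets naming it."""
    dangling = {}
    for name, body in assets.items():
        for bucket in bucket_refs(body) - owned:
            dangling.setdefault(bucket, []).append(name)
    return {b: sorted(files) for b, files in sorted(dangling.items())}

# Constructed sample input: file names, bucket names and URLs are made up.
SAMPLE_ASSETS = {
    "app.js": 'const CDN="https://acme-static-prod.s3.amazonaws.com/img/";'
              'fetch("https://s3.eu-west-1.amazonaws.com/acme-old-uploads/cfg.json");',
    "index.html": '<script src="//acme-legacy-site.s3-website-us-east-1.amazonaws.com/x.js"></script>',
}
# In practice this set comes from your account inventory (e.g. `aws s3api list-buckets`).
OWNED = {"acme-static-prod"}

if __name__ == "__main__":
    for bucket, files in audit(SAMPLE_ASSETS, OWNED).items():
        print(f"UNOWNED bucket reference: {bucket} in {', '.join(files)}")
```

Run as a build or deploy check, any hit means a reference should be removed or the bucket name re-created in your own account before the bucket is deleted.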
So, that's it for now. Thanks for reading, and I appreciate you taking the time to read. For other such writeups do visit the writeups.