#5. Bug Bounty Series: $$$ by AWS S3 Bucket misconfigurations

Cyb3r M!nds
Sep 17, 2024

Hello guys 👋 In this writeup, I'm going to explain how I was able to take control of the target website's S3 bucket. So, without any further delay, let's dive into the topic.

What is Amazon S3 Bucket?

S3 stands for Simple Storage Service, and it is AWS's cloud storage service. S3 provides the ability to store, retrieve, access, and back up any amount of data at any time and place. S3 is object-based storage, which means that all data is stored as objects.

What is S3 bucket takeover?

The AWS S3 Bucket Takeover is a powerful attack that targets misconfigured buckets on Amazon's cloud storage service. This attack allows attackers to access any private storage area belonging to an organization, access the data inside it, and take complete control of the bucket.

Impacts of S3 bucket takeover

Threat actors can use compromised AWS S3 Buckets in various malicious activities, such as:

  • Conducting phishing attacks by creating fake websites
  • Adding malware files to the compromised bucket can lead to supply chain attacks and similar threats
  • Redirecting URLs to malicious sites or applications, which can compromise the organization's virtual environments

So, coming to the point, the target is *.example.com. I will explain the methods I used to get the S3 bucket.

Recon process:

  • First, I enumerated the subdomains for the *.target.com target using the Subfinder and Findomain tools.

    subfinder -d target.com | httpx > target.txt

    findomain -t target.com | httpx > targetfind.txt

  • After collecting and sorting the unique subdomains, I checked the status/live of the application using the httpx tool.

    cat alldomains.txt | httpx -sc --title

I then began manually testing the juicy subdomains. When I was inspecting the page source of the website, I discovered a URL in a JS file from one of the subdomains that contained the S3 bucket name and other information. So I accessed the URL.

After accessing the URL it was giving the below error code.

Since the developer may have removed the S3 bucket, I was able to find this link when I searched for information on how to take control of this subdomain.

I followed the below steps to claim the s3 bucket.

  1. Go to S3 panel
  2. Click Create Bucket
  3. Set Bucket name to source domain name (i.e., the domain you want to take over)
  4. Click Next multiple times to finish
  5. Open the created bucket
  6. Click Upload
  7. Select the file which will be used for PoC (HTML or TXT file). I recommend naming it differently than index.html; you can use poc (without extension)
  8. In Permissions tab select Grant public read access to this object(s)
  9. After upload, select the file and click More -> Change metadata
  10. Click Add metadata, select Content-Type and value should reflect the type of document. If HTML, choose text/html, etc.
  11. (Optional) If the bucket was configured as a website
  12. Switch to Properties tab
  13. Click Static website hosting
  14. Select Use this bucket to host a website
  15. As an index, choose the file that you uploaded
  16. Click Save.

By following the above steps, I was able to successfully take over the S3 bucket.

I submitted this issue to the program, and hurray, I received a bounty for reporting it.
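From the defender's side, the root cause in this writeup is a JS file that still pointed at a bucket that no longer existed. The following is an added example, not code from the original post: it extracts S3 bucket names from asset source and flags any that are missing from the account's own bucket inventory. The sample assets, bucket names and inventory are constructed, and the function names are hypothetical.

```python
import re

# Optional region part after "s3": ".us-east-1", "-us-west-2", ".dualstack.us-east-1"
_REGION = r"(?:[.-][a-z0-9-]+){0,2}"
_NAME = r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"      # bucket names are 3-63 chars
# Virtual-hosted and website endpoints: <bucket>.s3[-website][region].amazonaws.com
_VHOST = re.compile(r"(?<![a-z0-9.-])" + _NAME + r"\.s3(?:-website)?" + _REGION
                    + r"\.amazonaws\.com", re.IGNORECASE)
# Path-style endpoints: s3[region].amazonaws.com/<bucket>/...
_PATH = re.compile(r"(?<![a-z0-9.-])s3" + _REGION + r"\.amazonaws\.com/" + _NAME,
                   re.IGNORECASE)


def referenced_buckets(source: str) -> set[str]:
    """Return every S3 bucket name referenced in a blob of JS/HTML source."""
    names = {m.group(1).lower() for m in _VHOST.finditer(source)}
    names |= {m.group(1).lower() for m in _PATH.finditer(source)}
    return names


def dangling_references(assets: dict[str, str], owned: set[str]) -> dict[str, list[str]]:
    """Map each referenced bucket that is NOT in `owned` to the files that use it."""
    findings: dict[str, list[str]] = {}
    for path, source in assets.items():
        for bucket in referenced_buckets(source) - owned:
            findings.setdefault(bucket, []).append(path)
    return {bucket: sorted(paths) for bucket, paths in sorted(findings.items())}


# Constructed sample input: two JS files from a hypothetical web root.
SAMPLE_ASSETS = {
    "static/js/app.js":
        'const CDN = "https://acme-static-prod.s3.amazonaws.com/img/";\n'
        'fetch("https://acme-old-uploads.s3.us-east-1.amazonaws.com/cfg.json");',
    "static/js/legacy.js":
        'var base = "//s3-eu-west-1.amazonaws.com/acme-old-uploads/v1/";\n'
        'var site = "http://acme-promo-2019.s3-website-us-east-1.amazonaws.com";',
}
# Constructed inventory; in practice, the names returned by `aws s3api list-buckets`.
OWNED_BUCKETS = {"acme-static-prod"}

if __name__ == "__main__":
    for bucket, files in dangling_references(SAMPLE_ASSETS, OWNED_BUCKETS).items():
        print(f"unowned bucket referenced: {bucket} <- {', '.join(files)}")
```

Every bucket this reports should either have its reference removed from the asset or be kept registered in the organization's own account.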

So, that's it for now, and thanks for reading; I appreciate you taking the time to read. For other such writeups, do visit the writeups.
