.png)
1 month ago
27 BOOK THIS SPACE FOR AD
ARTICLE AD
Greetings, fellow cybersecurity enthusiasts!
I’m Jai, aka Hadoc. I’m back with another interesting story!.In this blog post, I’ll explain how I discovered a valid bug on YesWeHack using reconnaissance techniques.
“Success hits different when nobody believed in you!
You believe yourself and keep working!”
A year ago, when I opened my YesWeHack account and completed the KYC process, it was quite a hassle. YesWeHack seemed like a big headache, and eventually, I forgot all about it. However, one day, out of the blue, I received an email notification from YesWeHack. Intrigued, I opened the email and discovered a private invitation for participation in their bug bounty program.
Understanding S3 Buckets
let’s familiarize ourselves with S3 buckets. An Amazon S3 bucket serves as a public cloud storage resource within the Amazon Web Services (AWS) ecosystem. It offers object-based storage, where data is stored in distinct units called objects, providing a flexible and scalable storage solution.
Initial Phase: To kickstart my reconnaissance efforts, I relied on a powerful tool called CloudEnum. This tool is specifically designed for Enumerate public resources in AWS, Azure, and Google Cloud.
You can find CloudEnum on GitHub at the following link:
https://github.com/initstring/cloud_enum
Usage: Using CloudEnum is straightforward. Simply execute the following command in your terminal:
python3 cloud_enum.py -k redacted -k redacted.comThis command instructs CloudEnum to search for S3 buckets associated with the specified keywords, “redacted” and “redacted.com”. By leveraging CloudEnum’s capabilities, I was able to efficiently identify potential S3 buckets linked to my target domain, facilitating further reconnaissance.
Bucket found
redacted.com.s3.amazonaws.com
I took a visit to the bucket in my browser and found that it was indeed an open bucket. Then, I proceeded to check the bucket’s read and write access using aws cli tool.
Note: Sometimes S3 buckets are not accessible in browsers but we can check the buckets in another way “aws-cli”
Install the AWS CLI on your system if you haven’t already. You can find installation instructions on the AWS documentation website or through your package manager.
Once installed, open your terminal or command prompt.
Type the following command and press Enter:
aws configure
You will be prompted to enter your AWS Access Key ID and Secret Access Key. You can obtain these credentials by creating an account on the AWS website and generating IAM (Identity and Access Management) user credentials with appropriate permissions.
After entering your Access Key ID and Secret Access Key, you will be prompted to specify an AWS region and output format. You can choose your preferred region and output format.
Once you’ve completed these steps, your AWS CLI will be configured, and you’ll be able to use AWS services, including checking S3 bucket permissions, directly from your terminal.
There are many commands available for aws-cli, but we mostly use only four commands.
Commands :
For viewing the objects in a bucket : aws s3 ls s3://bucketnameFor writing an object in a bucket : aws s3 cp file s3://bucketnameFor removing an objects from a bucket : aws s3 rm s3://bucketname/fileFor downloading an objects from a bucket : aws s3 sync s3://bucketnameJust started checking for writing an object into the bucket:
aws s3 cp bucket.svg s3://bucketnameFile uploaded successfully.
Then I tried removing an object from the bucket:
aws s3 rm s3://bucketname/fileAccess denied.
Subsequently, I visited the bucket to view my uploaded file, but encountered the message “Access Denied” once again. And yes, I truly despise this phrase.
After reading the AWS documentation, I learned that it’s possible to change the policy of a vulnerable bucket. So, I proceeded to use the following command to change the policy of my target to public.
Final Command :
aws s3 cp bucket.svg s3://bucketname - acl public-readAfter I entered this command I can able to view my uploaded file publicly
Booom,
After initiating the report and promptly submitting it to confirm the security issue, I received confirmation of the vulnerability within just two days. Subsequently, I was awarded the bounty.
Impact:
A poorly configured Amazon S3 bucket can have significant consequences, including data corruption, malware distribution, and even ransomware attacks. Attackers can exploit vulnerabilities using the AWS CLI to execute unauthorized actions and inject malicious code into files. Uploading such files to your bucket can result in severe impacts on your system and data integrity.
Stay tuned for next blog,
Follow me 😁
Bengali (Bangladesh) · 
English (United States) ·