Hello Infosec people,
So what is an S3 bucket?
S3 (Simple Storage Service) is the object-storage service offered by AWS. A bucket is the named container in which you store objects such as images, videos, backups and logs.
A bucket can also host a static website.
Nowadays many companies on AWS keep customer data in S3. Access to a bucket is controlled by the bucket policy, the bucket and object ACLs, and the IAM policies attached to users and roles; a mistake in any of them is a disaster, for example granting ListBucket or GetObject to "Everyone" (anonymous) or to "Any authenticated AWS user" (which means any AWS account at all, not just the company's own).
IAM in AWS stands for Identity and Access Management. Through IAM policies and roles we can
set permissions and decide who can add, delete and read the data,
so developers need to set them very carefully.
Let's see, from a hacker's perspective, how one can find buckets and exploit them.
So, I was hunting on a private program on HackerOne (I can't disclose the name as per policy); let's call it taryet.com. First I enumerated all subdomains using Subfinder, which is written in Go by the Project Discovery team; they are legends.
Okay, back to the topic. After enumerating subdomains I checked every subdomain
manually, clicking every button and link on the page.
There is a Firefox extension called S3 Bucket List.
It captures every request your browser makes and
checks whether the request goes to S3; if it detects the S3 service it saves the bucket name in a list,
and you can check the bucket's permissions from there as well. But I prefer the manual method,
and you should not be lazy either.
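What the extension does can be done by hand on an exported request log. The script below is an added example, not code from the original post and not the S3 Bucket List extension's own code: it recognises the S3 hostname forms (virtual-hosted, path-style, regional and website endpoints) and falls back to the Server: AmazonS3 and x-amz-* response headers for buckets hidden behind a custom domain. The function names extract_s3 and harvest are my own, the request sample is constructed, and taryet.com is the post's placeholder target.

```python
"""Find S3 buckets in captured browser traffic.

Added example, not code from the original post and not the S3 Bucket List
extension's own code. It does by hand what the extension does: look at every
request the browser made and keep the ones that hit S3. The sample requests
below are constructed; taryet.com is the post's placeholder target.
"""
import re
from urllib.parse import urlsplit

# S3 hostnames: an optional bucket label (bucket names may contain dots),
# then "s3" or "s3-website", an optional region, then amazonaws.com.
# Matches bucket.s3.amazonaws.com, bucket.s3.eu-west-1.amazonaws.com,
# bucket.s3-website-us-east-1.amazonaws.com and the bare path-style
# endpoints s3.amazonaws.com / s3.<region>.amazonaws.com.
_S3_HOST = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.)?"
    r"s3(?P<website>-website)?(?:[.-](?P<region>[a-z0-9.-]+?))?"
    r"\.amazonaws\.com$"
)


def extract_s3(url, headers=None):
    """Return {bucket, region, style, host} if the request touched S3, else None.

    Falls back to response headers (Server: AmazonS3, any x-amz-* header) for
    buckets fronted by a custom domain or CDN, where the bucket name is not in
    the URL and has to be looked up by hand.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""  # urlsplit lower-cases the hostname
    hdrs = {k.lower(): v for k, v in (headers or {}).items()}

    m = _S3_HOST.match(host)
    if m:
        bucket, region = m.group("bucket"), m.group("region")
        style = "website" if m.group("website") else "virtual-hosted"
        if bucket is None:
            # Path style: https://s3.<region>.amazonaws.com/<bucket>/<key>
            bucket = parts.path.lstrip("/").split("/", 1)[0]
            if not bucket:
                return None  # bare endpoint with no bucket in the path
            style = "path"
        return {"bucket": bucket, "region": region, "style": style, "host": host}

    if hdrs.get("server", "").lower() == "amazons3" or any(k.startswith("x-amz-") for k in hdrs):
        return {"bucket": None, "region": None, "style": "custom-domain", "host": host}
    return None


def harvest(records):
    """records: iterable of (url, response_headers). Returns (bucket names,
    hosts that look like S3 behind a custom domain), both sorted and deduplicated."""
    buckets, suspects = set(), set()
    for url, headers in records:
        hit = extract_s3(url, headers)
        if hit is None:
            continue
        if hit["bucket"]:
            buckets.add(hit["bucket"])
        else:
            suspects.add(hit["host"])
    return sorted(buckets), sorted(suspects)


# Constructed sample of what a browsing session against the placeholder
# target might produce; not captured from any real site.
SAMPLE_REQUESTS = [
    ("https://assets-taryet.s3.amazonaws.com/img/logo.png", {"Server": "AmazonS3"}),
    ("https://s3.eu-west-1.amazonaws.com/taryet-uploads/2021/report.pdf", {}),
    ("http://www.taryet.com.s3-website-us-east-1.amazonaws.com/index.html", {}),
    ("https://cdn.taryet.com/js/app.js", {"Server": "AmazonS3", "x-amz-request-id": "EXAMPLE0000000001"}),
    ("https://www.taryet.com/api/login", {"Server": "nginx"}),
    ("https://s3.amazonaws.com/", {}),
]

if __name__ == "__main__":
    found, maybe = harvest(SAMPLE_REQUESTS)
    print("buckets:", found)
    print("check manually:", maybe)
```

Feed it the (url, headers) pairs from a proxy or HAR export; the "check manually" hosts are the ones where only the headers give S3 away, so the bucket name (and whether the host is a CNAME straight to a bucket) still has to be confirmed by hand.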
After many clicks and checking every function, I got a bucket name.
I fired up my terminal. Before going to the exploitation part you have to configure
AWS keys on your machine:
sudo apt-get install awscli   (or: pip3 install awscli)
$ aws configure
AWS Access Key ID: MYACCESSKEY
AWS Secret Access Key: MYSECRETKEY
Default region name [us-west-2]: us-west-2
Default output format [None]: json
You generate these keys in the IAM section of your own AWS console; they do not need to belong to the target. The reason for configuring them is that a bucket can be misconfigured to grant access to "Any authenticated AWS user", which is any AWS account at all, so requests signed with your own keys are a valid test. To test fully anonymous access as well, run the same commands with the --no-sign-request flag.
Exploitation Part
So the bucket URL looks like this:
https://bucket_name.s3.amazonaws.com
First check whether we can upload and delete files in the bucket.
Open your terminal and try these commands (use a harmless test file and delete only the object you uploaded yourself, never the target's own data):
aws s3 cp payload.txt s3://bucket_name/ # upload a file to the bucket
aws s3 rm s3://bucket_name/payload.txt # delete the file we uploaded from the bucket (note: "aws s3 mv data.txt s3://bucket_name" would upload data.txt and delete the local copy; it does not delete anything in the bucket)
In my case both were secured.
After that I checked every folder in the bucket by listing it:
aws s3 ls s3://bucket_name/folder_name/
My reaction was: oh my God, so much data!
I downloaded every sensitive file it contained, for the POC:
aws s3 cp s3://bucket_name/folder/file.txt ./ # download a file
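The four checks above (write, delete, list, read) are what you want to run against every bucket you find, once unsigned and once with your own keys, without touching the target's data. The script below is an added example, not the author's script and not AWS tooling; it uses the boto3 calls behind those aws-cli commands, deletes only the object it uploaded itself, and proves read access by fetching a single byte of one object instead of downloading everything. The names probe, StubS3, PROBE_KEY and real_clients are my own; StubS3 is a constructed stand-in for a real client so the logic runs offline, and a live run assumes boto3 is installed and aws configure has been done.

```python
"""Triage what an S3 bucket lets a principal do: list, read, write, delete.

Added example, not the author's script and not AWS tooling. It runs the same
four checks as the aws-cli commands in the post, twice: once unsigned (what
"Everyone" gets) and once with whatever `aws configure` set up (what "Any
authenticated AWS user" gets). It only ever deletes the object it uploaded
itself, and reads one byte of the first key rather than pulling data.
The probe accepts any object with the four boto3 client methods, so the
constructed StubS3 below exercises it offline; the live run needs boto3.
"""
import sys

try:
    from botocore.exceptions import ClientError
except ImportError:  # boto3/botocore absent: keep the offline stub run working
    class ClientError(Exception):  # same (error_response, operation_name) shape as botocore's
        def __init__(self, error_response, operation_name):
            super().__init__(error_response, operation_name)
            self.response = error_response
            self.operation_name = operation_name

PROBE_KEY = "zz-bugbounty-probe-delete-me.txt"  # hypothetical marker object name

_OUTCOMES = {"AccessDenied": "denied", "NoSuchBucket": "no-such-bucket",
             "AllAccessDisabled": "disabled", "NoSuchKey": "no-such-key"}


def _outcome(call):
    """Run one S3 call and reduce it to allowed / denied / <error code>."""
    try:
        call()
        return "allowed"
    except ClientError as exc:
        code = exc.response.get("Error", {}).get("Code", "Unknown")
        return _OUTCOMES.get(code, "error:" + code)


def probe(s3, bucket):
    """Return {'list', 'read', 'write', 'delete'} outcomes for one client."""
    out = {"read": "skipped", "delete": "skipped"}
    first_key = None

    def do_list():
        nonlocal first_key
        resp = s3.list_objects_v2(Bucket=bucket, MaxKeys=1)
        first_key = (resp.get("Contents") or [{}])[0].get("Key")

    out["list"] = _outcome(do_list)
    if out["list"] == "allowed":
        # Read proof: one byte of one object, not a bulk download.
        out["read"] = (_outcome(lambda: s3.get_object(Bucket=bucket, Key=first_key, Range="bytes=0-0"))
                       if first_key else "empty")
    out["write"] = _outcome(lambda: s3.put_object(Bucket=bucket, Key=PROBE_KEY, Body=b"probe"))
    if out["write"] == "allowed":
        # Clean up our own object only; this doubles as the delete-permission check.
        out["delete"] = _outcome(lambda: s3.delete_object(Bucket=bucket, Key=PROBE_KEY))
    return out


class StubS3:
    """Constructed stand-in for boto3's S3 client: public listing and reads,
    writes denied, the shape the post describes. Not a real bucket."""

    def __init__(self, keys, can_list=True, can_read=True, can_write=False):
        self.keys, self.can_list, self.can_read, self.can_write = list(keys), can_list, can_read, can_write

    @staticmethod
    def _deny(op):
        raise ClientError({"Error": {"Code": "AccessDenied", "Message": "Access Denied"}}, op)

    def list_objects_v2(self, Bucket, MaxKeys=1000, **_):
        if not self.can_list:
            self._deny("ListObjectsV2")
        return {"Contents": [{"Key": k} for k in self.keys[:MaxKeys]]}

    def get_object(self, Bucket, Key, **_):
        if not self.can_read or Key not in self.keys:
            self._deny("GetObject")
        return {"Body": b"x"}

    def put_object(self, Bucket, Key, Body, **_):
        if not self.can_write:
            self._deny("PutObject")
        self.keys.append(Key)
        return {}

    def delete_object(self, Bucket, Key, **_):
        if not self.can_write:
            self._deny("DeleteObject")
        self.keys.remove(Key)
        return {}


def real_clients(region="us-east-1"):
    """Unsigned and signed boto3 clients; requires boto3 and `aws configure`."""
    import boto3
    from botocore import UNSIGNED
    from botocore.config import Config
    return {"anonymous": boto3.client("s3", region_name=region, config=Config(signature_version=UNSIGNED)),
            "authenticated": boto3.client("s3", region_name=region)}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python triage.py <bucket_name>  (live run)
        for who, client in real_clients().items():
            print(who, probe(client, sys.argv[1]))
    else:                   # offline demo on the constructed stub
        print("stub", probe(StubS3(["folder/file.txt"]), "bucket_name"))
```

On a live run pass the bucket's region to real_clients when you know it (the endpoint in the URL or the x-amz-bucket-region response header gives it away), and treat "allowed" for write or delete as the highest-severity finding: it is the difference between a data leak and an attacker serving their own files from the target's bucket.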
Yay, I was awarded $100.
I know it's too low for a high-severity bug, but what can you expect from an Indian company.
Happy Hacking,