added details
This commit is contained in:
parent
ac79ddaae5
commit
1ce5afd912
|
@ -531,6 +531,11 @@ default.
|
||||||
1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
|
1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
|
||||||
2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
|
2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
|
||||||
|
|
||||||
|
Every bucket that was created before November 2018 has a default public access
|
||||||
|
permissions. Since November 2018 public access is blocked by default.
|
||||||
|
|
||||||
|
A typical attack includes modifying files on a bucket another service is using.
|
||||||
|
|
||||||
#### S3 Policies
|
#### S3 Policies
|
||||||
|
|
||||||
Useful permissions to an attack, set through a policy, are `s3:GetObject` and `s3:PutObject`.
|
Useful permissions to an attack, set through a policy, are `s3:GetObject` and `s3:PutObject`.
|
||||||
|
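Review bot: The added sentence "Every bucket that was created before November 2018 has a default public access permissions" states a security-relevant default without a source and is ungrammatical ("a ... permissions"). Link the AWS documentation that backs it, the way the two list items above link bucket policies and ACLs, and reword it, for example "had public access permitted by default". The added line "A typical attack includes modifying files on a bucket another service is using" would also sit better next to the `s3:PutObject` sentence under "S3 Policies", since that is the permission such a modification depends on.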
@ -592,6 +597,13 @@ or
|
||||||
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
|
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
|
||||||
```
|
```
|
||||||
|
|
||||||
|
#### Check Read Permissions of a bucket
|
||||||
|
|
||||||
|
Use the aws cli to store data from a bucket locally.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
aws s3 sync --no-sign-request s3://<bucket-name> .
|
||||||
|
|
||||||
#### Check Permissions of a bucket
|
#### Check Permissions of a bucket
|
||||||
|
|
||||||
Use a `PUT` method to see if the bucket may be writeable to upload a file via
|
Use a `PUT` method to see if the bucket may be writeable to upload a file via
|
||||||
|
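Review bot: The `sh` code fence opened above `aws s3 sync --no-sign-request s3://<bucket-name> .` is never closed in the added lines, so the context heading "#### Check Permissions of a bucket" that follows will render as part of the code block. Add the closing fence and a blank line after the command. With the new "Check Read Permissions of a bucket" heading in place, consider renaming the existing heading to "Check Write Permissions of a bucket", since its text covers the `PUT` test.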
@ -658,7 +670,6 @@ the resources behind the IP addresses.
|
||||||
```sh
|
```sh
|
||||||
drill assets.example.com
|
drill assets.example.com
|
||||||
drill <$IP_ADDRESS> -x
|
drill <$IP_ADDRESS> -x
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
How to find a potentially interesting CloudFront assets domain
|
How to find a potentially interesting CloudFront assets domain
|
||||||
|
@ -667,3 +678,47 @@ How to find a potentially interesting CloudFront assets domain
|
||||||
* Do some dorking with a search engine to list the content of a bucket behind an S3 subdomian
|
* Do some dorking with a search engine to list the content of a bucket behind an S3 subdomian
|
||||||
* Spider a website via wget or [Linkfinder](https://github.com/GerbenJavado/LinkFinder)
|
* Spider a website via wget or [Linkfinder](https://github.com/GerbenJavado/LinkFinder)
|
||||||
* Search for certificate details
|
* Search for certificate details
|
||||||
|
|
||||||
|
### EC2
|
||||||
|
|
||||||
|
Virtual machine service.
|
||||||
|
|
||||||
|
### Restore an Amazon Machine Image
|
||||||
|
|
||||||
|
An EC2 VM can be created from an Amazon Machine Image,
|
||||||
|
that can be found in some S3 buckets.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
aws ec2 create-restore-image-task --object-key <AmiImageNameInsideTheBucket> --bucket <bucketname> --name <nameForEC2>
|
||||||
|
```
|
||||||
|
|
||||||
|
An `ImageId` will be returned. This `imageId` is needed to create the image later.
|
||||||
|
|
||||||
|
Create a keypair to connect to the created VM via SSH. the keypair is set for
|
||||||
|
EC2 instances by aws cli automatically.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
aws ec2 create-key-pair --key-name <key-name> --query "KeyMaterial" --output text > ./mykeys.pem
|
||||||
|
```
|
||||||
|
|
||||||
|
A subnet for the the creation of the ec2 is needed, pick one via aws cli.
|
||||||
|
|
||||||
|
```sh
|
||||||
|
aws ec2 describe-subnets
|
||||||
|
```
|
||||||
|
|
||||||
|
Further, a security group with SSH access is needed
|
||||||
|
|
||||||
|
```sh
|
||||||
|
aws ec2 describe-security-groups
|
||||||
|
```
|
||||||
|
|
||||||
|
Create an image including the found information
|
||||||
|
|
||||||
|
```sh
|
||||||
|
aws ec2 run-instances --image-id <ImageIdOfGeneratedAMI> --instance-type t3a.micro --key-name <keyname> --subnet-id <subnetId> --security-group-id <securityGroupId>
|
||||||
|
```
|
||||||
|
|
||||||
|
Take a look at the EC2 dashboard inside the webconsole to see the IP address of the created EC2 instance. Connect to the VM via SSH, using the generated keypair.
|
||||||
|
|
||||||
|
|
||||||
|
|
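Review bot: The text around `aws ec2 run-instances` says "Create an image including the found information", and the earlier sentence says the id "is needed to create the image later", but the command launches an instance from the restored image. Change both to "instance" so the steps match the commands. In the same hunk, "### Restore an Amazon Machine Image" is at the same heading level as "### EC2" and should be `####`, as "#### S3 Policies" is under the S3 part. `ImageId` and `imageId` should use one spelling. "the the creation" and the lower-case "the keypair is set" after the full stop need fixing. The `mykeys.pem` step should mention restricting the file's permissions before it is used with SSH.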