added details
parent ac79ddaae5
commit 1ce5afd912
|
@ -531,6 +531,11 @@ default.
|
|||
1. [Bucket policies](https://docs.aws.amazon.com/AmazonS3/latest/userguide/bucket-policies.html)
|
||||
2. [S3 ACL](https://docs.aws.amazon.com/AmazonS3/latest/userguide/managing-acls.html)
|
||||
|
||||
Every bucket that was created before November 2018 has a default public access
|
||||
permissions. Since November 2018 public access is blocked by default.
|
||||
|
||||
A typical attack includes modifying files on a bucket another service is using.
|
||||
|
||||
#### S3 Policies
|
||||
|
||||
Useful permissions to an attack, set through a policy, are `s3:GetObject` and `s3:PutObject`.
|
||||
|
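Review bot: The sentence "Every bucket that was created before November 2018 has a default public access permissions", in the paragraph ahead of `#### S3 Policies`, makes an absolute claim with no source, while the two list items directly above it link to the AWS user guide. Link the AWS documentation for the November 2018 change and reword to match what that source says; the grammar also needs fixing ("a default public access permissions"). "A typical attack includes modifying files on a bucket another service is using" would read better if it named the permission involved, since `s3:PutObject` only appears in the following section.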
@ -592,6 +597,13 @@ or
|
|||
http://s3.amazonaws.com/BUCKETNAME/FILENAME.ext
|
||||
```
|
||||
|
||||
#### Check Read Permissions of a bucket
|
||||
|
||||
Use the aws cli to store data from a bucket locally.
|
||||
|
||||
```sh
|
||||
aws s3 sync --no-sign-request s3://<bucket-name> .
|
||||
|
||||
#### Check Permissions of a bucket
|
||||
|
||||
Use a `PUT` method to see if the bucket may be writeable to upload a file via
|
||||
|
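Review bot: The code block opened with "```sh" under `#### Check Read Permissions of a bucket` is never closed: the `aws s3 sync --no-sign-request s3://<bucket-name> .` line is followed by a blank line and then the `#### Check Permissions of a bucket` heading, so that heading and everything after it will render inside the code block. Add the closing fence after the `aws s3 sync` line. It would also help to say in the sentence above that `--no-sign-request` makes the request unauthenticated, because that is what turns the command into a check for anonymous read access, and to rename the second heading to "Check Write Permissions of a bucket" so the two headings are distinguishable.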
@ -658,7 +670,6 @@ the resources behind the IP addresses.
|
|||
```sh
|
||||
drill assets.example.com
|
||||
drill <$IP_ADDRESS> -x
|
||||
|
||||
```
|
||||
|
||||
How to find a potentially interesting CloudFront assets domain
|
||||
|
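Review bot: The placeholder in `drill <$IP_ADDRESS> -x` mixes two conventions, and pasted into a shell as written the `<` and `>` are parsed as redirections rather than as part of the argument. Since this hunk already tidies the block, use either `drill -x $IP_ADDRESS` or `drill -x <ip-address>`, matching the `<bucket-name>` style used in the S3 section.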
@ -667,3 +678,47 @@ How to find a potentially interesting CloudFront assets domain
|
|||
* Do some dorking with a search engine to list the content of a bucket behind an S3 subdomian
|
||||
* Spider a website via wget or [Linkfinder](https://github.com/GerbenJavado/LinkFinder)
|
||||
* Search for certificate details
|
||||
|
||||
### EC2
|
||||
|
||||
Virtual machine service.
|
||||
|
||||
### Restore an Amazon Machine Image
|
||||
|
||||
An EC2 VM can be created from an Amazon Machine Image,
|
||||
that can be found in some S3 buckets.
|
||||
|
||||
```sh
|
||||
aws ec2 create-restore-image-task --object-key <AmiImageNameInsideTheBucket> --bucket <bucketname> --name <nameForEC2>
|
||||
```
|
||||
|
||||
An `ImageId` will be returned. This `imageId` is needed to create the image later.
|
||||
|
||||
Create a keypair to connect to the created VM via SSH. the keypair is set for
|
||||
EC2 instances by aws cli automatically.
|
||||
|
||||
```sh
|
||||
aws ec2 create-key-pair --key-name <key-name> --query "KeyMaterial" --output text > ./mykeys.pem
|
||||
```
|
||||
|
||||
A subnet for the the creation of the ec2 is needed, pick one via aws cli.
|
||||
|
||||
```sh
|
||||
aws ec2 describe-subnets
|
||||
```
|
||||
|
||||
Further, a security group with SSH access is needed
|
||||
|
||||
```sh
|
||||
aws ec2 describe-security-groups
|
||||
```
|
||||
|
||||
Create an image including the found information
|
||||
|
||||
```sh
|
||||
aws ec2 run-instances --image-id <ImageIdOfGeneratedAMI> --instance-type t3a.micro --key-name <keyname> --subnet-id <subnetId> --security-group-id <securityGroupId>
|
||||
```
|
||||
|
||||
Take a look at the EC2 dashboard inside the webconsole to see the IP address of the created EC2 instance. Connect to the VM via SSH, using the generated keypair.
|
||||
|
||||
|
||||
|
|
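Review bot: The `aws ec2 run-instances` line passes `--security-group-id <securityGroupId>`, but the option that command accepts is `--security-group-ids` (plural), so the example fails as written. A few smaller points in the same section: `### Restore an Amazon Machine Image` sits at the same heading level as `### EC2` and should be `####` to nest under it like `#### S3 Policies` does under S3; "Create an image including the found information" and "needed to create the image later" should say "instance", since `run-instances` launches an instance from the image that already exists; `ImageId` and `imageId` should use one spelling; "the the creation" is a typo; and the key written to `./mykeys.pem` needs `chmod 400` before SSH will accept it, which is worth a line after `create-key-pair`. The sentence "the keypair is set for EC2 instances by aws cli automatically" is unclear next to the explicit `--key-name <keyname>` in the launch command; say which of the two the reader should rely on.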