-
Notifications
You must be signed in to change notification settings - Fork 259
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
d9597eb
commit 5509686
Showing
1 changed file
with
39 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -167,6 +167,45 @@ s3-account-search arn:aws:iam::123456789012:role/s3_read s3://my-bucket/path/to/ | |
|
|
||
| This technique also works with API Gateway URLs, Lambda URLs, Data Exchange data sets and even to get the value of tags (if you know the tag key). You can find more information in the [**original research**](https://blog.plerion.com/conditional-love-for-aws-metadata-enumeration/) and the tool [**conditional-love**](https://github.com/plerionhq/conditional-love/) to automate this exploitation. | ||
|
|
||
| ### Confirming a bucket belongs to an AWS account | ||
|
|
||
| As explained in [**this blog post**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/)**, if you have permissions to list a bucket** it’s possible to confirm an accountID the bucket belongs to by sending a request like: | ||
|
|
||
| ```bash | ||
| curl -X GET "[bucketname].amazonaws.com/" \ | ||
| -H "x-amz-expected-bucket-owner: [correct-account-id]" | ||
|
|
||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">...</ListBucketResult> | ||
| ``` | ||
|
|
||
| If the error is an “Access Denied” it means that the account ID was wrong. | ||
|
|
||
| ### Used Emails as root account enumeration | ||
|
|
||
| As explained in [**this blog post**](https://blog.plerion.com/things-you-wish-you-didnt-need-to-know-about-s3/), it's possible to check if an email address is related to any AWS account by **trying to grant an email permissions** over a S3 bucket via ACLs. If this doesn't trigger an error, it means that the email is a root user of some AWS account: | ||
|
|
||
| ```python | ||
| s3_client.put_bucket_acl( | ||
| Bucket=bucket_name, | ||
| AccessControlPolicy={ | ||
| 'Grants': [ | ||
| { | ||
| 'Grantee': { | ||
| 'EmailAddress': '[email protected]', | ||
| 'Type': 'AmazonCustomerByEmail', | ||
| }, | ||
| 'Permission': 'READ' | ||
| }, | ||
| ], | ||
| 'Owner': { | ||
| 'DisplayName': 'Whatever', | ||
| 'ID': 'c3d78ab5093a9ab8a5184de715d409c2ab5a0e2da66f08c2f6cc5c0bdeadbeef' | ||
| } | ||
| } | ||
| ) | ||
| ``` | ||
|
|
||
| ## References | ||
|
|
||
| * [https://www.youtube.com/watch?v=8ZXRw4Ry3mQ](https://www.youtube.com/watch?v=8ZXRw4Ry3mQ) | ||
|
|
||