Playing With S3 Part 2

-

     S3 Bucket Enumeration Via Response
 

Hi Hackers,

In this article, I will be talking about one of my recent find on a program triaged as critical.Target "redacted.com" was a large scope and was using amazon web services.

You can find previous article on s3 bucket enumeration here

 

After enumerating subdomains using subfinder, I randomly visited all subdomains and my burpsuite was running in background. After sometime i just visited my burpsuite's HTTP history tab where i can list of all of the requests that i have made and the responses received.

 

Here i went to BURP tab > search and searched keyword 

 

"amazonaws.com" 



Here you can see one of the s3 bucket using by redacted.com was leaking in response.

Just copied this URL and paste it in browser.

 

Eg: http://bucket.s3.amazonaws.com/attachment.jpg

 

The s3 bucket was Open to public and was leaking user attachments, bills, identity cards, etc..

Now i need to check for another privileges like uploading a file / removing a file.

But access was denied.


So i directly reported to the company 

Triaged as critical.

Rewarded $$$$$ INR. (Indian rupees).

 

Follow me on twitter: https://twitter.com/r0074g3n7

You Can Buy Me A Coffee via : https://www.buymeacoffee.com/error4004


 


 


Comments

Post a Comment

Popular posts from this blog

Playing With s3 Leaks

-
Image
Hi Everyone, My name is Aswin Thambi Panikulangara (R0074G3N7). In this writeup, I will be sharing my technique of enumerating s3 buckets, finding misconfigurations, and recent bug I found in a public program(P1). Tools :  Subfinder ,  Ffuf ,  waybackurls *.redacted.com is in scope. As usual, I started with subdomain enumeration, for subdomain enumeration I usually use  subfinder. subfinder -d redacted.com > subdomains.txt Now I used f fuf  for Fuzzing and enumerating s3 buckets. ffuf -u  http://FUZZ.s3.amazonaws.com  -w subdomains.txt After fuzzing got 5 buckets. Four of them were denied access and one was open. Bucket was like  : sub.redacted.com.s3.amazonaws.com So I need to confirm this bucket belongs to redacted.com. I used waybackurls this time. cat subdomains.txt | waybackurls | grep s3.amazonaws After seeing this just tried to list the bucket. aws s3 ls s3://sub.redacted.com Bucket listed successfully!!! It was leaking tons of private pictures of users where anyone can acces
Read more

Hunting on memcached servers: Dumping data

-
Image
What is a Memcached server? Memcached servers are used to store and retrieve data in the form of key-value pairs. When client requests for data from server, its checks for the data stored in the cache. If the data is available, it is loaded into the memory. If the data is not present, the server fetches it from the backend storage and stores it in its cache for future requests. So, it is used to speedup the web application by reducing the database load. LETS DISCUSS! Today we will be discussing on my recent bounty i got for key dumping from an open memcached server. I got an ip from censys search which is targets ip. So as an initial recon i used nmap for scanning the ip. nmap IPADDRESS -Pn from initial scan i was able to find a port 11211 which is Memcached!! So i started pentesting on the server to retrieve data if it has no authentication. For confirmation i tried to connect the Memcached server via Telnet. telnet IPADDRESS 11211 Wow! I was able to connect to the server without a
Read more