S3 bucket misconfiguration: an easy way to find it!

Recently I have been doing my hunting on responsible disclosure programs. Some programs have bugs which are easy to find, but some are hard. So here is the start of my hunting: I found a good program which had so many juicy things for finding bugs. For finding responsible disclosure programs by Google dorking I used:

inurl:responsible disclosure reward

There are some other ways to find this, but I mainly used this one. The program was, let's say, “redacted.com”. I didn’t find anything like subdomain takeover or any low-hanging bugs. I am a noob, so I really don't know how to find critical bugs. But I read some reports and articles on S3 buckets, and there are many tools to find S3 buckets.

These are some tools, but I personally use lazys3.

So let's start the hunting:

1. Finding the S3 bucket

2. This will give you the bucket as well as a response to it

As you can see, the output shows the bucket name and a response of 200, which means this bucket can be taken over. There can be other responses, such as 404, etc.

After you find the bucket, just use the name which is displayed on the terminal followed by s3.amazonaws.com

That is, “redacted.s3.amazonaws.com”, which will give you an output like the one shown below

3. If the bucket has the “Static website hosting” property enabled, it provides access to static HTML pages via the URL given below

http://[bucketname].s3-website-[region].amazonaws.com/

4. To interact with the S3 bucket, that is, to add or delete its contents, you can use a tool known as awscli

5. For installation just follow the steps :

After installing it, to confirm that the tool is successfully installed you can use

6. After doing this you should make an AWS account. For this you should sign up here

7. Getting the access-key

After signing in, go to https://console.aws.amazon.com/iam/ and go to Users

You will see the above image

Add a new user to it:

Now download the CSV file, which will open in Microsoft Excel, and you will get the keys

8. Configure your AWS CLI

For that go to your terminal and type

Note: Here, Default region name and Default output format can be left empty if you want

Now you are all set and good to go

9. Seeing the contents of the S3 bucket

If you get this error, don’t worry; you should run this command

This will give you the contents of the S3 bucket

Now there are a few operations which can be performed on this. I didn’t do it as it was harming the website, so I just gave them this screenshot

I will list some of the commands which can be used to delete or move the contents of the S3 bucket:

Read File: aws s3 ls s3://[bucketname] --no-sign-request

Move File: aws s3 mv yourfile s3://[bucketname]/test-file.txt --no-sign-request

Copy Files: aws s3 cp yourfile s3://[bucketname]/test-file.svg --no-sign-request

Delete Files: aws s3 rm s3://[bucketname]/test-file.svg --no-sign-request
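From the bucket owner's side, the `--no-sign-request` commands above only succeed when the bucket's ACL or policy grants access to everyone. The following is an added example, not part of the original post: it takes a bucket ACL shaped like the output of `aws s3api get-bucket-acl` and a parsed bucket policy document, and reports which of those operations are open anonymously. The function names, the operation labels and the sample data are assumptions made for illustration.

```python
import fnmatch

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
# Bucket ACL permission -> anonymous operations it opens up.
ACL_EFFECT = {"READ": {"list"}, "WRITE": {"write", "delete"},
              "FULL_CONTROL": {"list", "write", "delete"}}
# Policy actions behind the commands listed in the post.
POLICY_ACTIONS = {
    "s3:ListBucket": "list",      # aws s3 ls
    "s3:PutObject": "write",      # aws s3 cp / mv (upload)
    "s3:DeleteObject": "delete",  # aws s3 rm
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_access(acl, policy=None):
    """Return the operations ('list', 'write', 'delete') open to anyone."""
    found = set()
    for grant in acl.get("Grants", []):
        if grant.get("Grantee", {}).get("URI") == ALL_USERS:
            found |= ACL_EFFECT.get(grant.get("Permission"), set())
    for stmt in _as_list((policy or {}).get("Statement", [])):
        # Simplification (assumption): a statement with a Condition is not counted as public.
        if (stmt.get("Effect") != "Allow" or "Condition" in stmt
                or not _is_anonymous(stmt.get("Principal"))):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action, op in POLICY_ACTIONS.items():
                # Policy actions may contain wildcards and are case-insensitive.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    found.add(op)
    return found

# Constructed sample input (placeholder IDs and bucket name).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:Put*", "Resource": "arn:aws:s3:::example-bucket/*"},
]}

if __name__ == "__main__":
    print(sorted(anonymous_access(SAMPLE_ACL, SAMPLE_POLICY)))
```

An empty result means neither the ACL nor the policy opens these operations to anonymous callers; enabling S3 Block Public Access on the bucket or account overrides public grants like the ones in the sample.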

So here is the end of the hunting. I hope you understood what I have mentioned. You can DM me on my social media account:

https://twitter.com/noobie_07