Misconfigured s3 bucket leads to Sensitive Data exposure(No super controls )


Amazon S3 (Simple Storage Service) is one of the most popular and widely used storage services. Many companies use S3 buckets to store assets such as user profile pictures, static resources, and anything else their business logic needs. However, if a bucket is not configured properly, or is unclaimed, an attacker can perform mischievous actions such as an S3 Bucket Takeover or an S3 Content Takeover.

Hi fellow hackers, this is Deepak Dhiman from India. In this article, I will talk about one of my recent encounters: a misconfigured S3 bucket that disclosed old server code along with the auth file users.htpasswd.

You can read more about Amazon S3 here.

The application I was testing had a medium-sized scope. The finding is related to one of the subsidiaries of the program. Let's call the subsidiary "target.com".

I started with subdomain enumeration and resolved the unique subdomains with the following command (subfinder, httpx and tee are all lowercase binaries, so the command works as written):

subfinder -d target.com | httpx | tee -a alive.txt

This gave me all the alive subdomains.

Then I opened every single alive domain in the browser; let's call one of them site.com.

After loading https://site.com, I appended /%C0 to the path, like this:

https://site.com/%C0

And I noticed that it gave me a Cloudflare error like this:

<Error>
<Code>InvalidURI</Code>
<Message>Couldn't parse the specified URI.</Message>
<URI>/%C0</URI>
</Error>

So I just appended .s3.amazonaws.com to the target domain:

https://target.com.s3.amazonaws.com/

And that gave me the bucket name. Sometimes it says "no such bucket"; in that case, what I do is run dig on the host:

$ dig site.com

That returns the CNAME record, i.e. the domain the host points to.

Then I was thinking about what to do with this, so I read this article.

But unluckily, on CRUD operations I got "access denied".

So here my CTF skills came into play: first check what I can actually do. I ran this:

aws s3 ls s3://target-bucketname

And in the response I found:

PRE Server/

After checking this prefix I found server.js and users.htpasswd. So I was able to read their old server code (the env one) together with the auth file users.htpasswd.
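What let an anonymous `aws s3 ls` succeed here is a bucket ACL or bucket policy that grants list/read to everyone. The Python below is an added example, not code from the original write-up: it is the check a bucket owner would run over the ACL grants and the policy document (the same shapes boto3's get_bucket_acl()['Grants'] and json.loads(get_bucket_policy()['Policy']) return), and the sample documents, bucket name and account id are constructed.

```python
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that expose listing or reading of the bucket contents to the principal
EXPOSING_ACTIONS = {"*", "s3:*", "s3:listbucket", "s3:getobject"}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _principal_is_public(p):
    """IAM treats Principal "*" or {"AWS": "*"} as anonymous/everyone."""
    if p == "*":
        return True
    return isinstance(p, dict) and "*" in _as_list(p.get("AWS", []))

def audit_bucket(acl_grants, policy_doc):
    """Return a list of findings describing public list/read access."""
    findings = []
    # A bucket-level READ grant to AllUsers is exactly what allows anonymous listing
    for g in acl_grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {g['Permission']} to {group}")
    for st in _as_list((policy_doc or {}).get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        exposed = actions & EXPOSING_ACTIONS
        if exposed and not st.get("Condition"):  # unconditional public allow
            findings.append(f"policy allows {sorted(exposed)} to everyone on {st.get('Resource')}")
    return findings

# Constructed samples: the misconfigured state, then the hardened state
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
]}
HARDENED_ACL = [SAMPLE_ACL[0]]  # owner only
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}
]}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY):
        print("FINDING:", finding)
```

Turning on S3 Block Public Access at the account level makes both the ACL grant and the wildcard policy statement ineffective; the audit still tells you which bucket was relying on them.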

Program: RDP

Bounty: $400

Follow me on

https://twitter.com/Virdoex_hunter

Thank you,

Hope you liked this (sorry for my bad English).

Written by

I am a bug hunter, son, brother and a helper.
