AWS - S3, Athena & Glacier Enum

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

S3

Amazon S3 is a service that lets you store large amounts of data.

Amazon S3 provides several options to protect data at rest: permissions (policies), encryption (client side and server side), bucket versioning and MFA-based delete. The user can enable any of these options to protect the data. Data replication is an internal AWS facility: S3 automatically replicates each object across all the Availability Zones of the region, and the organization does not need to enable it.

With resource-based permissions you can define permissions for sub-directories of your bucket separately.

Bucket Versioning and MFA based delete

When Bucket Versioning is enabled, any action that tries to modify a file inside the bucket creates a new version of that file while keeping the previous content as well. Therefore, the content is never overwritten.

Moreover, MFA-based delete prevents versions of files in the S3 bucket from being deleted and also prevents Bucket Versioning from being disabled, so an attacker who obtains write access cannot tamper with these files.

S3 Access logs

It is possible to enable S3 access logging (disabled by default) on a bucket and store the logs in a different bucket in order to know who is accessing the bucket (both buckets must be in the same region).

S3 Presigned URLs

It is possible to generate a presigned URL that can be used to access the specified file in a bucket. A presigned URL looks like this:

https://<bucket-name>.s3.us-east-1.amazonaws.com/asd.txt?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAUUE8GZC4S5L3TY3P%2F20230227%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230227T142551Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Security-Token=IQoJb3JpZ2luX2VjELf%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJHMEUCIBhQpdETJO3HKKDk2hjNIrPWwBE8gZaQccZFV3kCpPCWAiEAid3ueDtFFU%2FOQfUpvxYTGO%2BHoS4SWDMUrQAE0pIaB40qggMIYBAAGgwzMTgxNDIxMzg1NTMiDJLI5t7gr2EGxG1Y5CrfAioW0foHIQ074y4gvk0c%2B%2Fmqc7cNWb1njQslQkeePHkseJ3owzc%2FCwkgE0EuZTd4mw0aJciA2XIbJRCLPWTb%2FCBKPnIMJ5aBzIiA2ltsiUNQTTUxYmEgXZoJ6rFYgcodnmWW0Et4Xw59UlHnCDB2bLImxPprriyCzDDCD6nLyp3J8pFF1S8h3ZTJE7XguA8joMs4%2B2B1%2FeOZfuxXKyXPYSKQOOSbQiHUQc%2BFnOfwxleRL16prWk1t7TamvHR%2Bt3UgMn5QWzB3p8FgWwpJ6GjHLkYMJZ379tkimL1tJ7o%2BIod%2FMYrS7LDCifP9d%2FuYOhKWGhaakPuJKJh9fl%2B0vGl7kmApXigROxEWon6ms75laXebltsWwKcKuYca%2BUWu4jVJx%2BWUfI4ofoaGiCSaKALTqwu4QNBRT%2BMoK6h%2BQa7gN7JFGg322lkxRY53x27WMbUE4unn5EmI54T4dWt1%2Bg8ljDS%2BvKfBjqmAWRwuqyfwXa5YC3xxttOr3YVvR6%2BaXpzWtvNJQNnb6v0uI3%2BTtTexZkJpLQYqFcgZLQSxsXWSnf988qvASCIUhAzp2UnS1uqy7QjtD5T73zksYN2aesll7rvB80qIuujG6NOdHnRJ2M5%2FKXXNo1Yd15MtzPuSjRoSB9RSMon5jFu31OrQnA9eCUoawxbB0nHqwK8a43CKBZHhA8RoUAJW%2B48EuFsp3U%3D&X-Amz-Signature=3436e4139e84dbcf5e2e6086c0ebc92f4e1e9332b6fda24697bc339acbf2cdfa

A presigned URL can be created from the CLI using the credentials of a principal with access to the object (if the account you use does not have access, a shorter presigned URL is still generated, but it is useless):

aws s3 presign --region <bucket-region> 's3://<bucket-name>/<file-name>'

Note

The only permission needed to generate a presigned URL is the permission being granted through it, so for the previous command the only permission the principal needs is s3:GetObject.

It is also possible to create presigned URLs for other permissions:

import boto3
url = boto3.client('s3').generate_presigned_url(
    ClientMethod='put_object',
    Params={'Bucket': 'BUCKET_NAME', 'Key': 'OBJECT_KEY'},
    ExpiresIn=3600
)
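Presigned URLs regularly turn up in logs, tickets and repositories, and the query string alone tells a reviewer who signed, for how long and until when. The following Python (standard library only) is an added example, not code from HackTricks: it parses a SigV4 presigned URL shaped like the one above (the sample below is constructed, with placeholder key id, token and signature), derives the expiry from X-Amz-Date and X-Amz-Expires, and lists the points worth noting. The 7-day ceiling is the documented maximum validity of a presigned URL; the function names are my own. The signature itself cannot be verified without the signer's secret key, so the example does not attempt that.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample with the same shape as the URL shown above; the access key id,
# session token and signature are placeholders, not real values.
SAMPLE_URL = (
    "https://example-bucket.s3.us-east-1.amazonaws.com/reports/q1.txt"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=ASIAEXAMPLEKEYID%2F20230227%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20230227T142551Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host"
    "&X-Amz-Security-Token=PLACEHOLDERTOKEN&X-Amz-Signature=0000"
)

MAX_PRESIGN_TTL = 7 * 24 * 3600  # presigned URLs cannot be valid for more than 7 days


def parse_presigned_url(url: str) -> dict:
    """Break a SigV4 presigned S3 URL into the fields a reviewer cares about."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}  # parse_qs already URL-decodes
    path = u.path.lstrip("/")
    if u.netloc.startswith(("s3.", "s3-")):
        bucket, _, key = path.partition("/")          # path-style: s3.<region>.../<bucket>/<key>
    else:
        bucket, key = u.netloc.split(".s3", 1)[0], path  # virtual-hosted style: <bucket>.s3.<region>...
    access_key_id, _scope_date, region, service, _terminator = q["X-Amz-Credential"].split("/")
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    ttl = int(q["X-Amz-Expires"])
    return {
        "bucket": bucket,
        "key": key,
        "region": region,
        "service": service,
        "access_key_id": access_key_id,
        # ASIA... ids are temporary (STS) credentials and travel with a session token;
        # AKIA... ids are long-term IAM user keys.
        "credential_type": "temporary" if access_key_id.startswith("ASIA") else "long-term",
        "has_session_token": "X-Amz-Security-Token" in q,
        "signed_headers": q["X-Amz-SignedHeaders"].split(";"),
        "signed_at": signed_at,
        "ttl_seconds": ttl,
        "expires_at": signed_at + timedelta(seconds=ttl),
    }


def review_presigned_url(url: str, now_iso: str = None) -> list:
    """Findings a defender wants when such a URL shows up; now_iso is an ISO-8601
    timestamp with offset (e.g. 2023-02-27T15:00:00+00:00), default: current time."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    info = parse_presigned_url(url)
    findings = []
    if now >= info["expires_at"]:
        findings.append("expired")
    if info["ttl_seconds"] > MAX_PRESIGN_TTL:
        findings.append("ttl-exceeds-7-days")  # the service rejects it; a sign of a hand-built URL
    if info["credential_type"] == "long-term":
        # with a long-term key the URL stays usable until X-Amz-Expires, not until a session ends
        findings.append("signed-with-long-term-key")
    if info["credential_type"] == "temporary" and not info["has_session_token"]:
        findings.append("temporary-key-without-session-token")  # malformed, S3 will reject it
    return findings


if __name__ == "__main__":
    for field, value in parse_presigned_url(SAMPLE_URL).items():
        print(f"{field:18} {value}")
    print("findings:", review_presigned_url(SAMPLE_URL))
```

Run against a URL copied from a log line, the output shows at a glance which bucket and key were shared, with which kind of credential, and whether the link is still live; that is usually enough to decide whether a leaked URL still needs to be revoked (by rotating or deactivating the signing credential, since presigned URLs have no revocation of their own).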

S3 Encryption Mechanisms

DEK stands for Data Encryption Key and is the key that is generated each time and used to encrypt the data.

Server-side encryption with S3-managed keys, SSE-S3

This option requires minimal configuration and all management of the encryption keys is done by AWS. All you need to do is upload your data and S3 handles everything else. Each bucket in an S3 account is assigned a bucket key.

  • Encryption:
    • Object data + freshly created plaintext DEK -> encrypted data (stored inside S3)
    • Created plaintext DEK + S3 master key -> encrypted DEK (stored inside S3); the plaintext DEK is deleted from memory
  • Decryption:
    • Encrypted DEK + S3 master key -> plaintext DEK
    • Plaintext DEK + encrypted data -> object data

Please note that in this case the key is managed by AWS (rotation roughly every 3 years). If you use your own key you will be able to rotate it, disable it and apply access control to it.

Server-side encryption with KMS-managed keys, SSE-KMS

This method lets S3 use the key management service to generate your data encryption keys. KMS gives you far greater flexibility in how your keys are managed. For example, you can disable, rotate and apply access controls to the CMK, and audit its use with AWS CloudTrail.

  • Encryption:
    • S3 requests a data key from the KMS CMK
    • KMS uses the CMK to generate the pair of plaintext DEK and encrypted DEK and sends both to S3
    • S3 uses the plaintext key to encrypt the data, stores the encrypted data and the encrypted key, and deletes the plaintext key from memory
  • Decryption:
    • S3 asks KMS to decrypt the encrypted data key of the object
    • KMS decrypts the data key with the CMK and sends it back to S3
    • S3 decrypts the object data

Server-side encryption with customer-provided keys, SSE-C

This option lets you provide your own master key, which you may already be using outside of AWS. The customer-provided key is sent together with your data to S3, where S3 performs the encryption on your behalf.

  • Encryption:
    • The user sends the object data + customer key to S3
    • The customer key is used to encrypt the data and the encrypted data is stored
    • A salted HMAC value of the customer key is also stored for future key validation
    • The customer key is deleted from memory
  • Decryption:
    • The user sends the customer key
    • The key is validated against the stored HMAC value
    • The customer-provided key is then used to decrypt the data

Client-side encryption with KMS, CSE-KMS

Similarly to SSE-KMS, this also uses the key management service to generate your data encryption keys. This time, however, KMS is called by the client, not by S3. The encryption happens on the client side and the encrypted data is then sent to S3 to be stored.

  • Encryption:
    • The client requests a data key from KMS
    • KMS returns the plaintext DEK and the DEK encrypted with the CMK
    • Both keys are sent back to the client
    • The client then encrypts the data with the plaintext DEK and sends S3 the encrypted data + the encrypted DEK (which is saved as metadata of the encrypted object inside S3)
  • Decryption:
    • The encrypted data together with the encrypted DEK is sent to the client
    • The client asks KMS to decrypt the encrypted key using the CMK, and KMS sends back the plaintext DEK
    • The client can now decrypt the encrypted data

Client-side encryption with customer-provided keys, CSE-C

Using this mechanism, you use your own provided keys and an AWS SDK client to encrypt your data before sending it to S3 for storage.

  • Encryption:
    • The client generates a DEK and encrypts the plaintext data
    • Then, using its own custom CMK, it encrypts the DEK
    • It submits the encrypted data + encrypted DEK to S3, where they are stored
  • Decryption:
    • S3 sends the encrypted data and the encrypted DEK
    • As the client already has the CMK used to encrypt the DEK, it decrypts the DEK and then uses the plaintext DEK to decrypt the data
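All five flows above share one key hierarchy: a fresh DEK per object, a master key (S3 master key, KMS CMK or customer CMK) that only ever wraps the DEK, and, for SSE-C, a salted HMAC of the customer key kept solely to validate the key on later requests. The following Python (standard library only) is an added example, not HackTricks or AWS code, that runs that hierarchy end to end so the roles of the two keys are visible. The cipher is a toy HMAC-SHA256 keystream standing in for AES-256, and the record layout and function names are my own.

```python
import hashlib
import hmac
import os


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (NOT AES): HMAC-SHA256 keystream in counter mode XORed
    with the data, so encrypt and decrypt are the same operation. It exists only
    so the key hierarchy below can be exercised without extra libraries."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        keystream = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, keystream))
    return bytes(out)


def sse_encrypt(object_data: bytes, master_key: bytes) -> dict:
    """SSE-S3 / SSE-KMS pattern: a fresh DEK encrypts the object, the master key
    (S3 master key or KMS CMK) only wraps the DEK, and the plaintext DEK is
    discarded once the wrapped copy exists. CSE-KMS / CSE-C do the same client-side."""
    dek = os.urandom(32)
    data_nonce, dek_nonce = os.urandom(12), os.urandom(12)
    record = {
        "ciphertext": _xor_stream(dek, data_nonce, object_data),
        "data_nonce": data_nonce,
        "encrypted_dek": _xor_stream(master_key, dek_nonce, dek),  # stored beside the object
        "dek_nonce": dek_nonce,
    }
    del dek  # only the wrapped DEK persists
    return record


def sse_decrypt(record: dict, master_key: bytes) -> bytes:
    """Unwrap the DEK with the master key, then use the DEK on the data."""
    dek = _xor_stream(master_key, record["dek_nonce"], record["encrypted_dek"])
    return _xor_stream(dek, record["data_nonce"], record["ciphertext"])


def sse_c_encrypt(object_data: bytes, customer_key: bytes) -> dict:
    """SSE-C pattern: the caller supplies the key with the request; the store keeps
    the ciphertext plus a salted HMAC of the key, never the key itself."""
    salt, nonce = os.urandom(16), os.urandom(12)
    return {
        "ciphertext": _xor_stream(customer_key, nonce, object_data),
        "nonce": nonce,
        "salt": salt,
        "key_hmac": hmac.new(salt, customer_key, hashlib.sha256).digest(),
    }


def sse_c_decrypt(record: dict, customer_key: bytes) -> bytes:
    """Validate the supplied key against the stored HMAC before decrypting."""
    expected = hmac.new(record["salt"], customer_key, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["key_hmac"]):
        raise ValueError("customer key does not match the key used to encrypt this object")
    return _xor_stream(customer_key, record["nonce"], record["ciphertext"])


if __name__ == "__main__":
    master = os.urandom(32)  # stands in for the S3 master key / KMS CMK
    rec = sse_encrypt(b"constructed sample object", master)
    print(sse_decrypt(rec, master))
    ck = os.urandom(32)      # customer-provided key, never stored
    rec_c = sse_c_encrypt(b"constructed sample object", ck)
    print(sse_c_decrypt(rec_c, ck))
```

The point to take from running it: whoever holds a copy of the stored record (ciphertext plus wrapped DEK) still gets nothing without the master key, which is why access control and CloudTrail logging on the CMK matter more than on the bucket itself for SSE-KMS, and why for SSE-C a stolen bucket is useless without the customer key that was never written to S3.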

Enumeration

One of the traditional main ways of compromising AWS organizations starts with publicly accessible buckets. You can find public bucket enumerators on this page.

# Get buckets ACLs
aws s3api get-bucket-acl --bucket <bucket-name>
aws s3api get-object-acl --bucket <bucket-name> --key flag

# Get policy
aws s3api get-bucket-policy --bucket <bucket-name>
aws s3api get-bucket-policy-status --bucket <bucket-name> #if it's public

# list S3 buckets associated with a profile
aws s3 ls
aws s3api list-buckets

# list content of bucket (no creds)
aws s3 ls s3://bucket-name --no-sign-request
aws s3 ls s3://bucket-name --recursive --no-sign-request

# list content of bucket (with creds)
aws s3 ls s3://bucket-name
aws s3api list-objects-v2 --bucket <bucket-name>
aws s3api list-objects --bucket <bucket-name>
aws s3api list-object-versions --bucket <bucket-name>

# copy local folder to S3
aws s3 cp MyFolder s3://bucket-name --recursive

# delete
aws s3 rb s3://bucket-name --force

# download a whole S3 bucket
aws s3 sync s3://<bucket>/ .

# move S3 bucket to different location
aws s3 sync s3://oldbucket s3://newbucket --source-region us-west-1

# list the sizes of an S3 bucket and its contents
aws s3api list-objects --bucket BUCKETNAME --output json --query "[sum(Contents[].Size), length(Contents[])]"

# Update Bucket policy
aws s3api put-bucket-policy --policy file:///root/policy.json --bucket <bucket-name>
##JSON policy example
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1568184932403",
      "Action": [
        "s3:ListBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome",
      "Principal": "*"
    },
    {
      "Sid": "Stmt1568185007451",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::welcome/*",
      "Principal": "*"
    }
  ]
}

# Update bucket ACL
aws s3api get-bucket-acl --bucket <bucket-name> # Way 1 to get the ACL
aws s3api put-bucket-acl --bucket <bucket-name> --access-control-policy file://acl.json

aws s3api get-object-acl --bucket <bucket-name> --key flag #Way 2 to get the ACL
aws s3api put-object-acl --bucket <bucket-name> --key flag --access-control-policy file://objacl.json

##JSON ACL example
## Make sure to modify the Owner’s displayName and ID according to the Object ACL you retrieved.
{
  "Owner": {
    "DisplayName": "<DisplayName>",
    "ID": "<ID>"
  },
  "Grants": [
    {
      "Grantee": {
        "Type": "Group",
        "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
      },
      "Permission": "FULL_CONTROL"
    }
  ]
}
## An ACL should give you the permission WRITE_ACP to be able to put a new ACL
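Seen from the defending side, the interesting part of the get-bucket-policy and get-bucket-acl output above is whether any statement or grant opens the bucket to everyone. The following Python (standard library only) is an added example, not HackTricks code: it takes the bucket policy shown above and an ACL document with constructed owner values in place of the <DisplayName>/<ID> placeholders, and returns the Allow statements whose Principal is "*" (as a string or as {"AWS": "*"}) together with the grants to the AllUsers / AuthenticatedUsers groups. The function names are my own, and a Condition on a statement is reported rather than evaluated, since a condition such as aws:SourceVpc can narrow "anyone" considerably.

```python
import json

# Bucket policy exactly as shown above.
BUCKET_POLICY = json.loads("""
{
  "Id": "Policy1568185116930",
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Stmt1568184932403", "Action": ["s3:ListBucket"], "Effect": "Allow",
     "Resource": "arn:aws:s3:::welcome", "Principal": "*"},
    {"Sid": "Stmt1568185007451", "Action": ["s3:GetObject"], "Effect": "Allow",
     "Resource": "arn:aws:s3:::welcome/*", "Principal": "*"}
  ]
}
""")

# ACL from above with constructed owner values (placeholders, not a real account).
OBJECT_ACL = {
    "Owner": {"DisplayName": "example-owner", "ID": "0000000000000000000000000000000000000000000000000000000000000000"},
    "Grants": [
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "CanonicalUser", "ID": "0000000000000000000000000000000000000000000000000000000000000000"},
         "Permission": "FULL_CONTROL"},
    ],
}

# Predefined groups that make a grant public: AllUsers is anyone on the Internet,
# AuthenticatedUsers is anyone with any AWS account at all.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy: dict) -> list:
    """Allow statements granted to every principal, with what they allow and on what."""
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anyone(st.get("Principal")):
            continue
        findings.append({
            "sid": st.get("Sid"),
            "actions": _as_list(st.get("Action", [])),
            "resources": _as_list(st.get("Resource", [])),
            "conditional": "Condition" in st,  # reported, not evaluated
        })
    return findings


def public_acl_grants(acl: dict) -> list:
    """(group, permission) pairs for grants to the AllUsers / AuthenticatedUsers groups."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], grant.get("Permission")))
    return out


if __name__ == "__main__":
    for finding in public_policy_statements(BUCKET_POLICY):
        print("public policy statement:", finding)
    for group, permission in public_acl_grants(OBJECT_ACL):
        print(f"public ACL grant: {group} has {permission}")
```

Feeding the JSON returned by the CLI commands above into these two functions gives the same answer get-bucket-policy-status gives for the policy, plus the ACL side that command does not cover; a FULL_CONTROL grant to AuthenticatedUsers, as in the sample ACL, includes WRITE_ACP and therefore lets any AWS account replace the ACL again.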

dual-stack

You can access an S3 bucket through a dual-stack endpoint using either a virtual hosted-style or a path-style endpoint name. These are useful for reaching S3 over IPv6.

Dual-stack endpoints use the following syntax:

  • bucketname.s3.dualstack.aws-region.amazonaws.com
  • s3.dualstack.aws-region.amazonaws.com/bucketname

Privesc

In the following page you can check how to abuse S3 permissions to escalate privileges:

AWS - S3 Privesc

Unauthenticated Access

AWS - S3 Unauthenticated Enum

S3 Post Exploitation

AWS - S3 Post Exploitation

Persistence

AWS - S3 Persistence

Other S3 vulns

S3 HTTP Cache Poisoning Issue

According to this research it was possible to cache the response of an arbitrary bucket as if it belonged to a different bucket. This could have been abused to change, for example, the responses for JavaScript files and compromise arbitrary pages that use S3 to store static code.

Amazon Athena

Amazon Athena is an interactive query service that makes it easy to analyze data directly in Amazon Simple Storage Service (Amazon S3) using standard SQL.

You need to prepare a relational DB table with the format of the content that is going to appear in the monitored S3 buckets. Then Amazon Athena can populate the DB from the logs, so you can query it.

Amazon Athena supports querying S3 data that is already encrypted and, if configured to do so, Athena can also encrypt the results of the query, which can then be stored in S3.

This encryption of results is independent of the underlying queried S3 data, meaning that even if the S3 data is not encrypted, the query results can be encrypted. A couple of points to be aware of: Amazon Athena only supports data that has been encrypted with the following S3 encryption methods: SSE-S3, SSE-KMS and CSE-KMS.

SSE-C and CSE-C are not supported. In addition, it is important to understand that Amazon Athena will only run queries against encrypted objects that are in the same region as the query itself. If you need to query S3 data that has been encrypted using KMS, then the Athena user needs specific permissions to be able to run the query.

Enumeration

# Get catalogs
aws athena list-data-catalogs

# Get databases inside catalog
aws athena list-databases --catalog-name <catalog-name>
aws athena list-table-metadata --catalog-name <catalog-name> --database-name <db-name>

# Get query executions, queries and results
aws athena list-query-executions
aws athena get-query-execution --query-execution-id <id> # Get query and meta of results
aws athena get-query-results --query-execution-id <id> # This will rerun the query and get the results

# Get workgroups & Prepared statements
aws athena list-work-groups
aws athena list-prepared-statements --work-group <wg-name>
aws athena get-prepared-statement --statement-name <name> --work-group <wg-name>

# Run query
aws athena start-query-execution --query-string <query>
