Playing With s3 — Leaks

Hi Everyone,

My name is Aswin Thambi Panikulangara(R0074G3N7). In this writeup, I will be sharing my technique of enumerating s3 buckets, finding misconfigurations, and recent bug i found in a public program(P1).

Tools : Subfinder, Ffuf, waybackurls

*.redacted.com is in scope. As usual, I started with subdomain enumeration, for subdomain enumeration I mostly use sublister.

subfinder -d redacted.com > subdomains.txt

Now I used Ffuf for Fuzzing and enumerating s3 buckets.

ffuf -u http://FUZZ.s3.amazonaws.com -w subdomains.txt

After fuzzing got 5 buckets. Four of them were denied access and one was open.

Bucket was like : sub.redacted.com.s3.amazonaws.com

So I need to confirm this bucket belongs to redacted.com. I used waybackurls this time.

cat subdomains.txt | waybackurls | grep s3.amazonaws

waybackurls disclosing s3 buckets.

After seeing this just tried to list the bucket.

aws s3 ls s3://sub.redacted.com

Bucket listed successfully!!!

It was leaking tons of private pictures of users where anyone can access it publically.

Again I tried to mv, cp files into the bucket but failed. So reported this directly to the company.

2021 july 29 reported.

2021 july 29 triaged as critical, fixed.

2021 july 30 listed in HOF page.

2021 july 30 rewarded with Swags.

THANKS.