Discovery#

If you find a URL that points at an S3 bucket, such as

https://s3.amazonaws.com/domain.name

Probe#

You can probe the bucket with the AWS CLI. First, install it:

sudo apt install awscli

Then send unsigned (anonymous) requests to see whether the bucket grants public access:

aws s3 ls s3://domain.name --no-sign-request

aws s3 ls s3://domain.name --no-sign-request --recursive

Public bucket#

If the listing succeeds, the bucket is publicly readable and any object in it can be fetched without credentials:

aws s3 cp s3://domain.name/folder/file.zip ./ --no-sign-request

Private bucket#

First, you need valid credentials that are authorized to access the bucket; without them, none of the steps below will work.

accessKey = "asdasdasd"
secretKey = "asdasdasdasdasd"

Next, you need to know the region the bucket is deployed in. If you don't already have that information, look for the x-amz-bucket-region header in the response to an unsigned request; S3 still returns it when the request itself is refused, as in the 403 below:

$ curl -I https://s3.amazonaws.com/domain.name

HTTP/1.1 403 Forbidden
x-amz-bucket-region: us-west-3
<...>
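As an added example that is not part of the original page, the following Python script interprets the responses that the unsigned probes above and the region lookup produce: it splits a raw HTTP response, pulls out x-amz-bucket-region, and classifies the bucket as world-listable, existing-but-denied, redirected to another regional endpoint, or non-existent. It is written from the auditing side (run it over responses from your own buckets and treat "public-listable" as a finding). The sample responses are constructed; domain.name and us-west-3 are placeholders taken from the page, not real resources. Only the standard library is used, so it runs offline.

```python
"""Classify the result of an unsigned probe against an S3 bucket (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"  # namespace of ListBucketResult


@dataclass
class ProbeResult:
    status: int
    region: Optional[str]            # value of the x-amz-bucket-region header, if present
    verdict: str                     # public-listable | exists-denied | wrong-endpoint | missing | unknown
    error_code: Optional[str] = None  # <Code> from an S3 error body, if any
    keys: List[str] = field(default_factory=list)


def parse_raw_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response (as `curl -i` prints it) into status, headers, body."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head, _, body = raw.partition(sep)
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return status, headers, body


def _error_code(body: str) -> Optional[str]:
    """S3 error bodies look like <Error><Code>AccessDenied</Code>...</Error> (no namespace)."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:  # HEAD responses and non-XML bodies have no error code
        return None
    code = root.find("Code")
    return code.text if code is not None else None


def _listing_keys(body: str) -> List[str]:
    """Object keys from a ListBucketResult document, returned on a successful anonymous GET."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    return [k.text for k in root.iter(f"{S3_NS}Key") if k.text]


def classify_probe(raw: str) -> ProbeResult:
    status, headers, body = parse_raw_response(raw)
    region = headers.get("x-amz-bucket-region")
    code = _error_code(body)
    if status == 200:
        # Anonymous listing succeeded: anyone on the internet can enumerate the bucket.
        return ProbeResult(status, region, "public-listable", keys=_listing_keys(body))
    if status == 403 or code == "AccessDenied":
        # The bucket exists (the region header is still sent) but anonymous access is refused.
        return ProbeResult(status, region, "exists-denied", code)
    if status == 301 or code == "PermanentRedirect":
        # Wrong regional endpoint; x-amz-bucket-region says where to send the request instead.
        return ProbeResult(status, region, "wrong-endpoint", code)
    if status == 404 or code == "NoSuchBucket":
        return ProbeResult(status, region, "missing", code)
    return ProbeResult(status, region, "unknown", code)


# Constructed sample: what `curl -I` returns for an existing bucket that denies anonymous access.
HEAD_DENIED = (
    "HTTP/1.1 403 Forbidden\r\n"
    "x-amz-bucket-region: us-west-3\r\n"
    "Content-Type: application/xml\r\n"
    "\r\n"
)

# Constructed sample: a successful anonymous listing (what `aws s3 ls --no-sign-request` relies on).
LIST_PUBLIC = (
    "HTTP/1.1 200 OK\r\n"
    "x-amz-bucket-region: us-west-3\r\n"
    "Content-Type: application/xml\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">'
    "<Name>domain.name</Name>"
    "<Contents><Key>folder/file.zip</Key><Size>1024</Size></Contents>"
    "<Contents><Key>backup/db.sql</Key><Size>2048</Size></Contents>"
    "</ListBucketResult>"
)

# Constructed sample: the bucket name is not taken at all.
GET_MISSING = (
    "HTTP/1.1 404 Not Found\r\n"
    "Content-Type: application/xml\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    "<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message>"
    "<BucketName>domain.name</BucketName></Error>"
)

if __name__ == "__main__":
    for sample in (HEAD_DENIED, LIST_PUBLIC, GET_MISSING):
        r = classify_probe(sample)
        print(r.status, r.region, r.verdict, r.error_code, r.keys)
```

A 403 is not a clean result for the bucket owner: it confirms the bucket name exists and leaks its region, which is why the region lookup in this section works at all. Only the "missing" verdict reveals nothing about the account.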

After that, configure the AWS CLI with the access key, secret key and region:

$ aws configure

AWS Access Key ID [None]: asdasdasd
AWS Secret Access Key [None]: asdasdasdasdasd
Default region name [None]: us-west-3
Default output format [None]:

Confirm that the credentials are valid and see which IAM principal they belong to:

aws sts get-caller-identity

Then, you can list files. Do not pass --no-sign-request here: that flag makes the CLI send unsigned requests, so the credentials you just configured would be ignored and the request would be treated as anonymous.

aws s3 ls s3://domain.name

aws s3 ls s3://domain.name --recursive

Grab files, again as signed requests:

aws s3 cp s3://domain.name/folder/file.zip ./