An issue seen in a number of S3/AWS configurations is the "Any Authenticated AWS User" grantee (the AuthenticatedUsers group in S3 ACL terms). The name misleads: it grants access not just to users authenticated to your account, but to any principal authenticated to any AWS account, period.
That means that any joe-schmoe who signs up for a free-tier account can now access your S3 resources, with whatever permission (read, write, or full control) that grant carries.
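To make that grantee concrete, here is an added example (my own code, not part of the original writeup or of the challenge) that parses the JSON `aws s3api get-bucket-acl` returns, flags every grant to the global AuthenticatedUsers or AllUsers group, reports whether outsiders can write, and emits the corrected owner-only ACL. The sample ACL, its owner ID and display name are constructed for the demo.

```python
"""Audit an S3 bucket ACL for grants that reach outside the owning account."""
import json

# Well-known S3 grantee groups.  The console label "Any Authenticated AWS User"
# is the AuthenticatedUsers group: every principal in every AWS account,
# including a stranger's free-tier account.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

RISKY_GROUPS = {
    AUTHENTICATED_USERS: "any authenticated AWS user",
    ALL_USERS: "anyone, unauthenticated",
}

# Permissions that let the grantee add objects or rewrite the ACL itself.
WRITE_LIKE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}

# Constructed sample (not real data) in the shape `aws s3api get-bucket-acl`
# returns: the owner has FULL_CONTROL, and the weak grant hands WRITE and
# READ_ACP to any authenticated AWS user.
OWNER_ID = "a" * 64  # canonical user IDs are 64 hex characters; fake value
WEAK_ACL_JSON = json.dumps({
    "Owner": {"DisplayName": "bucket-owner", "ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID,
                     "DisplayName": "bucket-owner"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ_ACP"},
    ],
})


def load_acl(acl_json):
    """Parse the CLI's JSON output into a dict."""
    return json.loads(acl_json)


def risky_grants(acl):
    """Return (who, permission) for each grant made to a global group."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS:
            out.append((RISKY_GROUPS[grantee["URI"]], grant["Permission"]))
    return out


def world_writable(acl):
    """True if a global group can add objects or change the ACL: the condition
    that lets an outsider's account upload a file into the bucket."""
    return any(perm in WRITE_LIKE for _, perm in risky_grants(acl))


def owner_only_acl(acl):
    """Corrected ACL: only the owner's FULL_CONTROL, every group grant dropped.

    The result is valid input for
    `aws s3api put-bucket-acl --bucket <bucket> --access-control-policy file://fixed.json`.
    """
    owner = acl["Owner"]
    grantee = {"Type": "CanonicalUser", "ID": owner["ID"]}
    if "DisplayName" in owner:
        grantee["DisplayName"] = owner["DisplayName"]
    return {"Owner": dict(owner),
            "Grants": [{"Grantee": grantee, "Permission": "FULL_CONTROL"}]}


def audit(acl_json):
    """Summarise findings for one bucket; returns (findings, fixed_acl)."""
    acl = load_acl(acl_json)
    findings = [f"{perm} granted to {who}" for who, perm in risky_grants(acl)]
    if world_writable(acl):
        findings.append("bucket is writable by outsiders: any AWS account can upload")
    return findings, owner_only_acl(acl)


if __name__ == "__main__":
    found, fixed = audit(WEAK_ACL_JSON)
    for line in found:
        print("FINDING:", line)
    print(json.dumps(fixed, indent=2))
```

This only covers the bucket ACL. A bucket policy with `"Principal": "*"` (or `{"AWS": "*"}`) reaches just as far, and objects uploaded with `--acl public-read` carry their own ACLs, so check `get-bucket-policy` and object ACLs separately before declaring a bucket clean.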
When visiting the challenge page, you are introduced to FileBulker: it reads a file of line-separated filenames and concatenates their contents into the page.
|I don't read elvish so I've no idea what it says.|
Navigating to the example.txt file directly in Burp shows that the files subdomain points to an Amazon S3 bucket. It also shows the files from which the example text was read (files/loremipsum, hackers_subtitle).
|Note the server, as well as the x-amz-* items|
Using awscli, I tried to determine what I had access to. Turns out I was able to write files directly to the S3 bucket, but could not list directories or download most files. Initially I thought I would have to upload some PHP and get RCE, but when we look at filer.sect.ctf.rocks/files we can already see what I need to read.
If we create a file called testspork.txt containing the line files/flag.php and add it to the S3 bucket using the command:
aws s3 mv testspork.txt s3://files.filer.sect.ctf.rocks --acl public-read
Navigating to http://filer.sect.ctf.rocks/?bulkfile=http://files.filer.sect.ctf.rocks/testspork.txt gives us our flag:
|Everything's safer in the cloud.|
This challenge was a lot of fun, especially since this issue had been in the back of my head for a while. Thanks again to @SEC_T_org, and Mathias Karlsson for putting it together.
Furthermore, anyone looking for more information on these kinds of vulnerabilities should check out the links below, Examples 5 and 6 in Section 9 of Peter Y's awesome book Web Hacking 101, and his video below.