aws
aws-cli is Amazon’s official command-line tool for interacting with AWS services. Unlike most automation tools, it can resolve both S3 API and website endpoints, allowing object enumeration in scenarios where API listing is blocked but website listings are exposed.
Usage
$ aws configure --profile cloudgoat
AWS Access Key ID [None]: AKIAVUZR3DVG2LOEV4S2
AWS Secret Access Key [None]: Ew...<REDACTED>...zn
Default region name [None]: us-east-1
Default output format [None]: json
# If output opens within a pager, add this to the ~/.zshrc
$ export AWS_PAGER=""
# Whoami of AWS
aws sts get-caller-identity --profile cloudgoat
# A more detailed whoami
aws iam get-user --profile iam_enum
# List groups memberships
aws iam list-groups-for-user --user-name [user-name]
# List IAM users
aws iam list-users
# List attached managed policies
aws iam list-attached-user-policies --user-name [user-name]
# List inline policies
aws iam list-user-policies --user-name [user-name]
# List inline policy details
aws iam get-user-policy --user-name [user-name] --policy-name [policy-name]
Each AWS account can have two different access keys. If an account has only one, a second access key can be created as a backdoor in order to compromise it.
AWS roles are similar to users but have no long-term credentials. Instead, they receive temporary ones via role assumption, which expire after a defined period of time.
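A defender's check for the second-access-key backdoor described above, as an added example that is not part of the original page: it flags users holding more than one key and prints the most recently created one for review. The sample rows and key IDs are constructed, the function names are hypothetical, and the CreateDate values are assumed to share one timestamp format so they compare as strings.

```bash
#!/usr/bin/env bash
# Added example: flag users that hold more than one access key.
# Input rows (tab-separated: UserName, AccessKeyId, Status, CreateDate) match
#   aws iam list-access-keys --user-name [user-name] \
#     --query 'AccessKeyMetadata[].[UserName,AccessKeyId,Status,CreateDate]' \
#     --output text

# Constructed sample rows; key IDs and dates are made up for illustration.
sample_rows() {
  printf '%s\t%s\t%s\t%s\n' \
    alice AKIAEXAMPLE000000001 Active   2023-01-10T08:00:00+00:00 \
    bob   AKIAEXAMPLE000000002 Active   2022-11-03T12:30:00+00:00 \
    bob   AKIAEXAMPLE000000003 Active   2024-05-02T09:14:00+00:00 \
    carol AKIAEXAMPLE000000004 Inactive 2021-06-21T17:45:00+00:00 \
    carol AKIAEXAMPLE000000005 Active   2021-06-20T10:00:00+00:00
}

# Reads rows on stdin. For every user with more than one key, prints the
# newest key (user, key id, status, creation time), sorted by user name.
flag_second_keys() {
  awk -F'\t' '
    {
      count[$1]++
      # Same-format ISO 8601 timestamps order correctly as plain strings.
      if (!($1 in newest) || $4 > newest[$1]) {
        newest[$1] = $4; key[$1] = $2; status[$1] = $3
      }
    }
    END {
      for (u in count)
        if (count[u] > 1)
          printf "%s\t%s\t%s\t%s\n", u, key[u], status[u], newest[u]
    }
  ' | LC_ALL=C sort
}

# Run against the constructed sample.
sample_rows | flag_second_keys
```

A newest key whose creation time does not line up with a planned rotation is the one to trace in CloudTrail (`CreateAccessKey` events) before deactivating it.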
# List all buckets in the authenticated AWS account
aws s3 ls
# List all buckets from a custom endpoint
aws s3 ls --endpoint=http://s3.thetoppers.htb
# Check if a bucket exists (no authentication required)
aws s3 ls s3://[bucket-name] --no-sign-request
# List the target bucket's content from a custom endpoint
aws s3 ls s3://thetoppers.htb --endpoint=http://s3.thetoppers.htb
# List the contents of a public or accessible bucket (optionally specify a path)
aws s3 ls s3://[bucket-name]/[optional-path] --no-sign-request --recursive
# Download an object from a public or accessible bucket
aws s3 cp s3://[bucket-name]/[key] [local-file] --no-sign-request
# Upload a file to test write access (only works if bucket allows writes)
aws s3 cp test.txt s3://[bucket-name]/test.txt
# Upload a file
aws s3 cp shell.php s3://thetoppers.htb --endpoint=http://s3.thetoppers.htb
# Enumerate bucket permissions
# Get the bucket policy (authenticated)
aws s3api get-bucket-policy --bucket [bucket-name]
# Get the bucket Access Control List (ACL) (authenticated)
aws s3api get-bucket-acl --bucket [bucket-name]
# Get the Public Access Block settings (authenticated)
aws s3api get-bucket-public-access-block --bucket [bucket-name]
# Get the CORS configuration (may provide hints for XSS or other client-side issues)
aws s3api get-bucket-cors --bucket [bucket-name]
# List all buckets in the account
aws s3api list-buckets
# List objects in a specific bucket (output formatted as a table)
aws s3api list-objects --bucket [bucket-name] --output table