📝 Final Report & Lessons Learned
1. Executive Summary
Three is a Tier 1 machine that showcases the dangers of misconfigured cloud storage (AWS S3) integrated into web applications. By allowing public write access to the S3 bucket, it was possible to upload a webshell and execute arbitrary code on the web server.
2. Key Takeaways
- Technical takeaways: S3 buckets should never allow public (anonymous) write access unless absolutely necessary, and then only for a prefix the web server never serves as executable code. Subdomain/VHOST enumeration is critical as soon as a domain name is discovered; the S3 interface on this box lived on a separate virtual host.
- Strategic takeaways: Always check cloud infrastructure configurations as they often lack the same level of security hardening as the primary server.
3. Remediation
- Restrict S3 Permissions: Implement strict Access Control Lists (ACLs) or Bucket Policies so that anonymous and public users cannot upload files; only the application's own identity should hold write permissions.
- Sanitize Uploads: Even if uploads are allowed, the server should not execute files from the upload directory (disable PHP execution in the upload directory under /var/www if possible, or store uploads outside the web root).
- Endpoint Security: Require authentication for the S3 interface (AWS Access Keys) instead of accepting anonymous requests.
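The first remediation point is easiest to check mechanically. The script below is an added example, not code from the box or from this writeup: it parses a bucket policy document and reports every Allow statement that grants a write-type S3 action to an anonymous principal (`"*"` or `{"AWS": "*"}`). The two policies embedded in it are constructed samples; `POLICY_WEAK` models the anonymous-upload misconfiguration described in the executive summary and `POLICY_FIXED` is the hardened version of the same bucket (the bucket name and the IAM role ARN are made up). It only inspects the policy document itself; bucket ACLs and the account-level Block Public Access settings also decide whether a bucket is writable, so treat it as one check among several.

```python
"""Flag bucket-policy statements that grant anonymous write access to S3.

Added example (not the box's or the report author's code). Both policies
below are constructed samples with a hypothetical bucket name and role ARN.
"""
import fnmatch
import json

# Actions that let a caller create or replace objects, or rewrite the
# bucket's own access controls. Anonymous grants of any of these are what
# make a webshell upload possible.
WRITE_ACTIONS = (
    "s3:PutObject",
    "s3:PutObjectAcl",
    "s3:DeleteObject",
    "s3:PutBucketPolicy",
    "s3:PutBucketAcl",
)

# Weak policy: anonymous read is fine for a static site, but the second and
# third statements let anyone upload (or do anything) to the bucket.
POLICY_WEAK = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicUpload", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:PutObject", "s3:PutObjectAcl"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Wildcard", "Effect": "Allow", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
    ],
})

# Fixed policy: public read stays, writes are limited to the application's
# own role (hypothetical ARN) and to an uploads/ prefix.
POLICY_FIXED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppUpload", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/web-app"},
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/uploads/*"},
    ],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for both spellings of 'everyone': "*" and {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _grants_write(actions):
    """Match each action pattern (s3:*, s3:Put*, ...) against WRITE_ACTIONS.

    IAM action names are case-insensitive, so compare lower-cased.
    """
    return any(
        fnmatch.fnmatchcase(w.lower(), a.lower())
        for a in _as_list(actions)
        for w in WRITE_ACTIONS
    )


def public_write_sids(policy_json):
    """Return the Sids of Allow statements that let anonymous callers write.

    NotPrincipal / NotAction forms are not handled and should be reviewed
    by hand; a Condition block may narrow a grant, but the statement is
    still reported because it deserves a look rather than silent trust.
    """
    policy = json.loads(policy_json)
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_write(stmt.get("Action", [])):
            continue
        hits.append(stmt.get("Sid", f"statement[{idx}]"))
    return hits


if __name__ == "__main__":
    for name, doc in (("weak", POLICY_WEAK), ("fixed", POLICY_FIXED)):
        print(f"{name}: anonymous write via {public_write_sids(doc) or 'none'}")
```

Run against a real bucket by feeding it the output of `aws s3api get-bucket-policy --bucket <name> --query Policy --output text`; an empty result from this script does not by itself prove the bucket is safe, since a permissive ACL can still grant the same access.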
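For the second remediation point, the Apache fragment below is an added example rather than configuration taken from the box. It assumes the uploads are served from a hypothetical `/var/www/html/uploads` directory and that PHP runs through `mod_php`; the `php_admin_flag` line switches the PHP engine off for that directory, and the `FilesMatch` block refuses to serve PHP-looking files at all, which also covers setups where PHP runs through php-fpm and `php_admin_flag` has no effect.

```apache
# Added example: deny script execution in a synchronised upload directory.
# Path is hypothetical; adjust to wherever the S3 contents are mirrored.
<Directory "/var/www/html/uploads">
    # mod_php only: no PHP is interpreted under this tree.
    php_admin_flag engine off

    # Belt and braces (works with php-fpm too): never serve PHP-like files
    # from here, so an uploaded webshell returns 403 instead of running.
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>

    # Stop per-directory overrides from re-enabling any of the above.
    AllowOverride None
</Directory>
```

Moving the upload directory outside `DocumentRoot` and serving it through a download handler is the stronger option; the fragment above is the minimum if the directory has to stay under the web root.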
4. Skills Gained
- VHOST / Subdomain enumeration with Gobuster
- AWS CLI for S3 bucket enumeration
- PHP Webshell creation and RCE via S3
- Local DNS configuration via /etc/hosts