Overview
A Bucket of Phish is a cloud security challenge from the Hackfinity Battle CTF event that demonstrates AWS S3 bucket misconfiguration vulnerabilities. This challenge involves identifying a phishing website hosted on Amazon S3, enumerating the bucket contents, and retrieving captured credentials containing the flag.
Room Objectives
This challenge covers cloud security concepts including:
Static website hosting on Amazon S3
S3 bucket enumeration and misconfigurations
Public bucket access without authentication
Credential harvesting from phishing campaigns
Server header analysis for technology identification
1. Initial Recon
The target domain is a phishing website hosted on AWS S3:
http://darkinjector-phish.s3-website-us-west-2.amazonaws.com
Inspect the website content using curl:
curl http://darkinjector-phish.s3-website-us-west-2.amazonaws.com
The response reveals a phishing login page for "Cmail Webmail" with:
HTML login form with email and password fields
Form action pointing to /login
Password reset link to /reset-password
Clean, professional styling mimicking legitimate webmail
Test the non-existent endpoints:
curl http://darkinjector-phish.s3-website-us-west-2.amazonaws.com/reset-password
This returns a 404 error, confirming the site is static and has no backend functionality.
2. Validate Hosting Type
Check HTTP headers to identify the hosting technology:
curl -I http://darkinjector-phish.s3-website-us-west-2.amazonaws.com
Key Headers:
Server: AmazonS3x-amz-id-2 and x-amz-request-id confirm AWS S3Static content with no server-side processing
3. Enumerate the S3 Bucket
From the S3 static website URL format, identify the bucket name:
http://.s3-website-.amazonaws.com
Bucket name: darkinjector-phish
Attempt to list bucket contents without authentication:
aws s3 ls s3://darkinjector-phish --recursive --no-sign-request
Bucket Contents:
index.html (4912 bytes) - The phishing pagecaptured-logins-093582390 (1456 bytes) - Credential storage file
4. Retrieve the Flag
Download the captured credentials file:
aws s3 cp s3://darkinjector-phish/captured-logins-093582390 ./ --no-sign-request
Examine the contents:
cat captured-logins-093582390
Captured Credentials:
user,pass
munra@thm.thm,Password123
test@thm.thm,123456
mario@thm.thm,Mario123
flag@thm.thm,THM{this_is_not_what_i_meant_by_public}
Flag: THM{this_is_not_what_i_meant_by_public}
AWS S3 Security Concepts
Static Website Hosting
S3 can host static websites without server-side processing
URLs follow the pattern: bucket-name.s3-website-region.amazonaws.com
No support for dynamic content, forms, or backend logic
All requests are served directly from S3 storage
Bucket Permissions
Public Access: Buckets can be configured for public read accessACLs: Access Control Lists control object-level permissionsBucket Policies: JSON policies define access rulesPre-signed URLs: Temporary access without authentication
Common Misconfigurations
Public Buckets: Entire buckets made publicly accessiblePermissive Policies: Overly broad access permissionsUnnecessary Public Objects: Sensitive data exposedMissing Encryption: Data stored without encryption
Enumeration Techniques
Passive Methods
URL Analysis: Extract bucket name from S3 website URLsHeader Inspection: Server headers identify S3 hostingContent Analysis: HTML reveals phishing nature and functionality
Active Methods
Bucket Listing: aws s3 ls with --no-sign-requestObject Download: aws s3 cp for public objectsBucket Discovery: Brute force common bucket namesRegion Enumeration: Test different AWS regions
Security Lessons
Static S3 websites cannot process forms or handle dynamic requests
Public S3 buckets expose all objects to unauthorized access
Server headers can reveal hosting provider and technology stack
Credential harvesting is a common phishing campaign goal
Bucket naming conventions can leak organizational information
Phishing sites often mimic legitimate services with professional styling
AWS S3 is not suitable for applications requiring server-side processing
Regular security audits should include cloud storage permissions
Principle of least privilege applies to cloud resource access
Tools Used
curl: HTTP requests and header inspectionawscli: AWS S3 bucket enumeration and file downloadBrowser Developer Tools: HTML and CSS analysis
AWS S3 Security Best Practices
Access Control
Enable S3 Block Public Access at account level
Use IAM policies with minimal required permissions
Implement VPC endpoints for internal access
Enable CloudTrail for API activity logging
Data Protection
Enable server-side encryption (SSE-S3 or SSE-KMS)
Use versioning to protect against accidental deletion
Implement lifecycle policies for data retention
Enable access logging for security monitoring
Monitoring and Alerting
Set up CloudWatch alarms for unusual access patterns
Use AWS Config for compliance monitoring
Implement GuardDuty for threat detection
Regular security assessments and penetration testing
Useful Commands
# Inspect website content
curl http://.s3-website-.amazonaws.com
# Check HTTP headers
curl -I http://.s3-website-.amazonaws.com
# List bucket contents (public)
aws s3 ls s3:// --recursive --no-sign-request
# Download public object
aws s3 cp s3:/// ./ --no-sign-request
# Check bucket permissions
aws s3api get-bucket-acl --bucket --no-sign-request
# List all buckets (if authenticated)
aws s3 ls
# Test bucket existence
aws s3 ls s3:// --no-sign-request 2>/dev/null
Cloud Security Considerations
Shared Responsibility Model
AWS Responsibility: Infrastructure security, physical security, network securityCustomer Responsibility: Data protection, access management, configurationConfiguration Errors: Most breaches result from misconfigurations
Common Attack Vectors
Misconfigured Buckets: Public access to sensitive dataWeak Credentials: Compromised access keysInsufficient Monitoring: Lack of logging and alertingPrivilege Escalation: Over-permissive IAM policies