# ================================================================
# Attack path: Hello, anonymous bucket
# Difficulty: easy · Cloud: aws · Est. time: 10 min
#
# Starting position: Anonymous internet user, no AWS credentials.
# Objective: List and download every object in the public S3 bucket.
#
# Playbook:
# 1. Discovers the bucket name via Google dorking, GitHub leaks, or a brute-force wordlist.
# 2. Lists contents anonymously: `aws s3 ls s3://<bucket> --no-sign-request` — public ACL allows unauthenticated reads.
# exploits: S3-001, S3-004
# 3. Exfiltrates everything: `aws s3 sync s3://<bucket> ./loot --no-sign-request`.
# exploits: S3-001
#
# Cleanup: terraform destroy -auto-approve (or: aws cloudformation delete-stack)
# ================================================================
# Provider pins. Both constraints are major-version ranges: the lab's
# ownership-control / ACL wiring below is written against the aws 5.x
# resource semantics, so a looser pin is deliberately avoided.
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
  }
}
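# Single hard-coded region: the lab is meant to live in one isolated
# account/region so the public bucket is easy to locate and tear down.
provider "aws" {
  region = "us-east-1"

  # The footer asks for a "time-boxed and tagged" deployment, but no resource
  # in this file carried tags. Provider-level default_tags stamps every
  # taggable resource (here: the bucket) so the deliberately public bucket is
  # attributable in inventory / Config / cost views and cannot be mistaken for
  # a production asset. Values are example labels; adapt to local convention.
  default_tags {
    tags = {
      Lab       = "vbuild-hello-anonymous-bucket"
      Purpose   = "intentionally-vulnerable-training"
      ManagedBy = "terraform"
    }
  }
}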
# Four random bytes whose `.hex` form (8 hex characters) is appended to the
# bucket name. S3 bucket names are globally unique, so a fixed name would
# collide across repeated or parallel deployments of this lab.
resource "random_id" "suffix" {
byte_length = 4
}
# Public object bucket
# vulnerabilities: S3-001, S3-004, S3-010
# The bucket resource itself is unremarkable; the exposure is assembled by the
# ownership-controls, public-access-block and ACL resources that follow.
# `force_destroy = true` lets `terraform destroy` delete the bucket even when
# it still holds objects, which is what makes the one-line cleanup in the
# header work after the lab has been exercised.
resource "aws_s3_bucket" "data_public_bucket" {
bucket = "vbuild-public-${random_id.suffix.hex}"
force_destroy = true
}
# Re-enables ACLs on the bucket. New S3 buckets default to
# BucketOwnerEnforced, under which ACLs are disabled and the
# public-read-write ACL below could not be applied at all.
# Mitigation in a real account: keep the default (BucketOwnerEnforced) so
# ACL-based public access cannot be introduced, and grant access only via
# bucket policies / IAM.
resource "aws_s3_bucket_ownership_controls" "data_public_bucket" {
bucket = aws_s3_bucket.data_public_bucket.id
rule {
object_ownership = "BucketOwnerPreferred"
}
}
# All four Block Public Access guards switched OFF. They are independent
# controls, each of which alone would defeat the ACL below:
#   block_public_acls       - rejects PUTs that attach a public ACL
#   ignore_public_acls      - treats any existing public ACL as private
#   block_public_policy     - rejects bucket policies that grant public access
#   restrict_public_buckets - limits access under a public policy to the account
# New buckets get all four enabled by default; an account-level BPA setting
# overrides these bucket-level flags. Detection: AWS Config managed rules such
# as s3-bucket-level-public-access-prohibited flag this resource state directly.
resource "aws_s3_bucket_public_access_block" "data_public_bucket" {
bucket = aws_s3_bucket.data_public_bucket.id
block_public_acls = false
block_public_policy = false
ignore_public_acls = false
restrict_public_buckets = false
}
# The actual exposure. `public-read-write` is the S3 canned ACL granting the
# AllUsers group both READ (list / download) and WRITE (upload / overwrite /
# delete objects).
# NOTE(review): the header's objective only requires READ. WRITE additionally
# lets any anonymous party upload into or purge the bucket, which is broader
# than the stated playbook; confirm that is intended before reusing this lab.
# `depends_on` orders the apply: ACLs must be enabled (ownership controls) and
# Block Public Access relaxed before S3 will accept this ACL.
# Mitigation: s3-bucket-public-read-prohibited / s3-bucket-public-write-prohibited
# Config rules, or account-level Block Public Access, prevent this state.
resource "aws_s3_bucket_acl" "data_public_bucket" {
depends_on = [
aws_s3_bucket_ownership_controls.data_public_bucket,
aws_s3_bucket_public_access_block.data_public_bucket,
]
bucket = aws_s3_bucket.data_public_bucket.id
acl = "public-read-write"
}
Intentionally vulnerable: apply only in an isolated sub-account / project, time-boxed and tagged. Never deploy on top of production.