More EverSec S3 Subdomain Hijacking (BSidesRDU 2018)

There was some more S3 Subdomain Hijacking at the BSidesRDU CTF, but no one was able to solve it!

S3 Subdomain Hijacking - Introduction

Similarly to before, EverSec posted the following challenge on their blog.

S3 Subdomain Hijacking - Challenge

I was guessing that it was the same as my previous write-up, so I waited until after the con to complete it.

Finding the Vulnerable Domains

First, I used Gobuster to find the potentially vulnerable domains. I highlighted the two domains that I didn't recognize, as they seemed fairly suspicious.

root@kali:~# gobuster -m dns -u -fw -w subdomains-top1mil-5000.txt

Gobuster v2.0.0              OJ Reeves (@TheColonial)
[+] Mode         : dns
[+] Url/Domain   :
[+] Threads      : 10
[+] Wordlist     : subdomains-top1mil-5000.txt
2018/11/18 16:47:25 Starting gobuster
2018/11/18 16:47:25 [-] Wildcard DNS found. IP address(es):,

For reference, I used this subdomain list for my brute-force attack.

Verifying the Missing Buckets

With a list of potential targets, I checked to see which might be vulnerable to hijacking.

As expected, was missing a bucket, in the same way as app/blog before.

S3 Subdomain Hijacking - Jira

Additionally, looked vulnerable as well.

S3 Subdomain Hijacking - Confluence
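The same missing-bucket check from the zone owner's side, as an added example that is not part of the original write-up: it takes the CNAME records of a zone you administer and flags hosts that point at S3 while the site answers 404 with NoSuchBucket. The zone example.test, its records and the responses are constructed sample data, and the function names are hypothetical.

```python
import re
import urllib.error
import urllib.request

# CNAME targets that belong to S3 (website and REST endpoint styles).
S3_TARGET = re.compile(r"(^|\.)s3(-website)?([.-][a-z0-9-]+)?\.amazonaws\.com\.?$", re.I)

# Constructed sample: CNAME lines from a zone export for the placeholder zone example.test.
ZONE = """\
www         300 IN CNAME d111111abcdef8.cloudfront.net.
blog        300 IN CNAME blog.example.test.s3-website-us-east-1.amazonaws.com.
jira        300 IN CNAME jira.example.test.s3-website-us-east-1.amazonaws.com.
confluence  300 IN CNAME confluence.example.test.s3-website-us-east-1.amazonaws.com.
"""

# Constructed sample: (status, body) as an HTTP GET of each host would return.
RESPONSES = {
    "blog.example.test": (200, "<html><title>Blog</title></html>"),
    "jira.example.test": (404, "<Code>NoSuchBucket</Code>"),
    "confluence.example.test": (404, "<li>Code: NoSuchBucket</li>"),
}

def s3_cnames(zone_text, origin):
    """Yield (fqdn, target) for every CNAME in the export that points at S3."""
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[3].upper() == "CNAME" and S3_TARGET.search(fields[4]):
            yield f"{fields[0]}.{origin}", fields[4]

def probe(host, timeout=5):
    """Live check: fetch http://host/ and return (status, body). Not used on the sample."""
    try:
        with urllib.request.urlopen(f"http://{host}/", timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")

def is_dangling(status, body):
    """S3 answers 404 with error code NoSuchBucket when the target bucket does not exist."""
    return status == 404 and "NoSuchBucket" in body

def audit(zone_text, origin, fetch=probe):
    """Return hosts whose S3 CNAME should be removed or whose bucket must be re-created."""
    return sorted(h for h, _ in s3_cnames(zone_text, origin) if is_dangling(*fetch(h)))

if __name__ == "__main__":
    for host in audit(ZONE, "example.test", fetch=RESPONSES.get):
        print("dangling S3 CNAME:", host)
```

Against a real zone, call audit() without the fetch argument so that probe() requests each host; every host it returns needs its CNAME deleted or its bucket re-created in the owner's account.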

S3 Hijack

While I won't cover the attack step-by-step again, I did create two buckets for these targets.

S3 Subdomain Hijacking - Buckets

This time, I went with a slightly different index.html file.


<html>
<head>
<title>Redirecting to</title>
</head>
<body>
You should have just read the <a href="">previous write-up</a>!
<script>
window.location.href = "";
</script>
</body>
</html>



Also, I was able to get the pages to work without needing to browse to index.html this time!

S3 Subdomain Hijacking - Success

S3 Subdomain Hijacking - Conclusion

While the attack was still the same as last time, I was able to complete it in a more timely manner.

Hopefully next time someone is able to actually finish one of these during the CTFs.

Feel free to verify that or are working, as I can always use the page views!

I still have one (maybe two) more write-ups from BSidesRDU, and then it's back to other topics. In the meantime, please let me know if you have any post or topic ideas/suggestions.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
