There was some more S3 Subdomain Hijacking at the BSidesRDU CTF, but no one was able to solve it!
S3 Subdomain Hijacking - Introduction
Similarly to before, EverSec posted the following challenge on their blog.
I was guessing that it was the same as my previous write-up, so I waited until after the con to complete it.
Finding the Vulnerable Domains
First, I used Gobuster to find the potentially vulnerable domains. I highlighted the two domains that I didn't recognize, as they seemed fairly suspicious.
    root@kali:~# gobuster -m dns -u eversec.rocks -fw -w subdomains-top1mil-5000.txt
    =====================================================
    Gobuster v2.0.0              OJ Reeves (@TheColonial)
    =====================================================
    [+] Mode         : dns
    [+] Url/Domain   : eversec.rocks
    [+] Threads      : 10
    [+] Wordlist     : subdomains-top1mil-5000.txt
    =====================================================
    2018/11/18 16:47:25 Starting gobuster
    =====================================================
    2018/11/18 16:47:25 [-] Wildcard DNS found. IP address(es): 220.127.116.11,18.104.22.168
    Found: www.eversec.rocks
    Found: vpn.eversec.rocks
    Found: admin.eversec.rocks
    Found: wiki.eversec.rocks
    Found: jira.eversec.rocks
    Found: storage.eversec.rocks
    Found: confluence.eversec.rocks
    Found: WWW.eversec.rocks
For reference, I used this subdomain list for my brute-force attack.
Verifying the Missing Buckets
With a list of potential targets, I checked to see which might be vulnerable to hijacking.
As expected, jira.eversec.rocks was missing a bucket, in the same way as app/blog before.
Additionally, confluence.eversec.rocks looked vulnerable as well.
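The missing-bucket check above can also be run defensively across a zone you own. The following is an added example, not code from the original post: it classifies observations (hostname, CNAME target, HTTP status, response body) and flags names that still point at S3 while S3 answers with NoSuchBucket. The `example.test` names, the `Observation` type and the sample responses are constructed for illustration.

```python
import re
from dataclasses import dataclass

# S3 REST and static-website endpoint hostnames, regional forms included.
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)*\.amazonaws\.com\.?$", re.I)
# S3 answers 404 with this error code when the named bucket does not exist
# (XML <Code>NoSuchBucket</Code> on REST, "Code: NoSuchBucket" on website endpoints).
NO_BUCKET = "NoSuchBucket"


@dataclass
class Observation:
    host: str    # DNS name in the zone being audited
    cname: str   # CNAME target recorded for that name
    status: int  # HTTP status returned for http://<host>/
    body: str    # response body


def classify(o: Observation) -> str:
    if not S3_HOST.search(o.cname):
        return "not-s3"
    if o.status == 404 and NO_BUCKET in o.body:
        return "dangling"          # record outlived its bucket
    return "bucket-exists"         # includes private buckets (403 AccessDenied)


def dangling_hosts(observations):
    return sorted(o.host for o in observations if classify(o) == "dangling")


# Constructed sample observations (hypothetical zone example.test).
SAMPLES = [
    Observation("jira.example.test",
                "jira.example.test.s3-website-us-east-1.amazonaws.com",
                404, "<li>Code: NoSuchBucket</li><li>BucketName: jira.example.test</li>"),
    Observation("www.example.test",
                "www.example.test.s3-website-us-east-1.amazonaws.com",
                200, "<html><body>home</body></html>"),
    Observation("storage.example.test", "files.s3.amazonaws.com",
                403, "<Error><Code>AccessDenied</Code></Error>"),
    Observation("vpn.example.test", "gw.example.net",
                404, "NoSuchBucket"),  # not S3: body text alone proves nothing
]

if __name__ == "__main__":
    for o in SAMPLES:
        print(f"{o.host:22} {classify(o)}")
    print("fix or remove:", dangling_hosts(SAMPLES))
```

A flagged name is fixed by deleting the stale DNS record or by re-creating the bucket under an account you control.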
While I won't cover the attack step-by-step again, I did create two buckets for these targets.
This time, I went with a slightly different index.html file.
    <html>
      <head>
        <title>Redirecting to https://www.doyler.net</title>
      </head>
      <body>
        You should have just read the <a href="https://www.doyler.net/security-not-included/subdomain-hijacking-eversec">previous write-up</a>!
        <script>
          window.location.href = "https://www.doyler.net/security-not-included/subdomain-hijacking-eversec";
        </script>
      </body>
    </html>
Also, I was able to get the pages to work without needing to browse to index.html this time!
S3 Subdomain Hijacking - Conclusion
While the attack was still the same as last time, I was able to complete it in a more timely manner.
Hopefully next time someone is able to actually finish one of these during the CTFs.
I still have one (maybe two) more write-ups from BSidesRDU, and then it's back to other topics. In the meantime, please let me know if you have any post or topic ideas/suggestions.