More EverSec S3 Subdomain Hijacking (BSidesRDU 2018)

There was some more S3 Subdomain Hijacking at the BSidesRDU CTF, but no one was able to solve it!

S3 Subdomain Hijacking - Introduction

Similarly to before, EverSec posted the following challenge on their blog.

S3 Subdomain Hijacking - Challenge

I was guessing that it was the same as my previous write-up, so I waited until after the con to complete it.

Finding the Vulnerable Domains

First, I used Gobuster to find the potentially vulnerable domains. The two domains that I didn't recognize (jira and confluence) stood out as fairly suspicious.

root@kali:~# gobuster -m dns -u eversec.rocks -fw -w subdomains-top1mil-5000.txt

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : eversec.rocks
[+] Threads      : 10
[+] Wordlist     : subdomains-top1mil-5000.txt
=====================================================
2018/11/18 16:47:25 Starting gobuster
=====================================================
2018/11/18 16:47:25 [-] Wildcard DNS found. IP address(es): 104.239.207.44,198.105.244.130
Found: www.eversec.rocks
Found: vpn.eversec.rocks
Found: admin.eversec.rocks
Found: wiki.eversec.rocks
Found: jira.eversec.rocks
Found: storage.eversec.rocks
Found: confluence.eversec.rocks
Found: WWW.eversec.rocks

For reference, I used this subdomain list for my brute-force attack.

Verifying the Missing Buckets

With a list of potential targets, I checked to see which might be vulnerable to hijacking.

As expected, jira.eversec.rocks was missing a bucket, in the same way as app/blog before.

S3 Subdomain Hijacking - Jira

Additionally, confluence.eversec.rocks looked vulnerable as well.

S3 Subdomain Hijacking - Confluence
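The verification step above (does the subdomain point at S3, and does S3 answer that the bucket does not exist?) is easy to turn into a repeatable check for your own zones. The script below is an added example and not code from the original post or from EverSec; it classifies each subdomain from its CNAME target and the HTTP reply seen for it. The records, status codes and bodies in OBSERVATIONS are constructed for the example (they are not the real eversec.rocks records), and a real audit would fill that table from live DNS lookups and HTTP fetches.

```python
"""Dangling S3 CNAME check (added example, not code from the original post).

Inputs are constructed: a real audit would populate OBSERVATIONS from DNS
lookups and HTTP fetches of the hosts you own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# S3 REST and static-website endpoints, with or without a bucket prefix, e.g.
#   jira.eversec.rocks.s3-website-us-east-1.amazonaws.com
#   s3-website.us-east-2.amazonaws.com
#   bucket.s3.amazonaws.com / bucket.s3-us-west-2.amazonaws.com
S3_ENDPOINT_RE = re.compile(
    r"^(?:[a-z0-9][a-z0-9.-]*\.)?"            # optional bucket prefix
    r"s3(?:-website)?(?:[.-][a-z0-9-]+)?"     # s3 / s3-website / region suffix
    r"\.amazonaws\.com\.?$",
    re.IGNORECASE,
)

# S3 bucket names are 3-63 characters; a hostname outside that range cannot
# be registered as a bucket, so a dangling record for it cannot be claimed.
MIN_BUCKET, MAX_BUCKET = 3, 63


@dataclass(frozen=True)
class Finding:
    host: str
    cname: str
    bucket: str   # bucket S3 looks for when a request arrives with Host: <host>
    status: str   # "dangling" | "bucket-exists" | "not-claimable" | "not-s3"


def is_s3_endpoint(cname: Optional[str]) -> bool:
    """True if the CNAME target is an Amazon S3 REST or website endpoint."""
    return bool(cname) and S3_ENDPOINT_RE.match(cname) is not None


def classify(host: str, cname: Optional[str], http_status: int, body: str) -> Finding:
    """Classify one subdomain from its CNAME target and the HTTP reply observed."""
    if not is_s3_endpoint(cname):
        return Finding(host, cname or "", "", "not-s3")
    # With a custom domain, S3 picks the bucket from the Host header, so the
    # bucket that has to exist is the one named after the hostname itself.
    bucket = host.lower().rstrip(".")
    if http_status == 404 and "NoSuchBucket" in body:
        if not (MIN_BUCKET <= len(bucket) <= MAX_BUCKET):
            return Finding(host, cname, bucket, "not-claimable")
        return Finding(host, cname, bucket, "dangling")
    # Anything else (200, 403 AccessDenied, ...) means a bucket already exists.
    return Finding(host, cname, bucket, "bucket-exists")


# host -> (CNAME target, HTTP status, response body excerpt). All constructed.
OBSERVATIONS: Dict[str, Tuple[Optional[str], int, str]] = {
    "jira.eversec.rocks": (
        "jira.eversec.rocks.s3-website-us-east-1.amazonaws.com", 404,
        "<h1>404 Not Found</h1><ul><li>Code: NoSuchBucket</li>"
        "<li>BucketName: jira.eversec.rocks</li></ul>",
    ),
    "confluence.eversec.rocks": (
        "s3-website-us-east-1.amazonaws.com", 404,
        "<Error><Code>NoSuchBucket</Code></Error>",
    ),
    "storage.eversec.rocks": (
        "storage.eversec.rocks.s3.amazonaws.com", 403,
        "<Error><Code>AccessDenied</Code></Error>",
    ),
    "this-hostname-is-far-too-long-to-ever-be-registered-as-a-bucket.eversec.rocks": (
        "s3-website-us-east-1.amazonaws.com", 404,
        "<Error><Code>NoSuchBucket</Code></Error>",
    ),
    "www.eversec.rocks": ("origin.example.net", 200, "<html>site</html>"),
}


def audit(observations: Dict[str, Tuple[Optional[str], int, str]]) -> List[Finding]:
    """Classify every observed host, in hostname order."""
    return [classify(host, *obs) for host, obs in sorted(observations.items())]


def dangling_hosts(observations: Dict[str, Tuple[Optional[str], int, str]]) -> List[str]:
    """Hosts whose CNAME points at S3 and whose bucket nobody currently owns."""
    return [f.host for f in audit(observations) if f.status == "dangling"]


if __name__ == "__main__":
    for f in audit(OBSERVATIONS):
        print(f"{f.host:40} {f.status:15} cname={f.cname or '-'}")
```

The remediation for a "dangling" result is to delete the CNAME record (or recreate the bucket under your own account) rather than to leave it for someone else to claim; the "not-claimable" case shows why bucket naming limits matter when you triage such records.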

S3 Hijack

While I won't cover the attack step-by-step again, I did create two buckets for these targets.

S3 Subdomain Hijacking - Buckets

This time, I went with a slightly different index.html file.

<html>

<head>
<title>Redirecting to https://www.doyler.net</title>
</head>

<body>

You should have just read the <a href="https://www.doyler.net/security-not-included/subdomain-hijacking-eversec">previous write-up</a>!

<script>
window.location.href = "https://www.doyler.net/security-not-included/subdomain-hijacking-eversec";
</script>

</body>

</html>

Also, I was able to get the pages to work without needing to browse to index.html this time!

S3 Subdomain Hijacking - Success

S3 Subdomain Hijacking - Conclusion

While the attack was still the same as last time, I was able to complete it in a more timely manner.

Hopefully next time someone is able to actually finish one of these during the CTFs.

Feel free to verify that http://jira.eversec.rocks or http://confluence.eversec.rocks are working, as I can always use the page views!

I still have one (maybe two) more write-ups from BSidesRDU, and then it's back to other topics. In the meantime, please let me know if you have any post or topic ideas/suggestions.

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.

Filed under Security Not Included
