More EverSec S3 Subdomain Hijacking (BSidesRDU 2018)

There was some more S3 Subdomain Hijacking at the BSidesRDU CTF, but no one was able to solve it!

[Image: S3 Subdomain Hijacking - Introduction]

Similarly to before, EverSec posted the following challenge on their blog.

[Image: S3 Subdomain Hijacking - Challenge]

I was guessing that it was the same as my previous write-up, so I waited until after the con to complete it.

Finding the Vulnerable Domains

First, I used Gobuster to find the potentially vulnerable domains. I highlighted the two domains that I didn't recognize, as they seemed fairly suspicious.

root@kali:~# gobuster -m dns -u eversec.rocks -fw -w subdomains-top1mil-5000.txt

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : eversec.rocks
[+] Threads      : 10
[+] Wordlist     : subdomains-top1mil-5000.txt
=====================================================
2018/11/18 16:47:25 Starting gobuster
=====================================================
2018/11/18 16:47:25 [-] Wildcard DNS found. IP address(es): 104.239.207.44,198.105.244.130
Found: www.eversec.rocks
Found: vpn.eversec.rocks
Found: admin.eversec.rocks
Found: wiki.eversec.rocks
Found: jira.eversec.rocks
Found: storage.eversec.rocks
Found: confluence.eversec.rocks
Found: WWW.eversec.rocks

For reference, I used this subdomain list for my brute-force attack.

Verifying the Missing Buckets

With a list of potential targets, I checked to see which might be vulnerable to hijacking.

As expected, jira.eversec.rocks was missing a bucket, in the same way as app/blog before.

[Image: S3 Subdomain Hijacking - Jira]

Additionally, confluence.eversec.rocks looked vulnerable as well.

[Image: S3 Subdomain Hijacking - Confluence]
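The "missing bucket" check above is exactly what a zone owner should be running against their own DNS before someone else does. The following is an added example, not code from the write-up: it classifies CNAME records that point at S3 endpoints and flags the ones whose bucket no longer exists (S3 answers those with a 404 carrying a NoSuchBucket error). The record set, CNAME targets and response bodies are constructed samples; only the hostnames come from the post.

```python
"""Audit CNAME records for dangling Amazon S3 website/REST endpoints."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Matches both styles of S3 target seen in CNAMEs:
#   bucket.s3-website-us-east-1.amazonaws.com   (bucket named in the target)
#   s3-website-us-east-1.amazonaws.com          (bucket name == the hostname)
S3_ENDPOINT_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]*)\.)?"
    r"s3(?:-website)?(?:[.-](?P<region>[a-z]{2}-[a-z]+-\d))?"
    r"\.amazonaws\.com\.?$"
)


class Finding(NamedTuple):
    host: str
    bucket: str
    status: str  # "dangling", "s3-ok" or "not-s3"


def s3_bucket_for(host: str, cname: str) -> Optional[str]:
    """Return the bucket an S3 CNAME implies, or None if the target is not S3."""
    m = S3_ENDPOINT_RE.match(cname.lower().strip())
    if not m:
        return None
    # A bare regional endpoint means S3 derives the bucket from the Host header.
    return m.group("bucket") or host.lower().rstrip(".")


def classify(host: str, cname: str, http_status: int, body: str) -> Finding:
    """Flag a host whose S3 bucket does not exist (404 + NoSuchBucket)."""
    bucket = s3_bucket_for(host, cname)
    if bucket is None:
        return Finding(host, "", "not-s3")
    if http_status == 404 and "NoSuchBucket" in body:
        return Finding(host, bucket, "dangling")
    return Finding(host, bucket, "s3-ok")


# Constructed sample: host -> (CNAME target, HTTP status, response body).
SAMPLE_RECORDS: Dict[str, Tuple[str, int, str]] = {
    "jira.eversec.rocks": ("s3-website-us-east-1.amazonaws.com", 404,
                           "<html><ul><li>Code: NoSuchBucket</li></ul></html>"),
    "confluence.eversec.rocks": ("confluence.eversec.rocks.s3-website-us-east-1.amazonaws.com",
                                 404, "<Error><Code>NoSuchBucket</Code></Error>"),
    "www.eversec.rocks": ("www.eversec.rocks.s3-website-us-east-1.amazonaws.com", 200, "<html>ok</html>"),
    "vpn.eversec.rocks": ("vpn.hosting.example.net", 200, ""),
}


def audit(records: Dict[str, Tuple[str, int, str]]) -> List[Finding]:
    return [classify(host, *rec) for host, rec in records.items()]


if __name__ == "__main__":
    for f in audit(SAMPLE_RECORDS):
        if f.status == "dangling":
            print(f"{f.host}: CNAME to S3 but bucket '{f.bucket}' does not exist")
```

In a real audit the record tuple comes from a CNAME lookup plus one HTTP GET to the hostname; a "dangling" hit is fixed by deleting the CNAME or recreating the bucket under the account.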

S3 Hijack

While I won't cover the attack step-by-step again, I did create two buckets for these targets.

[Image: S3 Subdomain Hijacking - Buckets]

This time, I went with a slightly different index.html file.

<html>

<head>
<title>Redirecting to https://www.doyler.net</title>
</head>

<body>

You should have just read the <a href="https://www.doyler.net/security-not-included/subdomain-hijacking-eversec">previous write-up</a>!

<script>
window.location.href = "https://www.doyler.net/security-not-included/subdomain-hijacking-eversec";
</script>

</body>

</html>

Also, I was able to get the pages to work without needing to browse to index.html this time!

[Image: S3 Subdomain Hijacking - Success]

S3 Subdomain Hijacking - Conclusion

While the attack was still the same as last time, I was able to complete it in a more timely manner.

Hopefully next time someone is able to actually finish one of these during the CTFs.

Feel free to verify that http://jira.eversec.rocks or http://confluence.eversec.rocks are working, as I can always use the page views!

I still have one (maybe two) more write-ups from BSidesRDU, and then it's back to other topics. In the meantime, please let me know if you have any post or topic ideas/suggestions.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Principal Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.
