
More EverSec S3 Subdomain Hijacking (BSidesRDU 2018)

There was some more S3 Subdomain Hijacking at the BSidesRDU CTF, but no one was able to solve it!

S3 Subdomain Hijacking – Introduction

Similarly to before, EverSec posted the following challenge on their blog.

S3 Subdomain Hijacking - Challenge

I was guessing that it was the same as my previous write-up, so I waited until after the con to complete it.

Finding the Vulnerable Domains

First, I used Gobuster to find the potentially vulnerable domains. I highlighted the two domains that I didn’t recognize, as they seemed fairly suspicious.

[email protected]:~# gobuster -m dns -u -fw -w subdomains-top1mil-5000.txt

Gobuster v2.0.0              OJ Reeves (@TheColonial)
[+] Mode         : dns
[+] Url/Domain   :
[+] Threads      : 10
[+] Wordlist     : subdomains-top1mil-5000.txt
2018/11/18 16:47:25 Starting gobuster
2018/11/18 16:47:25 [-] Wildcard DNS found. IP address(es):,

For reference, I used this subdomain list for my brute-force attack.

Verifying the Missing Buckets

With a list of potential targets, I checked to see which might be vulnerable to hijacking.

As expected, was missing a bucket, in the same way as app/blog before.

S3 Subdomain Hijacking - Jira

Additionally, looked vulnerable as well.

S3 Subdomain Hijacking - Confluence
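As an added example (not the author's code), here is the same two-step check from the defender's side, applied to records a zone owner would pull from their own DNS: drop brute-force hits that only return the wildcard answer gobuster warned about, then flag CNAMEs that point at an S3 hostname whose bucket answers NoSuchBucket. The hostnames, the example.test zone and the response bodies are constructed sample data; a live audit would feed it real records and real HTTP responses.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Hostname shapes S3 uses for a bucket: bucket.s3.amazonaws.com, regional forms such as
# bucket.s3.us-east-2.amazonaws.com / bucket.s3-us-west-2.amazonaws.com, and the static
# website endpoint bucket.s3-website-us-east-1.amazonaws.com (trailing dot tolerated).
S3_HOST_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"
)


def filter_wildcard(resolved: Dict[str, List[str]], wildcard_ips: Iterable[str]) -> Dict[str, List[str]]:
    """Drop brute-force hits that only return the zone's wildcard addresses.
    gobuster's "Wildcard DNS found" means every wordlist entry resolves, so such answers say nothing."""
    wildcard = set(wildcard_ips)
    return {name: ips for name, ips in resolved.items() if not set(ips) <= wildcard}


def s3_bucket_from_cname(cname: str) -> Optional[str]:
    """Return the bucket an S3 CNAME target refers to, or None for any other host."""
    m = S3_HOST_RE.match(cname.strip().lower())
    return m.group("bucket") if m else None


def is_no_such_bucket(status: int, body: str) -> bool:
    """S3 answers requests for a bucket nobody owns with HTTP 404 and this XML error code."""
    return status == 404 and "<Code>NoSuchBucket</Code>" in body


def classify(cname: str, status: int, body: str) -> str:
    """'dangling' = CNAME to an S3 hostname whose bucket is unclaimed: the takeover precondition."""
    if s3_bucket_from_cname(cname) is None:
        return "not-s3"
    return "dangling" if is_no_such_bucket(status, body) else "ok"


# Constructed sample records: (hostname, CNAME target, HTTP status, start of response body).
SAMPLE_RECORDS: List[Tuple[str, str, int, str]] = [
    ("jira.example.test", "jira-example.s3-website-us-east-1.amazonaws.com", 404,
     "<?xml version='1.0'?><Error><Code>NoSuchBucket</Code>"),
    ("blog.example.test", "blog-example.s3.us-east-2.amazonaws.com", 200, "<html>"),
    ("mail.example.test", "mail.provider.test", 404, "<html>Not Found</html>"),
]


def audit(records: List[Tuple[str, str, int, str]] = SAMPLE_RECORDS) -> Dict[str, str]:
    """Map each hostname to its classification; 'dangling' entries need the record removed or the bucket re-created."""
    return {host: classify(cname, status, body) for host, cname, status, body in records}
```

The fix for a 'dangling' result is on the DNS side: delete the CNAME, or re-create the bucket under the account that owns the domain before anyone else can.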

S3 Hijack

While I won’t cover the attack step-by-step again, I did create two buckets for these targets.

S3 Subdomain Hijacking - Buckets

This time, I went with a slightly different index.html file.

<html>
<head>
<title>Redirecting to</title>
</head>
<body>
You should have just read the <a href="">previous write-up</a>!
<script>
window.location.href = "";
</script>
</body>
</html>

Also, I was able to get the pages to work without needing to browse to index.html this time!

S3 Subdomain Hijacking - Success

S3 Subdomain Hijacking – Conclusion

While the attack was still the same as last time, I was able to complete it in a more timely manner.

Hopefully next time someone is able to actually finish one of these during the CTFs.

Feel free to verify that or are working, as I can always use the page views!

I still have one (maybe two) more write-ups from BSidesRDU, and then it’s back to other topics. In the meantime, please let me know if you have any post or topic ideas/suggestions.
