There was some more S3 Subdomain Hijacking at the BSidesRDU CTF, but no one was able to solve it!
S3 Subdomain Hijacking – Introduction
Similarly to before, EverSec posted the following challenge on their blog.
I was guessing that it was the same as my previous write-up, so I waited until after the con to complete it.
Finding the Vulnerable Domains
First, I used Gobuster to find the potentially vulnerable domains. I highlighted the two domains that I didn’t recognize, as they seemed fairly suspicious.
[email protected]:~# gobuster -m dns -u eversec.rocks -fw -w subdomains-top1mil-5000.txt

=====================================================
Gobuster v2.0.0              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dns
[+] Url/Domain   : eversec.rocks
[+] Threads      : 10
[+] Wordlist     : subdomains-top1mil-5000.txt
=====================================================
2018/11/18 16:47:25 Starting gobuster
=====================================================
2018/11/18 16:47:25 [-] Wildcard DNS found. IP address(es): 18.104.22.168,22.214.171.124
Found: www.eversec.rocks
Found: vpn.eversec.rocks
Found: admin.eversec.rocks
Found: wiki.eversec.rocks
Found: jira.eversec.rocks
Found: storage.eversec.rocks
Found: confluence.eversec.rocks
Found: WWW.eversec.rocks
For reference, I used this subdomain list for my brute-force attack.
Verifying the Missing Buckets
With a list of potential targets, I checked which of them pointed at an S3 endpoint whose bucket no longer existed, since those are the ones that can be hijacked.
As expected, jira.eversec.rocks was missing a bucket, in the same way as app/blog before.
Additionally, confluence.eversec.rocks looked vulnerable as well.
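The check described above (a subdomain whose CNAME points at S3, but S3 answers with NoSuchBucket) is what a domain owner should be running against their own zone before a CTF player or an attacker does. The following is an added example, not code from the original post: it classifies a list of (hostname, CNAME target, HTTP status, response body) records as not S3-backed, claimed, or dangling. All hostnames, CNAME targets and response bodies in it are constructed under example.net; the DNS and HTTP fetching is left to the caller so the classifier runs offline.

```python
"""Classify S3-backed subdomains as claimed or dangling.

Added example (not from the original post). The records at the bottom are
constructed stand-ins: in practice you would build them from your own DNS
lookups and HTTP fetches of the zone you administer.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, NamedTuple, Optional, Tuple

# S3 REST and static-website endpoints, optionally prefixed with a bucket name, e.g.
#   bucket.s3.amazonaws.com, bucket.s3.us-east-1.amazonaws.com,
#   bucket.s3-website-us-east-1.amazonaws.com, s3-website.us-east-2.amazonaws.com
# (dualstack and accelerate endpoint forms are deliberately not covered here).
S3_ENDPOINT_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.)?"
    r"s3(?:-website)?(?:[.-](?P<region>[a-z]{2}-[a-z]+-\d))?\.amazonaws\.com\.?$",
    re.IGNORECASE,
)


class Record(NamedTuple):
    host: str
    cname: Optional[str]  # CNAME target, or None when the name has no CNAME at all
    status: int           # HTTP status of GET http://<host>/
    body: str             # response body of that request


def s3_error_code(body: str) -> Optional[str]:
    """Extract the S3 error code from a REST (XML <Error>) or website-endpoint (HTML) error body."""
    try:
        root = ET.fromstring(body)
        if root.tag == "Error":
            return root.findtext("Code")
    except ET.ParseError:
        pass
    # Website endpoints render errors as HTML containing a "Code: NoSuchBucket" line.
    m = re.search(r"Code:\s*(\w+)", body)
    return m.group(1) if m else None


def expected_bucket(host: str, cname: str) -> Optional[str]:
    """Return the bucket name an S3 CNAME target implies, or None if the target is not S3.

    A bare website endpoint (no bucket prefix) serves the bucket named exactly like the
    requested Host header, so in that case the hostname itself is the bucket name.
    """
    m = S3_ENDPOINT_RE.match(cname.strip())
    if not m:
        return None
    return (m.group("bucket") or host).lower().rstrip(".")


def assess(rec: Record) -> Tuple[str, Optional[str]]:
    """Classify one record as ('not-s3' | 'claimed' | 'dangling', bucket_name)."""
    if rec.cname is None:
        return "not-s3", None
    bucket = expected_bucket(rec.host, rec.cname)
    if bucket is None:
        return "not-s3", None
    # Any answer other than NoSuchBucket (200, AccessDenied, NoSuchKey, ...) means the
    # bucket exists and is owned by someone, so it cannot be taken over by creating it.
    if s3_error_code(rec.body) == "NoSuchBucket":
        return "dangling", bucket
    return "claimed", bucket


def report(records: List[Record]) -> Dict[str, Tuple[str, Optional[str]]]:
    return {r.host: assess(r) for r in records}


def dangling_hosts(records: List[Record]) -> List[str]:
    return sorted(host for host, (state, _) in report(records).items() if state == "dangling")


# Constructed sample responses, shaped like the bodies S3 returns for these cases.
XML_NO_BUCKET = ("<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist"
                 "</Message><BucketName>jira.example.net</BucketName></Error>")
HTML_NO_BUCKET = ("<html><body><h1>404 Not Found</h1><ul><li>Code: NoSuchBucket</li>"
                  "<li>Message: The specified bucket does not exist</li></ul></body></html>")
XML_DENIED = "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"

SAMPLE_RECORDS = [  # constructed, not real lookups
    Record("jira.example.net", "jira.example.net.s3-website-us-east-1.amazonaws.com", 404, XML_NO_BUCKET),
    Record("confluence.example.net", "s3-website-us-east-1.amazonaws.com", 404, HTML_NO_BUCKET),
    Record("storage.example.net", "storage.example.net.s3.amazonaws.com", 403, XML_DENIED),
    Record("www.example.net", "www.example.net.s3-website-us-east-1.amazonaws.com", 200, "<html>hello</html>"),
    Record("vpn.example.net", None, 200, "<html>login</html>"),
    Record("admin.example.net", "admin.example.net.cdn.example-cdn.invalid", 404, "<html>404</html>"),
]

if __name__ == "__main__":
    for host, (state, bucket) in report(SAMPLE_RECORDS).items():
        print(f"{host:25} {state:9} {bucket or '-'}")
```

Every host reported as dangling is one where anyone can create the missing bucket and serve content under your name, exactly as the write-up does; the fix on the defender's side is to delete the stale CNAME or recreate the bucket under your own account, and to run this kind of check whenever a bucket is decommissioned.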
While I won’t cover the attack step-by-step again, I did create two buckets for these targets.
This time, I went with a slightly different index.html file.
<html>
  <head>
    <title>Redirecting to https://www.doyler.net</title>
  </head>
  <body>
    You should have just read the <a href="https://www.doyler.net/security-not-included/subdomain-hijacking-eversec">previous write-up</a>!
    <script>
      window.location.href = "https://www.doyler.net/security-not-included/subdomain-hijacking-eversec";
    </script>
  </body>
</html>
Also, I was able to get the pages to work without needing to browse to index.html this time!
S3 Subdomain Hijacking – Conclusion
While the attack was still the same as last time, I was able to complete it in a more timely manner.
Hopefully next time someone is able to actually finish one of these during the CTFs.
I still have one (maybe two) more write-ups from BSidesRDU, and then it’s back to other topics. In the meantime, please let me know if you have any post or topic ideas/suggestions.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.