AWS/S3 Subdomain Takeover
2024-1-25 17:29:53 Author: infosecwriteups.com(查看原文) 阅读量:10 收藏

Scott Lindh

InfoSec Write-ups

Write up about how I successfully took over the subdomain of an AWS/S3 bucket.

A Subdomain takeover is a cybersecurity vulnerability where attackers exploit abandoned or misconfigured subdomains, gaining unauthorized control. This can lead to malicious activities such as phishing, malware distribution, and defacement.

This 404 suggests something interesting and that is that “No such Bucket” exists…..

These are the steps I took to successfully take over this subdomain and link it to my own AWS bucket

  1. Enumerate subdomains using a recon tool in our case we will use Subfinder.
  2. Check subdomains for “signatures” In the case of AWS the signature would be “the specified bucket does not exist”, the tool used for this is Subzy.
  3. Confirm the takeover with the help of can-i-take-over-XYZ
  4. Profit !!

The first thing to do was reconnaissance and find all the target assets I could. During this process subdomain enumeration is employed, subdomain enumeration uses a mixture of techniques to find the target sub-domains: it includes searching external data sources such as search engines, public databases, and other third-party services as well as scanning DNS records NS, MX, TXT, AXFR).

Many tools exist for this purpose and I highly suggest you setup in the tools your external data source API keys to get the maximum amount of results.
We will use the tool Subfinder but other worthy tools exist such as Sublist3r, Amass, or Knockpy.

Using Subfinder after you install, Let’s run:
docker run projectdiscovery/subfinder:latest -d mobil.com -o out.txt

We will find the output in out.txt ready for the next step.
Results from Subfinder subdomain enumeration

Results from Subfinder sub domain enumeration

Many existed to check the subdomains for potential takeovers from using tools to record screenshots, to using tools to try and match text/regex right down to manually checking the domain.

We will automate the process of searching for matching text signatures using a tool called Subzy.

Assuming you have installed Subzy, let’s run:
subzy run — targets out.txt

Wait for it to complete and let’s see what we can find:

We got lucky we have a fingerprint match !!

Looks like we got lucky and we can see a domain is vulnerable and we even got given a nice link to the `can-i-take-over-xyz` repository.

Now we know this domain is vulnerable let’s go over to can-i-take-over-xyz and have a look.

  1. Go to the S3 panel
  2. Click Create Bucket
  3. Set Bucket name to source domain name (i.e., the domain you want to take over)
  4. Click Next multiple times to finish
  5. Open the created bucket
  6. Click Upload
  7. Select the file which will be used for PoC (HTML or TXT file). I recommend naming it differently than index.html; you can use poc (without extension)
  8. In the Permissions tab select Grant public read access to this object(s)
  9. After upload, select the file and click More -> Change metadata
  10. Click Add metadata, select Content-Type and the value should reflect the type of document. If HTML, choose text/html, etc.
  11. (Optional) If the bucket was configured as a website
  12. Switch to the Properties tab
  13. Click Static Website hosting
  14. Select Use this bucket to host a website
  15. As an index, choose the file that you uploaded
  16. Click Save

Success !!
We have taken over this domain/subdomain and uploaded our POC !!

Back links for the takeover

A interesting bonus is look at the traffic as a bad actor we could have potentially gotten….

Hack the Planet! Stay vigilant, stay informed, and return for continuous enlightenment

Gratitude for your engagement and Remember, knowledge is the ultimate power — keep expanding!


文章来源: https://infosecwriteups.com/aws-s3-subdomain-takeover-79d705cc3553?source=rss----7b722bfd1b8d---4
如有侵权请联系:admin#unsafe.sh