Subdomain Takeover via elasticbeanstalk AWS service

[m7mdharoun]

ElasticBeanstalk AWS service

Proof

Found it 3 times in Private Program.

Documentation

Same Steps here https://www.youtube.com/watch?v=srKIqhj_ki8

[jub0bs]

Here is another account of a subdomain takeover based on AWS Elastic Beanstalk: https://twitter.com/payloadartist/status/1362035009863880711

[jub0bs]

A useful resource for creating a PoC: https://godiego.tech/posts/STO-AWS/

[Phoenix1112]

@jub0bs There are 10-digit numbers and letters at the end of the subdomain. can I take this?

example: example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com.

[jub0bs]

@Phoenix1112 I believe so: according to the AWS CLI, the environment name is available:

$ aws elasticbeanstalk check-dns-availability --region eu-west-1 --cname-prefix uzk2i9mkth 
{
    "Available": true,
    "FullyQualifiedCNAME": "uzk2i9mkth.eu-west-1.elasticbeanstalk.com"
}

You should be able to create an environment of that name and then create an app of any name under there. See https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-create-wizard.html

Good luck! Hit me up on Twitter if needed. My DMs are open.

[Phoenix1112]

@jub0bs Thank you for writing the answer, but you probably got me wrong. I would like to make a statement based on the example I gave you.

example target:

example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com.

I can only try to get the beginning of the name cname in the address above >> example-test-eu-west-1

But elasticbeanstalk service adds 10-digit complex letters and numbers to the continuation of this cname name just like elb service. Looking at the address above, this is the 10-digit numbers and letters automatically assigned by aws. >> uzk2i9mkth

if I need to create an elastic beanstalk with this name so that I can do a subdomain takeover:

example-test-eu-west-1.uzk2i9mkth

but it does not allow using dot(.) while creating elasticbeanstalk. it just allows that much >> example-test-eu-west-1 they also add 10-digit different numbers at the end of it after taking it. it looks like there should be a brute force logic here so that I can coincide with this at the end of my elastic beanstalk address >> uzk2i9mkth

If you want to test the real cname address on this subject, I can tell you the cname name. A DNS RECORD of the target site returns nxdomain. Although there is a potential takeover, I have a problem as I explained above.

[Phoenix1112]

@jub0bs I got takeover an aws elasticbeanstalk address. i will upload poc file to it but i couldn't. After aws takeover elasticbeanstalk, an s3 bucket with similar name is created. I uploaded it into this bucket, but when I go to the url address, I encounter a 404 page. Is it correct to upload the file from here or do we need to upload it from somewhere else? I installed php application while creating elasticbeanstalk. When I go to the target subdomain "Congratulations!" I encounter the page. How can I upload the my takeover poc exactly?

[melardev]

It is done on purpose, so you don't take it over.

[yitingfan1026]

i created a python platform and uploaded a sample flask application. Refer to this: https://medium.com/analytics-vidhya/deploying-a-flask-app-to-aws-elastic-beanstalk-f320033fda3c

[onuncukoy-dot]

for poc https://www.youtube.com/watch?v=sybZlA6lUns

[Lferss]

@jub0bs Thank you for writing the answer, but you probably got me wrong. I would like to make a statement based on the example I gave you.

example target:

example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com.

I can only try to get the beginning of the name cname in the address above >> example-test-eu-west-1

But elasticbeanstalk service adds 10-digit complex letters and numbers to the continuation of this cname name just like elb service. Looking at the address above, this is the 10-digit numbers and letters automatically assigned by aws. >> uzk2i9mkth

if I need to create an elastic beanstalk with this name so that I can do a subdomain takeover:

example-test-eu-west-1.uzk2i9mkth

but it does not allow using dot(.) while creating elasticbeanstalk. it just allows that much >> example-test-eu-west-1 they also add 10-digit different numbers at the end of it after taking it. it looks like there should be a brute force logic here so that I can coincide with this at the end of my elastic beanstalk address >> uzk2i9mkth

If you want to test the real cname address on this subject, I can tell you the cname name. A DNS RECORD of the target site returns nxdomain. Although there is a potential takeover, I have a problem as I explained above.

I got your point, and have the same issue . how did you solve that? Some dns have xxx.xxx.us-west-2.elasticbeanstalk.com and aws console dont allow register as it is ...mmmhhh who knows? Could be Cloudfare related

[ertygiq]

@jub0bs There are 10-digit numbers and letters at the end of the subdomain. can I take this?

example: example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com.

Have same problem. The CNAME has the following format: xxxxx.dyk92b2ewd.us-east-1.elasticbeanstalk.com. The wizard doesn't allow me to create such subdomain (xxxxx.dyk92b2ewd). How at all someone claimed elasticbeanstalk environment with such domain name?

[ertygiq]

@Phoenix1112 I believe so: according to the AWS CLI, the environment name is available:

$ aws elasticbeanstalk check-dns-availability --region eu-west-1 --cname-prefix uzk2i9mkth 
{
    "Available": true,
    "FullyQualifiedCNAME": "uzk2i9mkth.eu-west-1.elasticbeanstalk.com"
}

You should be able to create an environment of that name and then create an app of any name under there. See https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-create-wizard.html

Good luck! Hit me up on Twitter if needed. My DMs are open.

@jub0bs

What do you mean by "create an app of any name under there."?