Open m7mdharoun opened 4 years ago
Here is another account of a subdomain takeover based on AWS Elastic Beanstalk: https://twitter.com/payloadartist/status/1362035009863880711
A useful resource for creating a PoC: https://godiego.tech/posts/STO-AWS/
@jub0bs There are 10-digit numbers and letters at the end of the subdomain. Can I take this?
example: example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com.
@Phoenix1112 I believe so: according to the AWS CLI, the environment name is available:
$ aws elasticbeanstalk check-dns-availability --region eu-west-1 --cname-prefix uzk2i9mkth
{
"Available": true,
"FullyQualifiedCNAME": "uzk2i9mkth.eu-west-1.elasticbeanstalk.com"
}
You should be able to create an environment of that name and then create an app of any name under there. See https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-create-wizard.html
Good luck! Hit me up on Twitter if needed. My DMs are open.
@jub0bs Thank you for writing the answer, but you probably got me wrong. I would like to make a statement based on the example I gave you.
example target:
example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com.
I can only try to get the beginning of the CNAME name in the address above >> example-test-eu-west-1
But the Elastic Beanstalk service adds a 10-digit mix of complex letters and numbers to the continuation of this CNAME name, just like the ELB service. Looking at the address above, these are the 10 digits and letters automatically assigned by AWS. >> uzk2i9mkth
If I need to create an Elastic Beanstalk with this name so that I can do a subdomain takeover:
example-test-eu-west-1.uzk2i9mkth
But it does not allow using a dot (.) while creating an Elastic Beanstalk. It only allows this much >> example-test-eu-west-1. They also add 10 different digits at the end of it after taking it. It looks like there should be some brute-force logic here so that I can match this at the end of my Elastic Beanstalk address >> uzk2i9mkth
If you want to test the real CNAME address on this subject, I can tell you the CNAME name. A DNS record of the target site returns NXDOMAIN. Although there is a potential takeover, I have the problem I explained above.
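As an added example (not code from this thread or from AWS), a small audit script for one's own DNS zone that parses Elastic Beanstalk CNAME targets, separates the single-label prefix form jub0bs checked with check-dns-availability from the dotted form Phoenix1112 describes above, and emits the verification command for targets that no longer resolve. The zone records, the hostnames and the resolver stub are all constructed so it runs offline.

```python
import re

# EB hostnames look like <labels>.<region>.elasticbeanstalk.com; <labels> is one
# label (a CNAME prefix the console wizard can create) or several dotted labels
# (the form in this thread, which the wizard rejects because dots are not allowed).
EB_RE = re.compile(
    r"^(?P<labels>[a-z0-9-]+(?:\.[a-z0-9-]+)*)\."
    r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)\.elasticbeanstalk\.com\.?$"
)

def classify_eb_target(cname: str):
    """Parse an Elastic Beanstalk hostname; return None if it is not one."""
    m = EB_RE.match(cname.strip().lower())
    if not m:
        return None
    prefix = m.group("labels")
    return {
        "region": m.group("region"),
        "cname_prefix": prefix,
        "console_creatable": "." not in prefix,  # wizard accepts a single label only
    }

def audit(records, resolves):
    """records: iterable of (owner_name, cname_target); resolves: host -> bool.
    Returns findings for EB targets that no longer resolve, each with the
    check-dns-availability command (from this thread) to confirm the prefix."""
    findings = []
    for name, target in records:
        info = classify_eb_target(target)
        if info is None or resolves(target):
            continue
        cmd = ("aws elasticbeanstalk check-dns-availability "
               f"--region {info['region']} --cname-prefix {info['cname_prefix']}")
        findings.append({"name": name, "target": target, **info, "check": cmd})
    return findings

# Constructed sample zone and an offline resolver stub (no real DNS lookups).
SAMPLE_RECORDS = [
    ("shop.example.com", "uzk2i9mkth.eu-west-1.elasticbeanstalk.com"),
    ("api.example.com",
     "example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com."),
    ("www.example.com", "d111111abcdef8.cloudfront.net"),
    ("app.example.com", "live-env.us-east-1.elasticbeanstalk.com"),
]
DEAD = {"uzk2i9mkth.eu-west-1.elasticbeanstalk.com",
        "example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com"}

def stub_resolves(host: str) -> bool:
    return host.rstrip(".").lower() not in DEAD
```

Findings whose prefix is not console-creatable are the dotted case this thread is stuck on; the emitted command only confirms whether the prefix is free, it does not claim it.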
@jub0bs I got a takeover of an AWS Elastic Beanstalk address. I will upload a PoC file to it, but I couldn't. After the AWS Elastic Beanstalk takeover, an S3 bucket with a similar name is created. I uploaded it into this bucket, but when I go to the URL address, I encounter a 404 page. Is it correct to upload the file from here, or do we need to upload it from somewhere else? I installed a PHP application while creating the Elastic Beanstalk. When I go to the target subdomain, I encounter the "Congratulations!" page. How can I upload my takeover PoC exactly?
It is done on purpose, so you don't take it over.
I created a Python platform and uploaded a sample Flask application. Refer to this: https://medium.com/analytics-vidhya/deploying-a-flask-app-to-aws-elastic-beanstalk-f320033fda3c
For the PoC: https://www.youtube.com/watch?v=sybZlA6lUns
I got your point, and have the same issue. How did you solve that? Some DNS have xxx.xxx.us-west-2.elasticbeanstalk.com and the AWS console doesn't allow registering it as it is... mmmhhh, who knows? Could be Cloudflare related.
Have the same problem. The CNAME has the following format: xxxxx.dyk92b2ewd.us-east-1.elasticbeanstalk.com. The wizard doesn't allow me to create such a subdomain (xxxxx.dyk92b2ewd). How did anyone claim an Elastic Beanstalk environment with such a domain name at all?
@jub0bs
What do you mean by "create an app of any name under there."?
ElasticBeanstalk AWS service
Proof
Found it 3 times in a private program.
Documentation
Same steps here: https://www.youtube.com/watch?v=srKIqhj_ki8