AWS/S3 Subdomain Takeover
Write up about how I successfully took over the subdomain of an AWS/S3 bucket.
A Subdomain takeover is a cybersecurity vulnerability where attackers exploit abandoned or misconfigured subdomains, gaining unauthorized control. This can lead to malicious activities such as phishing, malware distribution, and defacement.
These are the steps I took to successfully take over this subdomain and link it to my own AWS bucket
- Enumerate subdomains using a recon tool in our case we will use Subfinder.
- Check subdomains for “signatures” In the case of AWS the signature would be “the specified bucket does not exist”, the tool used for this is Subzy.
- Confirm the takeover with the help of can-i-take-over-XYZ
- Profit !!
Enumerate subdomain
The first thing to do was reconnaissance and find all the target assets I could. During this process subdomain enumeration is employed, subdomain enumeration uses a mixture of techniques to find the target sub-domains: it includes searching external data sources such as search engines, public databases, and other third-party services as well as scanning DNS records NS, MX, TXT, AXFR).
Many tools exist for this purpose and I highly suggest you setup in the tools your external data source API keys to get the maximum amount of results.
We will use the tool Subfinder but other worthy tools exist such as Sublist3r, Amass, or Knockpy.
Using Subfinder after you install, Let’s run:
docker run projectdiscovery/subfinder:latest -d mobil.com -o out.txt
We will find the output in out.txt ready for the next step.
Results from Subfinder subdomain enumeration
Scan for Signatures
Many existed to check the subdomains for potential takeovers from using tools to record screenshots, to using tools to try and match text/regex right down to manually checking the domain.
We will automate the process of searching for matching text signatures using a tool called Subzy.
Assuming you have installed Subzy, let’s run:
subzy run — targets out.txt
Wait for it to complete and let’s see what we can find:
Looks like we got lucky and we can see a domain is vulnerable and we even got given a nice link to the `can-i-take-over-xyz` repository.
Confirming and Preforming Takeover
Now we know this domain is vulnerable let’s go over to can-i-take-over-xyz and have a look.
- Go to the S3 panel
- Click Create Bucket
- Set Bucket name to source domain name (i.e., the domain you want to take over)
- Click Next multiple times to finish
- Open the created bucket
- Click Upload
- Select the file which will be used for PoC (HTML or TXT file). I recommend naming it differently than index.html; you can use poc (without extension)
- In the Permissions tab select Grant public read access to this object(s)
- After upload, select the file and click More -> Change metadata
- Click Add metadata, select Content-Type and the value should reflect the type of document. If HTML, choose text/html, etc.
- (Optional) If the bucket was configured as a website
- Switch to the Properties tab
- Click Static Website hosting
- Select Use this bucket to host a website
- As an index, choose the file that you uploaded
- Click Save
Success !!
We have taken over this domain/subdomain and uploaded our POC !!
A interesting bonus is look at the traffic as a bad actor we could have potentially gotten….
Hack the Planet! Stay vigilant, stay informed, and return for continuous enlightenment
Gratitude for your engagement and Remember, knowledge is the ultimate power — keep expanding!
