Subdomain Takeover via elasticbeanstalk AWS service #147
Comments
Here is another account of a subdomain takeover based on AWS Elastic Beanstalk: https://twitter.com/payloadartist/status/1362035009863880711

A useful resource for creating a PoC: https://godiego.tech/posts/STO-AWS/
@jub0bs There are 10 digits and letters at the end of the subdomain. Can I take this? Example: example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com
@Phoenix1112 I believe so: according to the AWS CLI, the environment name is available:

$ aws elasticbeanstalk check-dns-availability --region eu-west-1 --cname-prefix uzk2i9mkth
{
    "Available": true,
    "FullyQualifiedCNAME": "uzk2i9mkth.eu-west-1.elasticbeanstalk.com"
}

You should be able to create an environment of that name and then create an app of any name under there. See https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/environments-create-wizard.html

Good luck! Hit me up on Twitter if needed. My DMs are open.
@jub0bs Thank you for writing the answer, but you probably got me wrong. I would like to make a statement based on the example I gave you.

Example target: example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com

I can only try to get the beginning of the CNAME name in the address above >> example-test-eu-west-1

But the Elastic Beanstalk service adds 10 complex letters and digits after this CNAME name, just like the ELB service. Looking at the address above, this is the 10-character string of digits and letters automatically assigned by AWS >> uzk2i9mkth

If I need to create an Elastic Beanstalk environment with this name so that I can do a subdomain takeover: example-test-eu-west-1.uzk2i9mkth, it does not allow using a dot (.) while creating the Elastic Beanstalk environment. It just allows this much >> example-test-eu-west-1

If you want to test the real CNAME address on this subject, I can tell you the CNAME name. A DNS record of the target site returns NXDOMAIN. Although there is a potential takeover, I have the problem I explained above.
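The two hostname shapes discussed above (a bare CNAME prefix in front of the region, and a label in front of an AWS-assigned 10-character id) are what a defender's DNS inventory check needs to recognise. The following is an added example, not code from this thread: it parses Elastic Beanstalk CNAME targets with a regex built from the hostnames quoted here (an assumption, not an official format), and flags zone records whose target no longer resolves (NXDOMAIN), i.e. dangling records that should be deleted or re-pointed. The resolver and the record list are constructed stand-ins.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Assumed shapes, taken from the hostnames quoted in this thread:
#   <cname-prefix>.<region>.elasticbeanstalk.com
#   <app-label>.<10-char-id>.<region>.elasticbeanstalk.com
# "prefix" is the label right before the region, which is the value that
# `aws elasticbeanstalk check-dns-availability --cname-prefix` queries.
EB_TARGET = re.compile(
    r"^(?:(?P<label>[a-z0-9-]+)\.)?(?P<prefix>[a-z0-9-]+)"
    r"\.(?P<region>[a-z]{2}-[a-z]+-\d)\.elasticbeanstalk\.com\.?$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    name: str      # record in our own zone
    target: str    # CNAME target
    region: str
    prefix: str
    status: str    # "dangling", "ok" or "not-eb"


def classify(name: str, target: str, resolves: Callable[[str], bool]) -> Finding:
    """Classify one CNAME record; `resolves` returns False on NXDOMAIN."""
    m = EB_TARGET.match(target)
    if not m:
        return Finding(name, target, "", "", "not-eb")
    status = "ok" if resolves(target) else "dangling"
    return Finding(name, target, m["region"], m["prefix"], status)


def audit(records: List[Tuple[str, str]], resolves: Callable[[str], bool]) -> List[Finding]:
    return [classify(n, t, resolves) for n, t in records]


def dangling(records: List[Tuple[str, str]], resolves: Callable[[str], bool]) -> List[str]:
    """Zone names that still point at an Elastic Beanstalk host that is gone."""
    return [f.name for f in audit(records, resolves) if f.status == "dangling"]


# Constructed sample zone and a fake resolver; swap in a real DNS lookup to use it.
SAMPLE_RECORDS = [
    ("shop.example.com", "example-test-eu-west-1.uzk2i9mkth.eu-west-1.elasticbeanstalk.com"),
    ("www.example.com", "d111111abcdef8.cloudfront.net"),
    ("app.example.com", "myapp-env.us-west-2.elasticbeanstalk.com"),
]
LIVE_HOSTS = {"myapp-env.us-west-2.elasticbeanstalk.com"}


def fake_resolve(host: str) -> bool:
    return host.rstrip(".").lower() in LIVE_HOSTS
```

Run `audit(SAMPLE_RECORDS, fake_resolve)` to see one dangling record, one non-Beanstalk target and one healthy environment; in production, replace `fake_resolve` with a real lookup and treat every "dangling" result as a record to remove.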
@jub0bs I got a takeover of an AWS Elastic Beanstalk address. I tried to upload a PoC file to it but couldn't. After taking over the Elastic Beanstalk address, an S3 bucket with a similar name is created. I uploaded it into this bucket, but when I go to the URL address, I encounter a 404 page. Is it correct to upload the file from here, or do we need to upload it from somewhere else? I installed a PHP application while creating the Elastic Beanstalk environment. When I go to the target subdomain, I encounter the "Congratulations!" page. How exactly can I upload my takeover PoC?
It is done on purpose, so you don't take it over.
I created a Python platform and uploaded a sample Flask application for the PoC. Refer to this: https://medium.com/analytics-vidhya/deploying-a-flask-app-to-aws-elastic-beanstalk-f320033fda3c
I got your point, and have the same issue. How did you solve that? Some DNS entries have xxx.xxx.us-west-2.elasticbeanstalk.com, and the AWS console doesn't allow registering it as is... hmm, who knows? Could be Cloudflare related.
Have the same problem.

What do you mean by "create an app of any name under there."?
ElasticBeanstalk AWS service
Proof
Found it 3 times in a private program.
Documentation
Same steps here: https://www.youtube.com/watch?v=srKIqhj_ki8