Ending 2023 on a good note, I came across another misconfiguration, this time caused by a URL parameter, that leads to exposure of AWS credentials and access to the target's S3 buckets and cloud infrastructure. Without further ado, let's walk through the approach to recon and to exploiting the potential threat.
Another week, another target. As I mentioned in my previous blogs, I use automation for my reconnaissance, a snippet of which I released in earlier blogs. While my automation does its job, I perform some manual recon via Google Dorking, Shodan, GitHub, etc. This time I focused more on Google Dorking to find more subdomains, URLs and endpoints.
I found an endpoint that generates a PDF, which immediately made me think of SSRF [Server-Side Request Forgery]. After some checks and validation I found it was vulnerable to SSRF. I knew the host was deployed on AWS, and I was able to find the AWS secret ID and secret key, which led to unauthorized access to their AWS infrastructure.
Recon Snippet from previous blog — Blog URL

As said, the automation was working in the background, so I was doing some Google dorking to gather subdomains. Let's call our target redacted.com. The Google dork I was using to gather subdomains was: site:*.redacted.com. This dork helps gather level 1 subdomains, but if you want to gather level X subdomains (I mean subdomains like www.admin.redacted.com, www.stag.admin.redacted.com, etc.), use the dork site:*.*.*.redacted.com, where the number of * depends on the level of subdomain you want to gather.

I found a subdomain int.redacted.com which has the following endpoint and parameter: /pdf.axd?url=redacted.com.

It's time to analyze the endpoint and parameter. When I visited that subdomain, I found a PDF generation error which showed that the developer is using the endpoint to generate the PDF, and that the currently generated PDF is just the errors that came up during development. So it's as if the developer created a PDF of the errors to test the PDF generation feature.

export AWS_SECRET_ACCESS_KEY="REDACTED"
export AWS_SESSION_TOKEN="REDACTED"

Let's understand the impact and remediations. The above sections already explained the criticality of the threat, but it's important to mention the impact and remediation to improve the quality of your reports.
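As an added illustration of the remediation side (this is example code written for this post, not code from the target or from the original article), the following Python shows how a PDF-generation endpoint that accepts a url parameter can validate that parameter before fetching it server-side. It assumes a hypothetical allow-list of domains (redacted.com stands in for the target), resolves the hostname and rejects any result that is private, loopback, link-local or otherwise non-routable, which covers the instance metadata address 169.254.169.254 that SSRF on AWS-hosted services is typically used to reach. The resolver is injectable so the sample below runs offline against a constructed lookup table.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hosts the PDF renderer may fetch from. Assumption: redacted.com stands in for
# the target domain in the blog; a real deployment would list its own domains.
ALLOWED_SUFFIXES = ("redacted.com",)


def default_resolver(hostname):
    """Resolve every address for a hostname (one name can map to several)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


# Constructed lookup table so the example runs offline; not real DNS data.
SAMPLE_DNS = {
    "int.redacted.com": ["93.184.216.34"],      # constructed public address
    "evil.redacted.com": ["169.254.169.254"],   # allow-listed name pointing at IMDS
}


def sample_resolver(hostname):
    """Offline stand-in for default_resolver, backed by SAMPLE_DNS."""
    try:
        return SAMPLE_DNS[hostname]
    except KeyError:
        raise OSError(f"no sample record for {hostname}")


def is_disallowed_ip(ip_str):
    """True for any address a server-side fetch must never reach."""
    ip = ipaddress.ip_address(ip_str)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_pdf_source_url(url, resolver=default_resolver):
    """Return (ok, reason); ok is True only when every check passes."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    # Literal IP addresses (v4 or v6) are rejected outright.
    try:
        ipaddress.ip_address(host)
        return False, "literal IP address not allowed"
    except ValueError:
        pass
    if not any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES):
        return False, "host not in allow-list"
    # Resolve and check every address: an allow-listed name can still point
    # at an internal, loopback or link-local address.
    try:
        addrs = resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if is_disallowed_ip(addr):
            return False, f"resolves to disallowed address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://int.redacted.com/report",
        "http://169.254.169.254/",
        "https://evil.redacted.com/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", validate_pdf_source_url(candidate, sample_resolver))
```

Two caveats for anyone applying this. The fetch that follows must connect to the addresses that were validated rather than resolving the name a second time, otherwise a DNS answer that changes between check and use (rebinding) defeats the check. And validation of the url parameter is only one layer: requiring IMDSv2 (session-token-based metadata access) on the instance and scoping the instance role to the minimum permissions the PDF service needs both shrink what a successful SSRF can reach.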
Happy New Year Everyone😃
Thanks for reading, hope you enjoyed and learned something from this blog.
If you have any questions, DM at https://twitter.com/0xfa1c0n.