Skip to content

Instantly share code, notes, and snippets.

@TheBinitGhimire

TheBinitGhimire/README.md

Last active October 27, 2024 19:26
Show Gist options
  • Save TheBinitGhimire/ec24a9de97a372cf6b7b9453511c3f8b to your computer and use it in GitHub Desktop.
Save TheBinitGhimire/ec24a9de97a372cf6b7b9453511c3f8b to your computer and use it in GitHub Desktop.
Download ZIP
Dangling DNS Records leading to Sub-domain Takeover on api.techprep.fb.com!
Raw
README.md

Dangling DNS Records on api.techprep.fb.com - $500!

Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk

I have included my script in another file (main.sh), which I used in discovering this vulnerability.

I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.

I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.

Raw
main.sh
## Subdomain Enumeration
echo "Checking with Assetfinder!";
assetfinder -subs-only fb.com >> ~/results/fb.com/subs/assetfinder.txt;
echo "Checking with Subfinder!";
subfinder -d fb.com -recursive -silent -all -t 500 -o ~/results/fb.com/subs/subfinder.txt;
echo "Checking with Sublist3r!";
sublist3r -d fb.com -n -t 500 -o ~/results/fb.com/subs/sublist3r.txt;
echo "Checking with Amass!";
amass enum -passive -norecursive -noalts -d fb.com -o ~/results/fb.com/subs/amass.txt;
## Subdomain Concatenation
cat ~/results/fb.com/subs/*.txt > ~/results/fb.com/subs.txt;
## Subdomain Enumeration Cleanup
rm -rf ~/results/fb.com/subs;
## Subdomain Enumeration Results
sort -u ~/results/fb.com/subs.txt -o ~/results/fb.com/subs.txt
## Elastic Beanstalk Checker
while IFS= read -r domain; do
if dig +short $domain | grep elasticbeanstalk; then echo $domain | tee -a ~/results/fb.com/elasticbeanstalk.txt; fi;
done < ~/results/fb.com/subs.txt
@pdelteil
Copy link

Hello,

I think is no longer possible to perform this take over? I can't create a custom env. URL.

Can you confirm?

@TheBinitGhimire
Copy link
Author

Hello @pdelteil,

I think you tried to create an application at Elastic Beanstalk, so you weren't able to define a custom URL. Can you once try creating an environment?

I just tried, and I'm still able to define custom URLs without any random strings added to the URL.

Creating an environment!

Here is an image showing what I did to verify just now!

If you have any further queries, please let me know!

Thanks,
Binit

@pdelteil
Copy link

Thank you for your quick answer. There's something odd, that dialog appeared when I created the second environment and not while creating the first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment