Dont visit https://is.gd/rub3nk

rukh rukh-debug

Name: Microsoft Server Speech Text to Speech Voice (af-ZA, AdriNeural)
ShortName: af-ZA-AdriNeural
Gender: Female
Locale: af-ZA
VoiceTag: {'ContentCategories': ['General'], 'VoicePersonalities': ['Friendly', 'Positive']}
Name: Microsoft Server Speech Text to Speech Voice (af-ZA, WillemNeural)
ShortName: af-ZA-WillemNeural
Gender: Male
Locale: af-ZA
@sickcodes
sickcodes / tweaked_build.prop
Created August 2, 2021 01:56
Unsecure, Permissive, Tweaked Prop File, HTC/Samsung/*, Capable Of Being Both As default.prop And/Or build.prop (just remove duplicates from the original file, favouring this version)
#unsecure - SELinux enabled.
ro.build.selinux=1
#unsecure - SELinux set permissive (not enforcing), disable re-applying policy and context. You must also edit the boot.img with those props and add 'setenforce 0' according to https://gist.github.com/eladkarako/5694eada31277fdc75cee4043461372e#gistcomment-3475304 -- then repack the boot.img and flash it (init.rc will launch at boot).
ro.boot.selinux=permissive
androidboot.selinux=permissive
persist.android.strictmode=0
persist.selinux.enforcing=0
ro.build.selinux.enforce=0
security.perf_harden=0
@TheBinitGhimire
TheBinitGhimire / README.md
Last active April 15, 2025 06:49
[Facebook Bug Bounty] Dangling DNS Records on surf-test.xwf.internet.org! - $500

Dangling DNS Records on surf-test.xwf.internet.org! - $500

Read the proper write-up here: https://publish.whoisbinit.me/amazon-ec2-dangling-dns-records-on-surf-test-xwf-internet-org!

Vulnerability Discovery

In this GitHub Gist, I have included my script (main.sh), which I used in discovering this vulnerability.

The script performs sub-domain enumeration over the Internet.org domain using assetfinder, subfinder, sublist3r and amass, and then checks for sub-domains which are further pointing to Amazon EC2 hostnames, and stores all of the results in multiple text files.

I didn't perform any form of manual work in discovering this vulnerability, and my workflow was fully automated with the help of Bash scripting using different tools.

@fransr
fransr / logger.js
Last active August 6, 2022 06:36
logger.js for hunting script gadgets. More info about script gadgets: https://github.com/google/security-research-pocs/tree/master/script-gadgets (Sebastian Lekies / Eduardo Vela Nava / Krzysztof Kotowicz)
var logger = console.trace;
// ELEMENT
;(getElementByIdCopy => {
    Element.prototype.getElementById = function(q) {
        logger('getElementById', q, this, this.innerHTML);
        return Reflect.apply(getElementByIdCopy, this, [q])
    }
})(Element.prototype.getElementById)
@ffcommax
ffcommax / SSRF
Last active February 22, 2021 16:49
SSRF
http://localhost
http://0
http://127.0.0.1
https://localhost
http://localhost:8080
http://192.168.0.1
file:///
file:///etc/passwd
file:///c/
chrome://about
@CITGuru
CITGuru / axiosInterceptor.js
Created May 7, 2020 13:55 — forked from nzvtrk/axiosInterceptor.js
Axios create/recreate cookie session in node.js environment
/* Basic example of saving a cookie using axios in node.js and recreating the session if it expired.
 * Gets/saves the cookie manually because the WithCredential axios param uses XHR and does not work in node.js.
 * Supports parallel requests and sends only one create-session request.
 * */
const BASE_URL = "https://google.com";
// Init instance of axios which works with BASE_URL
const axiosInstance = axios.create({ baseURL: BASE_URL });
@LnLcFlx
LnLcFlx / archlogo.txt
Last active April 28, 2025 13:06
Arch Linux logo using unicode block characters
\033[38;2;23;147;209m         ▄
        ▟█▙
       ▟███▙
      ▟█████▙
     ▟███████▙
    ▂▔▀▜██████▙
   ▟██▅▂▝▜█████▙
  ▟█████████████▙
 ▟███████████████▙
▟█████████████████▙
@emctague
emctague / bd-gruvbox.css
Last active April 16, 2025 06:26
Gruvbox Hard Dark - BetterDiscord Theme
//META{"name":"Gruvbox Hard Dark","description":"Themes your Discord using Gruvbox colors.","author":"Ethan McTague","version":"1.0"}*//
/* BetterDiscord Gruvbox Theme - By Ethan McTague
Compatible with the latest version of Discord (as of Jan 23, 2020.)
Copyright 2020 Ethan McTague <[email protected]>
Licensed under the BSD 3-clause license.
@priyanshus
priyanshus / port-scan.sh
Last active September 7, 2024 08:39
NMAP scan for a list of subdomains
#!/bin/bash
#Performs port scan using nmap
print_usage() {
cat << _EOF_
Utility to scan open ports. Can be used to scan ports for a domain or a list of domains specified in a file.
Example Usage:
-h, --help Show brief help
-d, --domain Domain name or ip to scan
-f, --file Specify a file containing domains/IPs to scan
@nzvtrk
nzvtrk / axiosInterceptor.js
Last active April 14, 2025 13:50
Axios create/recreate cookie session in node.js environment
/* Basic example of saving a cookie using axios in node.js and recreating the session after expiration.
 * We have to get/save the cookie manually because the WithCredential axios param uses XHR and doesn't work in node.js.
 * Also, this example supports parallel requests and sends only one create-session request.
 * */
const BASE_URL = "https://google.com";
// Init instance of axios which works with BASE_URL
const axiosInstance = axios.create({ baseURL: BASE_URL });