Day 8/100 Hack and Improvement

1 minute read

Day 8 comes with more recon and a brief analisis about SSRF capabilities. Rajesh Ranjan goes deep with subdomains linked to IP ranges, and Sam (CoffeeJunkie) explains SSRF capabilites.

Finding Subdomains Using IP Ranges

From Rajesh Ranjan, we will learn that, how can we extract the subdomains using the IP ranges of a company. For this we will use:

  1. https://bgp.he.net/ to find the ASN of a company
  2. https://ipinfo.io/ to find the IP ranges from the ASN number
  3. Nmap to enumerate subdomains from the IP ranges

To start:

  • Finding ASN number with https://bgp.he.net
    https://bgp.he.net/dns/target.com#_ipinfo
    

Here, replace target.com with your own. In my case I used paypal.com. So I got the following results:

nmap scan

  • Now we have to extract the IP ranges, from the ASN number.
    https://ipinfo.io/AS17012
    

    Here, Replace the ASN number with your target ASN, and you’ll get the IP Ranges as follows

nmap scan

Now lets try to enumerate the subdomains from the first IP range we got, in my case it is 173.0.80.0/20. You can try all the IP ranges one by one.

  • Enumerate subdomains from the IP ranges using nmap. We can use the following command
    nmap 64.4.248.0/22 -sn | grep paypal.com | awk '{print $5}'
    

and we got the following results:

nmap scan

Server Side Request Forgery (SSRF)

From Sam (CoffeeJunkie), This kind of vulnerability allows an attacker to perform unintended network requests, in this case abusing other system to perform malicious actions. In order demonstrate impact with the vulnerability, you have to understand the ability of the vulnerable server to make requests. This determines what the attacker can do with SSRF. Depending on the services and internal ports that the vulnerable server might have open, it depens the kind of attack that the server can have. As an example, the attacker might be able to access to databases, or perform unintended requests in order to control the responses of the webserver.

Write Up and Explanation

ESEA SSRF AND QUERYING AWS METADATA

The attacker started doing recon with the following Google Dork in order to obtain extensions of the site with php in the end.

site:https://play.esea.net/ ext:php

The endpoint that the attacker found was the following.

https://play.esea.net/global/media_preview.php?url=

So, looking at the file name media_preview the attacker realized that he was able to load pictures into the system, therefore the attacker tried the following.

https://play.esea.net/global/media_preview.php?url=http://ziot.org/1.png

Once the attacker realized the capabilities of the attack, he started looking on how limited it is by injecting XSS payloads, and reading internal files. The attacker tried to link the website with a AWS instance which worked perfectly good in his case where he was able to pull data such as secret keys.

URL: http://169.254.169.254/latest/meta-data/hostname
Response: ec2-203-0-113-25.compute-1.amazonaws.com

Conclusion

There is a great chance to obtain great results by using internet tools and nmap scripting, SSRF has been covered in details in the past blogs, in this case there is the chance to see a capability scope.

Leave a comment