Day 8/100 Hack and Improvement
Day 8 comes with more recon and a brief analysis of SSRF capabilities. Rajesh Ranjan goes deep on finding subdomains through a company's IP ranges, and Sam (CoffeeJunkie) explains what an SSRF can actually do.
Finding Subdomains Using IP Ranges
From Rajesh Ranjan we will learn how to extract the subdomains of a company from its IP ranges. For this we will use:
- https://bgp.he.net/ to find the ASN of a company
- https://ipinfo.io/ to find the IP ranges from the ASN number
- Nmap to enumerate subdomains from the IP ranges
To start:
- Finding ASN number with https://bgp.he.net
https://bgp.he.net/dns/target.com#_ipinfo
Here, replace target.com with your own target. In my case I used paypal.com, which gave me the ASN used in the next step.
- Now we have to extract the IP ranges from the ASN number.
https://ipinfo.io/AS17012
Here, replace the ASN number with your target's ASN, and you'll get its IP ranges.
Now let's try to enumerate hostnames from the first IP range we got, in my case 173.0.80.0/20. You can try all the IP ranges one by one.
- Enumerate hostnames from an IP range using nmap. The following command runs a host-discovery sweep (-sn) over one of the ranges; nmap does a reverse DNS lookup for every responding host, grep keeps the lines that mention paypal.com, and awk prints the hostname, which is the fifth field of nmap's "Nmap scan report for <host> (<ip>)" line:
nmap 64.4.248.0/22 -sn | grep paypal.com | awk '{print $5}'
What this actually returns is the set of PTR records for the range, so a host without reverse DNS will not show up. If you only want the names and do not want to send any packets to the targets, nmap -sL performs the same reverse lookups for every address in the range without probing them. In my case the command returned the following:
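The pipeline above, as an added example that is not code from the original post: a small shell function that parses nmap's normal output and keeps only names under the given apex domain. The sample nmap output and the hostnames in it are constructed for the example, and extract_hosts is an assumed name.

```shell
#!/bin/sh
# Added example (not from the original post): extract hostnames under one apex
# domain from nmap's normal output, more strictly than grep | awk '{print $5}'.
# Reads nmap output on stdin; prints unique matching hostnames, one per line.
extract_hosts() {
  domain="$1"
  # nmap prints "Nmap scan report for <name> (<ip>)" when reverse DNS resolves,
  # and "Nmap scan report for <ip>" when it does not; keep only the first form.
  sed -n 's/^Nmap scan report for \([^ ]*\) (\([0-9.]*\))$/\1 \2/p' |
    awk -v d="$domain" '
      # Accept the apex itself or any name ending in "." d, so that
      # "notpaypal.com" or "paypal.com.example" do not slip through.
      $1 == d || substr($1, length($1) - length(d)) == "." d { print $1 }
    ' |
    sort -u
}

# Constructed sample of nmap -sn output for 64.4.248.0/22 (hostnames invented
# for the example; real PTR records will differ).
SAMPLE='Starting Nmap 7.94 ( https://nmap.org )
Nmap scan report for www.paypal.com (64.4.250.36)
Host is up (0.012s latency).
Nmap scan report for 64.4.248.1
Host is up (0.011s latency).
Nmap scan report for notpaypal.com (64.4.248.2)
Host is up (0.013s latency).
Nmap scan report for mail.paypal.com (64.4.250.37)
Host is up (0.015s latency).
Nmap scan report for www.paypal.com (64.4.250.38)
Host is up (0.010s latency).
Nmap done: 1024 IP addresses (5 hosts up) scanned in 12.34 seconds'

# Offline demonstration on the sample above. Against a live range you would run:
#   nmap -sn 64.4.248.0/22 | extract_hosts paypal.com
# or, to resolve every address without sending packets to the targets:
#   nmap -sL 64.4.248.0/22 | extract_hosts paypal.com
printf '%s\n' "$SAMPLE" | extract_hosts paypal.com
```

The grep paypal.com filter in the original one-liner also matches names such as notpaypal.com or paypal.com.example; the awk test here only accepts the apex or names ending in .paypal.com, and sort -u collapses hosts that share a PTR name.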
Server Side Request Forgery (SSRF)
From Sam (CoffeeJunkie): this kind of vulnerability lets an attacker make the server perform network requests it was never meant to, abusing the vulnerable host to reach other systems on the attacker's behalf. To demonstrate impact you have to understand what requests the vulnerable server is able to make, because that determines what the attacker can do with the SSRF. The kind of attack depends on the services and internal ports the vulnerable server can reach: the attacker might be able to talk to internal databases or other back-end services, or make requests whose responses are reflected back through the web server.
Write Up and Explanation
ESEA SSRF AND QUERYING AWS METADATA
The attacker started with recon, using the following Google dork to find pages on the site whose URLs end in .php:
site:https://play.esea.net/ ext:php
The endpoint that the attacker found was the following.
https://play.esea.net/global/media_preview.php?url=
Looking at the file name media_preview, the attacker realized the endpoint loads images into the system from a URL, so he tried pointing it at an image he controlled:
https://play.esea.net/global/media_preview.php?url=http://ziot.org/1.png
Once that worked, he tested how far the fetch could be pushed by injecting XSS payloads and trying to read internal files. He then pointed the url parameter at the AWS instance metadata service, which worked: he was able to pull data such as secret keys from it.
URL: http://169.254.169.254/latest/meta-data/hostname
Response: ec2-203-0-113-25.compute-1.amazonaws.com
Conclusion
Combining public internet tools with nmap gives good recon results with very little effort. SSRF has been covered in detail in past posts; what this write-up adds is a concrete view of how far a single SSRF can reach, from a simple image fetch all the way to the cloud metadata service.