1
00:00:02,250 --> 00:00:04,830
Hello, everyone, welcome to this video.

2
00:00:05,460 --> 00:00:13,740
In this video, we are going to see one more AWS subdomain takeover just to make sure that we have

3
00:00:13,740 --> 00:00:15,440
understood how to do this.

4
00:00:15,780 --> 00:00:22,800
We are going to see one more target and we are going to repeat the steps very quickly of how to do this.

5
00:00:23,400 --> 00:00:25,580
So the process remains exactly the same.

6
00:00:25,770 --> 00:00:33,810
But for those who want to see once again how to do the steps, they can watch this; others can skip it because

7
00:00:34,080 --> 00:00:35,790
the process is somewhat the same.

8
00:00:37,020 --> 00:00:37,520
All right.

9
00:00:37,680 --> 00:00:46,660
So now, once you have logged in over here, this is what the AWS Management Console looks like. Over here

10
00:00:46,680 --> 00:00:48,350
you have to search for S3.

11
00:00:48,870 --> 00:00:50,880
I have already visited S3.

12
00:00:50,880 --> 00:00:55,680
So it is going to show it to me under recently visited services.

13
00:00:56,310 --> 00:01:02,580
If you are logged in for the first time, you just need to search for S3 over here and you

14
00:01:02,580 --> 00:01:06,900
will be able to get it, as you can see: Storage, S3, as shown over here.

15
00:01:08,010 --> 00:01:10,800
So you can alternatively click over here as well.

16
00:01:11,430 --> 00:01:11,870
All right.

17
00:01:12,210 --> 00:01:20,220
So I have identified a subdomain which you can see over here, which is add-ons dot keppt dot com, and

18
00:01:20,220 --> 00:01:25,740
you can see the error message, which we call our fingerprint, which is "No such bucket.

19
00:01:26,070 --> 00:01:28,410
The specified bucket does not exist."
20
00:01:29,100 --> 00:01:36,420
Now, you can notice over here that the message is exactly the same, but it is looking different because

21
00:01:36,420 --> 00:01:44,680
in the previous video the message was in XML format and here it is not. This is the only difference.

22
00:01:44,820 --> 00:01:49,100
That is why I said you need to focus on the fingerprint.

23
00:01:49,350 --> 00:01:52,410
So the fingerprint is exactly the same, which is "No such bucket.

24
00:01:52,440 --> 00:01:54,960
The specified bucket does not exist."

25
00:01:55,410 --> 00:02:02,220
And through this we can confirm that this particular subdomain is pointing

26
00:02:02,220 --> 00:02:03,200
to AWS.

27
00:02:03,720 --> 00:02:04,130
All right.

28
00:02:04,380 --> 00:02:06,780
So I'm going to create a bucket.

29
00:02:07,080 --> 00:02:14,940
Remember, whenever you're going to create a bucket, the AWS bucket creation process does not like special

30
00:02:14,940 --> 00:02:19,430
characters like "http://".

31
00:02:19,440 --> 00:02:23,670
So you have to remove that, and then you have to give your bucket name.

32
00:02:24,710 --> 00:02:27,260
Choosing the region is very, very important.

33
00:02:27,590 --> 00:02:33,290
So, again, how to choose a region: you just need to open up your terminal.

34
00:02:33,470 --> 00:02:39,760
You need to type the command "dig CNAME", because we want to see the CNAME of that particular subdomain.

35
00:02:40,100 --> 00:02:49,910
And you can see from here we have identified that the CNAME of this subdomain is s3-website-us-east-1

36
00:02:49,910 --> 00:02:54,410
dot amazonaws dot com.

37
00:02:54,800 --> 00:02:58,240
So the region is basically us-east-1.

38
00:02:58,910 --> 00:02:59,420
All right.

39
00:02:59,450 --> 00:03:04,700
So once we have identified the correct region, we have to choose the bucket.

40
00:03:05,090 --> 00:03:07,820
So let me go to US East.
41
00:03:07,820 --> 00:03:13,470
As you can see, there is US East (N. Virginia) and US East (Ohio).

42
00:03:13,880 --> 00:03:20,960
So from both of them, we can choose one of the regions, but we do not know which is the right region.

43
00:03:22,700 --> 00:03:23,150
So.

44
00:03:25,380 --> 00:03:35,280
We will take help from the AWS documentation, so let's go to the AWS documentation. So I'm going to go to

45
00:03:35,280 --> 00:03:43,050
the AWS documentation, and from here I am going to see which region points to which code.

46
00:03:43,530 --> 00:03:47,510
As we have seen, the code for us was us-east-1.

47
00:03:49,880 --> 00:03:59,390
Now, over here, let's search for us-east-1, and you can see that the us-east-1 code is for

48
00:03:59,390 --> 00:04:00:140
N. Virginia.

49
00:04:00,530 --> 00:04:01,010
All right.

50
00:04:01,310 --> 00:04:05,670
So we have identified the correct region name according to the code.

51
00:04:06,050 --> 00:04:09,560
So let me choose that and hit next.

52
00:04:09,740 --> 00:04:17,200
Once I hit next, I will go to the next option. I have turned versioning on; it is optional.

53
00:04:17,210 --> 00:04:20,670
If you do not want to turn it on, then you can leave it blank.

54
00:04:20,690 --> 00:04:28,070
That is only for keeping all the versioning logs of whatever activities are happening in your bucket.

55
00:04:28,730 --> 00:04:35,960
Now you have to uncheck this "Block all public access", which makes our bucket publicly accessible and

56
00:04:35,960 --> 00:04:38,600
available for everyone to view.

57
00:04:39,200 --> 00:04:43,640
Now, once you have done that, you need to go to add-ons dot keppt dot com.

58
00:04:43,670 --> 00:04:44,920
That is your bucket name.

59
00:04:45,380 --> 00:04:47,470
Then you have to upload a file.

60
00:04:47,480 --> 00:04:50,660
So I'm going to upload a file quickly over here and hit
61
00:04:51,860 --> 00:04:57,380
Upload. So once you do this, the file will get uploaded; as you can see, it is in progress right

62
00:04:57,380 --> 00:04:57,660
now.

63
00:04:57,950 --> 00:05:01,940
Once that is done, you will be able to see your message, which is "Success".

64
00:05:02,690 --> 00:05:07,130
Let's wait for this to get uploaded, and you can see it is successfully uploaded.

65
00:05:07,910 --> 00:05:14,570
Now, I need to make this file public, so I will click on it and click on "Make public".

66
00:05:15,170 --> 00:05:17,090
Now I will go into

67
00:05:18,210 --> 00:05:26,640
Overview and go back to the bucket. The main thing to do over here is to set up static website hosting.

68
00:05:27,010 --> 00:05:33,750
So let me just click on static website hosting and let me do the next steps again.

69
00:05:33,760 --> 00:05:41,520
Remember, this server access logging option is purely optional, and I would not recommend doing this

70
00:05:41,520 --> 00:05:46,380
because it is going to create a lot of logs in your bucket.

71
00:05:48,440 --> 00:05:54,560
I just wanted to see what logs are being created in my bucket, so I chose that particular

72
00:05:54,560 --> 00:05:57,210
option. That is optional; you can skip it as well.

73
00:05:57,710 --> 00:06:03,650
Now, after going to static website hosting, I'm going to choose "Redirect requests" and I'm going

74
00:06:03,650 --> 00:06:06,790
to give the subdomain name, as you can see over here.

75
00:06:07,730 --> 00:06:14,940
Now, after I have given the subdomain name, you need to choose the protocol, that is HTTP, and hit

76
00:06:14,960 --> 00:06:15,330
OK.

77
00:06:16,740 --> 00:06:19,410
Now, these are the only steps that you need to do.

78
00:06:20,660 --> 00:06:27,110
Now, also, we have given public access to this. Let me click on this particular

79
00:06:27,110 --> 00:06:31,910
link, and you can see we are able to see the bucket.
80
00:06:31,910 --> 00:06:39,260
Now you can see over here we are able to see an error, which is "too many redirects", maybe because it is redirecting

81
00:06:40,190 --> 00:06:42,270
internally to our bucket.

82
00:06:42,650 --> 00:06:50,510
So if you see a case like this, then you just have to wait for some time and again try to open that

83
00:06:50,510 --> 00:06:53,700
particular subdomain, which would fix the issue for you.

84
00:06:54,530 --> 00:07:02,630
So I tried this after some time and I was able to successfully see that the subdomain was pointing correctly

85
00:07:02,870 --> 00:07:06,610
and I was able to see the content that I hosted over there.

86
00:07:08,090 --> 00:07:13,050
So I hope you guys understood how to do subdomain takeovers for AWS.

87
00:07:13,420 --> 00:07:13,970
Thank you.