Posts

Hunting on memcached servers: Dumping data

What is a Memcached server? Memcached servers are used to store and retrieve data in the form of key-value pairs. When a client requests data from the server, it checks for the data stored in the cache. If the data is available, it is loaded into memory. If the data is not present, the server fetches it from the backend storage and stores it in its cache for future requests. So it is used to speed up the web application by reducing the database load.

LET'S DISCUSS! Today we will be discussing my recent bounty, which I got for key dumping from an open Memcached server. I got an IP from a Censys search, which is the target's IP. So as initial recon I used nmap for scanning the IP.

nmap IPADDRESS -Pn

From the initial scan I was able to find port 11211, which is Memcached!! So I started pentesting the server to retrieve data, in case it had no authentication. For confirmation I tried to connect to the Memcached server via Telnet.

telnet IPADDRESS 11211

Wow! I was able to connect to the server without a

Playing With S3 Part 2

S3 Bucket Enumeration Via Response

Hi Hackers, in this article I will be talking about one of my recent finds on a program, triaged as critical. The target "redacted.com" had a large scope and was using Amazon Web Services. You can find the previous article on S3 bucket enumeration here.

After enumerating subdomains using subfinder, I randomly visited all subdomains while my Burp Suite was running in the background. After some time I visited Burp Suite's HTTP history tab, where I can see a list of all of the requests that I have made and the responses received.

Here I went to the Burp tab > search and searched for the keyword "amazonaws.com". Here you can see that one of the S3 buckets used by redacted.com was leaking in a response. I just copied this URL and pasted it into the browser.

Eg: http://bucket.s3.amazonaws.com/attachment.jpg

The S3 bucket was open to the public and was leaking user attachments, bills, identity cards, etc. Now I needed to check for other privileges like uploadi

Playing With s3 Leaks

Hi Everyone, my name is Aswin Thambi Panikulangara (R0074G3N7). In this writeup, I will be sharing my technique for enumerating S3 buckets, finding misconfigurations, and a recent bug I found in a public program (P1).

Tools: Subfinder, Ffuf, waybackurls

*.redacted.com is in scope. As usual, I started with subdomain enumeration; for subdomain enumeration I usually use subfinder.

subfinder -d redacted.com > subdomains.txt

Now I used ffuf for fuzzing and enumerating S3 buckets.

ffuf -u http://FUZZ.s3.amazonaws.com -w subdomains.txt

After fuzzing I got 5 buckets. Four of them were denied access and one was open. The bucket was like: sub.redacted.com.s3.amazonaws.com

So I needed to confirm this bucket belongs to redacted.com. I used waybackurls this time.

cat subdomains.txt | waybackurls | grep s3.amazonaws

After seeing this I just tried to list the bucket.

aws s3 ls s3://sub.redacted.com

The bucket listed successfully!!! It was leaking tons of private pictures of users, where anyone can acces