Needle In A Haystack: Deep dive into subdomain enumeration using OSINT Tools

Arbaaz Jamadar

Needle-in-a-haystack.png

Challenge -> https://cloudsecuritychampionship.com/challenge/4

Overview:

Enumerate hidden domains using OSINT tools and exploit misconfigured services to gain access to the flag.

Defensive Gap: Lack of supply chain security and API security.

Mitigation: Enforce authentication and authorization on API endpoints and implement server-side verification of submitted data.

Key Techniques Demonstrated:

  1. Subdomain and endpoint enumeration
  2. Code review
  3. Exploiting trust in the supply chain

Given to us:

  1. Website endpoint for ackme-corp (ackme-corp.net)
  2. OSINT Tools:
    1. massdns
    2. subfinder
    3. ffuf
    4. curl
    5. httpx
    6. host
    7. nslookup
    8. dig
  3. Wordlist and resolver:
    1. /opt/wordlists/subdomain-wordlist.txt
    2. /opt/wordlists/api-objects.txt
    3. /opt/massdns/trusted-resolver.txt

Subdomain Enumeration:

Subfinder:

  1. Subfinder enumerates subdomains using passive techniques. It returned nothing here, which is expected: by default it is passive and only aggregates names from data sources (crt.sh, AlienVault, etc.). If the subdomains are new, private, or rarely seen, those sources may not have them yet.
subfinder -d ackme-corp.net

ffuf:

  1. Next I used ffuf to enumerate subdomains, this time with the given wordlist. Again I got no results.
ffuf -w /opt/wordlists/subdomain-wordlist.txt -u https://FUZZ.ackme-corp.net

Github:

  1. Since subdomain enumeration wasn’t working, I went through the challenge description once again. The phrase “a weekend side-project” caught my attention: when working on projects or side-projects, developers usually use a VCS platform to maintain their code base.

  2. I simply searched for ackme-corp.net on GitHub and got a hit: a user named alejandro-pigeon had committed CNAME text files to his repository. Checking all the previous commits of the user, I found some interesting domains.

alejandro-pigeon.png

  1. However, one of the domains (....paramount[.]tech) was out of scope and the other (testing.internal.ackme-corp.net) didn’t resolve to anything. To be sure that testing.internal.ackme-corp.net is active I used dig. The status of the query was NOERROR, which means the DNS query completed successfully (NXDOMAIN would mean the name does not exist). However, the query didn’t return any A, CNAME, or AAAA record. The name exists in the zone but is incomplete: there are likely further labels beneath it.

testing.internal.ackme-corp.net.png

  1. While going through the commits I noticed a pattern: the paramount(.)tech domain had 4 labels in front of it. This gave me the idea to brute-force 2 more labels in front of testing.internal.ackme-corp.net, since the 2 labels we already had (testing and internal) were known to exist.

  2. I used ffuf to brute-force these 2 labels, but this would take a long time.

make_subdomain:

The script is available here.
  1. This is a script to create a list of candidate subdomains. The initial approach was to create a list with 2 labels, but that would exceed the file size limit. So, run the script with --depth 1 and recurse on whatever answers.
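To make the depth trade-off concrete, here is an added Python example (not the author's make_subdomains.sh) that builds the candidate list the same way: every wordlist entry, or every ordered pair of entries at depth 2, prepended to a base domain. The function names and the short SAMPLE_WORDLIST are assumptions; the real wordlist is /opt/wordlists/subdomain-wordlist.txt. candidate_count shows why depth 2 blows past the file size limit: the list grows as n + n^2.

```python
"""Generate candidate FQDNs from a wordlist at a given depth.
Added example, not the writeup's own script; function names and
SAMPLE_WORDLIST are assumptions."""

import itertools
from typing import Iterable, List

# Constructed sample wordlist standing in for /opt/wordlists/subdomain-wordlist.txt.
SAMPLE_WORDLIST = ["dev", "pprod", "coding", "staging"]


def clean_words(words: Iterable[str]) -> List[str]:
    """Normalise wordlist entries: lowercase, strip whitespace and dots,
    drop blanks, duplicates and anything that is not a valid DNS label."""
    seen = set()
    out: List[str] = []
    for w in words:
        w = w.strip().strip(".").lower()
        if not w or w in seen:
            continue
        if len(w) > 63 or not all(c.isalnum() or c == "-" for c in w):
            continue
        seen.add(w)
        out.append(w)
    return out


def make_subdomains(words: Iterable[str], domain: str, depth: int = 1) -> List[str]:
    """Return candidates with 1..depth labels prepended to `domain`.
    depth=1 gives w.domain; depth=2 adds every w1.w2.domain as well."""
    labels = clean_words(words)
    domain = domain.strip(".").lower()
    candidates: List[str] = []
    for d in range(1, depth + 1):
        for combo in itertools.product(labels, repeat=d):
            candidates.append(".".join(combo) + "." + domain)
    return candidates


def candidate_count(n_words: int, depth: int) -> int:
    """Number of names make_subdomains emits for n distinct words:
    n + n^2 + ... + n^depth, which is why depth 1 plus recursion is used."""
    return sum(n_words ** d for d in range(1, depth + 1))


if __name__ == "__main__":
    for name in make_subdomains(SAMPLE_WORDLIST, "testing.internal.ackme-corp.net", depth=1):
        print(name)
    # a 10,000-word list at depth 2 is already ~100 million names
    print(candidate_count(10_000, 2))
```

Run it as-is to print the depth-1 list for the base domain from the writeup; feed the output to massdns exactly as the next section does.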

Massdns:

  1. Pass the newly created subdomain list to massdns and store the output in JSON format, because that makes it easy to query the data with jq.
./make_subdomains.sh -w /opt/wordlists/subdomain-wordlist.txt -d testing.internal.ackme-corp.net --depth 1 -o subs.txt

massdns -r /opt/massdns/trusted-resolvers.txt subs.txt -o J -w testing.json

massdns.png

  1. Querying the data resolved by massdns for records whose status is not NXDOMAIN gave me one label that returned status NOERROR, which means I had to dig one level deeper. The subdomain I got was pprod.testing.internal.ackme-corp.net.
#find records that has status != NXDOMAIN
jq 'select(.status != "NXDOMAIN")' testing.json
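The jq filter above only separates NXDOMAIN from everything else; the writeup then inspects each NOERROR result by hand to see whether it carries a host record. Here is an added Python example (not from the writeup) that does that triage in one pass over massdns's JSON-lines output, splitting results into names that do not exist, names that exist but have no A/AAAA/CNAME answer (the ones to recurse into), and resolvable hosts. The three sample lines are constructed and assume massdns's ndjson layout (name, status, data.answers); the 203.0.113.10 address is a documentation-range placeholder.

```python
"""Triage massdns -o J output into nxdomain / exists_no_host / host.
Added example, not from the writeup; SAMPLE_NDJSON is constructed and
the field layout (name, status, data.answers) is assumed to match massdns."""

import json
from typing import Dict, List

# Constructed sample of three massdns JSON lines (fabricated results).
SAMPLE_NDJSON = """\
{"name":"dev.testing.internal.ackme-corp.net.","type":"A","class":"IN","status":"NXDOMAIN","data":{}}
{"name":"pprod.testing.internal.ackme-corp.net.","type":"A","class":"IN","status":"NOERROR","data":{"answers":[]}}
{"name":"coding.pprod.testing.internal.ackme-corp.net.","type":"A","class":"IN","status":"NOERROR","data":{"answers":[{"ttl":300,"type":"A","class":"IN","name":"coding.pprod.testing.internal.ackme-corp.net.","data":"203.0.113.10"}]}}
"""

HOST_RECORD_TYPES = {"A", "AAAA", "CNAME"}


def classify_record(rec: Dict) -> str:
    """Return 'nxdomain', 'exists_no_host', 'host' or 'other' for one result."""
    status = rec.get("status")
    if status == "NXDOMAIN":
        return "nxdomain"
    if status != "NOERROR":
        return "other"  # SERVFAIL, REFUSED, ...: a resolver problem, retry elsewhere
    answers = (rec.get("data") or {}).get("answers") or []
    if any(a.get("type") in HOST_RECORD_TYPES for a in answers):
        return "host"
    return "exists_no_host"  # NOERROR with an empty answer: the name exists, dig deeper


def triage(ndjson_text: str) -> Dict[str, List[str]]:
    """Group names by outcome. 'exists_no_host' is the next round's list of
    base domains; 'host' is what to probe with httpx."""
    groups: Dict[str, List[str]] = {"nxdomain": [], "exists_no_host": [], "host": [], "other": []}
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial lines left by an interrupted run
        name = rec.get("name", "").rstrip(".")
        groups[classify_record(rec)].append(name)
    return groups


if __name__ == "__main__":
    for outcome, names in triage(SAMPLE_NDJSON).items():
        print(outcome, names)
```

With a real run, read testing.json instead of SAMPLE_NDJSON; the exists_no_host names are exactly the base domains to feed back into the list generator for the next iteration.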

pprod.testing.internal.ackme-corp.net.png

  1. Repeating steps 1 & 2 one level down, I was finally able to find an FQDN that returned an A record: coding.pprod.testing.internal.ackme-corp.net.

coding.pprod.testing.internal.ackme-corp.net.png

Vibe-coding:

ffuf:

  1. I enumerated directories on coding.pprod.testing.internal.ackme-corp.net using ffuf and /opt/wordlists/api-objects.txt, and found the following directories:

    1. chat
    2. login
    3. static
  2. However, you need valid credentials to log in, and the email must end with @ackme-corp.net. The form is not vulnerable to SQLi or command injection, and brute-forcing is not a valid option.

  3. When I was exploring the page source I found two interesting things:

    1. The URL of another website, https://www.vibecodeawebsitetoday.com. The challenge description does say that the developer was vibe coding, so maybe he used this service provider for his vibe-coding session.

    https://www.vibecodeawebsitetoday.com.png

    1. The email field is validated only on the client side, so the check can be bypassed by editing the request in an intercepting proxy.

    email.coding.pprod.testing.internal.ackme-corp.net.png

Unauthenticated API request:

  1. Fuzzed the directories and found /docs on https://www.vibecodeawebsitetoday.com.

swag.png

  1. There was an interesting endpoint, /api/apps/{app_id}/register. According to its description, you can register a user for an app if you know its app_id, and we had already found an app-id in the page source. So this API endpoint can be used to create a registered user for coding.pprod.testing.internal.ackme-corp.net.

register.png

  1. When I tried creating a user with an @ackme-corp.net address, the API told me to use the internal portal for authentication.

response.png

  1. I was able to create a user with any email domain other than ackme-corp.net.
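The gap here is that the only domain check lives in the browser and the provider's register endpoint is open to anyone holding a public app_id, which is the "Mitigation" line in the Overview in reverse. As an added illustration of that mitigation (not the challenge's or the provider's code), the Python below enforces the domain allowlist on the server at both registration and login, and makes registration require an app secret rather than the app_id that is visible in page source. ALLOWED_DOMAINS, APP_SECRETS, the function names and the stored users are all assumptions constructed for the example.

```python
"""Server-side enforcement of the checks the writeup bypassed.
Added example, not the challenge's code; ALLOWED_DOMAINS, APP_SECRETS,
USERS and the function names are assumptions."""

import hmac
import re
from typing import Dict, Optional

ALLOWED_DOMAINS = {"ackme-corp.net"}  # assumption: the only mail domain the portal accepts
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")

# Constructed: app_id -> secret held by the app owner, never embedded in page source.
APP_SECRETS = {"app-123": "constructed-secret-known-only-to-owner"}
# Constructed user store: normalised email -> app_id it was registered for.
USERS: Dict[str, str] = {}


def email_domain(email: str) -> Optional[str]:
    """Normalised domain part of an address, or None if it is malformed."""
    m = EMAIL_RE.match(email.strip().lower())
    return m.group(1) if m else None


def is_internal(email: str) -> bool:
    """Exact allowlist match on the domain, so 'ackme-corp.net.evil.example'
    and 'notackme-corp.net' are rejected, not just addresses without the suffix."""
    return email_domain(email) in ALLOWED_DOMAINS


def register(app_id: str, app_secret: str, email: str) -> bool:
    """Registration needs proof of app ownership (the secret, compared in
    constant time) AND a server-side domain check; the client check is repeated here."""
    expected = APP_SECRETS.get(app_id)
    if expected is None or not hmac.compare_digest(expected, app_secret):
        return False  # unknown app, or caller only knows the public app_id
    if not is_internal(email):
        return False  # the browser-side validation is not trusted
    USERS[email.strip().lower()] = app_id
    return True


def login(app_id: str, email: str) -> bool:
    """Login re-checks the domain instead of trusting that registration did,
    so a user created through another path (or a tampered request) is refused."""
    key = email.strip().lower()
    return is_internal(key) and USERS.get(key) == app_id


if __name__ == "__main__":
    print(register("app-123", "wrong-secret", "alice@ackme-corp.net"))   # False
    print(register("app-123", APP_SECRETS["app-123"], "mallory@example.com"))  # False
    print(register("app-123", APP_SECRETS["app-123"], "alice@ackme-corp.net"))  # True
    print(login("app-123", "alice@ackme-corp.net"))  # True
```

Password handling is left out on purpose; the point is that the domain and ownership decisions are made where the attacker cannot edit them.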

arbaaz.png

Flag:

  1. I was able to log in with the newly created user after editing the login request in the proxy to get past the client-side domain check.

proxy.png

chat.png

  1. Yay, I logged in successfully and was able to retrieve the flag.

flag.png
