1
00:00:00,790 --> 00:00:03,550
Hello, everyone, and welcome to this video.

2
00:00:04,420 --> 00:00:10,240
So in this video, we are going to see a live exploitation of one of the broken link hijackings.

3
00:00:11,200 --> 00:00:19,780
So I am on github.com and I have searched for a query, which is s3.amazonaws.

4
00:00:19,780 --> 00:00:20,130
com.

5
00:00:20,620 --> 00:00:28,430
So this is a specific query which gives 232 repository results, as you can see over here.

6
00:00:29,070 --> 00:00:36,470
Now, these are all the repositories which contain the keyword, which is s3.amazonaws,

7
00:00:36,500 --> 00:00:38,750
as you can see here already.

8
00:00:38,980 --> 00:00:44,830
So we are going to see one of the broken link hijackings in which we are able to serve our malicious

9
00:00:44,980 --> 00:00:50,050
content to all the users who access the specific repository.

10
00:00:51,130 --> 00:00:57,010
So, for instance, what I'm going to do over here is, after searching this query, I'm going to take

11
00:00:57,010 --> 00:01:06,520
this first repository, which is Emmis-catalog.s3.amazonaws.com/index.

12
00:01:06,520 --> 00:01:07,210
html.

13
00:01:07,960 --> 00:01:08,470
All right.

14
00:01:08,480 --> 00:01:11,370
So let's copy and paste this over here.

15
00:01:11,650 --> 00:01:17,260
And when I paste this, you can see an error message which says NoSuchBucket.

16
00:01:17,800 --> 00:01:19,330
Now, if you try to recall,

17
00:01:20,320 --> 00:01:28,660
then we have seen a similar type of example in the Facebook broken link hijacking demonstration

18
00:01:28,660 --> 00:01:29,060
video.

19
00:01:29,470 --> 00:01:37,750
So here we have a similar scenario in which it is pointing to one of the AWS buckets, but it is not

20
00:01:38,020 --> 00:01:38,710
created.

21
00:01:39,100 --> 00:01:39,490
All right.

22
00:01:39,490 --> 00:01:43,920
So we are going to create a bucket over there, being an attacker.
23
00:01:45,690 --> 00:01:53,130
So now let's quickly jump over here and try to open the repository, so let's see what the repository

24
00:01:53,130 --> 00:01:53,650
looks like.

25
00:01:53,670 --> 00:02:00,750
So there are a lot of files which have been successfully created, and so much other stuff, and all of

26
00:02:00,750 --> 00:02:04,160
these files are pointing to Emmis-

27
00:02:04,170 --> 00:02:07,080
catalog.amazonaws.com.

28
00:02:07,860 --> 00:02:13,510
Now, we know over here that Emmis-catalog is the bucket name.

29
00:02:13,530 --> 00:02:20,200
So let's quickly create a bucket with the same name, which is Emmis-catalog.

30
00:02:20,230 --> 00:02:25,800
So yeah, let us see if it is allowing us to create a bucket with that name in the region.

31
00:02:25,800 --> 00:02:27,790
You can choose any region that you want.

32
00:02:28,050 --> 00:02:29,760
So I'm just leaving it at the default.

33
00:02:30,160 --> 00:02:33,780
Remember, AWS buckets are independent of region.

34
00:02:34,380 --> 00:02:38,430
You can choose any region and the buckets will be successfully created.

35
00:02:38,850 --> 00:02:39,290
All right.

36
00:02:39,300 --> 00:02:49,710
So let's turn off Block all public access, because I want everyone to be able to access the bucket for the

37
00:02:49,710 --> 00:02:50,490
proof of concept.

38
00:02:50,720 --> 00:02:52,890
Then later on, I'm going to delete the bucket.

39
00:02:53,730 --> 00:02:54,200
All right.

40
00:02:54,210 --> 00:03:00,540
So here you can see we have successfully created a bucket, and now it's time to upload something into

41
00:03:00,540 --> 00:03:03,190
the bucket to show a proof of concept.

42
00:03:03,900 --> 00:03:04,310
All right.

43
00:03:04,320 --> 00:03:07,980
So let's quickly upload a file into the bucket.

44
00:03:08,580 --> 00:03:16,350
And, yeah, I can notice a lot of the UI has been changed on the AWS console since I visited this

45
00:03:16,650 --> 00:03:17,170
last.
46
00:03:17,340 --> 00:03:21,540
So it looks pretty clean and nice this time.

47
00:03:22,260 --> 00:03:22,680
All right.

48
00:03:22,690 --> 00:03:29,550
So you can see we have uploaded a file, which is the PoC file; it has been uploaded successfully.

49
00:03:29,830 --> 00:03:30,450
So.

50
00:03:31,180 --> 00:03:31,740
All right.

51
00:03:31,750 --> 00:03:38,010
So I'm going to upload one more file in case we need that, or just

52
00:03:38,010 --> 00:03:45,330
leave one file, which is the PoC file, so just hit Upload and it will be successfully uploaded.

53
00:03:45,840 --> 00:03:51,930
It also shows a checkbox asking whether we want bucket versioning,

54
00:03:51,930 --> 00:03:54,180
and so we do not want to enable any.

55
00:03:55,260 --> 00:04:02,530
It only creates versions of the HTML whenever any requests are being sent to your bucket.

56
00:04:03,030 --> 00:04:04,530
So we do not want to do that.

57
00:04:05,310 --> 00:04:12,060
And you can see my file is successfully in the bucket, and again, see the bucket URL, which is

58
00:04:12,060 --> 00:04:12,930
given over here.

59
00:04:13,500 --> 00:04:17,800
This is exactly the same as what we got in our previous Facebook video.

60
00:04:18,570 --> 00:04:19,010
All right.

61
00:04:19,020 --> 00:04:20,160
So you can see the object

62
00:04:20,160 --> 00:04:21,390
URL, which is Emmis-

63
00:04:21,390 --> 00:04:30,080
catalog.s3.[region].amazonaws.com/[the PoC file].

64
00:04:30,750 --> 00:04:38,220
Let's try to open it, and you can see we opened it, but we got an error, and it is Access Denied. The Access

65
00:04:38,220 --> 00:04:42,330
Denied message is due to us not having allowed public access.

66
00:04:43,870 --> 00:04:48,040
So once we give public access, now we are able to successfully open it.

67
00:04:49,270 --> 00:04:53,120
Now let's see if the changes reflect over here or not.
68
00:04:53,380 --> 00:04:55,560
So it again says Access Denied.

69
00:04:56,020 --> 00:04:59,460
First, the message was NoSuchBucket.

70
00:04:59,470 --> 00:05:03,260
And now you can see the message has changed to Access Denied over here.

71
00:05:03,460 --> 00:05:03,870
All right.

72
00:05:03,880 --> 00:05:11,410
Which means the bucket has been successfully claimed by us, guys, and we have posted the content into

73
00:05:11,410 --> 00:05:11,650
it.

74
00:05:11,650 --> 00:05:16,060
And the file which is posted is not index.html.

75
00:05:16,510 --> 00:05:23,050
That's why it is giving an error, which is Access Denied, because there is no such file as index.

76
00:05:23,080 --> 00:05:23,780
html.

77
00:05:23,800 --> 00:05:26,700
There is only one file, which is the PoC file.

78
00:05:27,670 --> 00:05:35,800
So now what we are going to do is, we are going to rename the file, which is the PoC file, to index.html.

79
00:05:36,430 --> 00:05:38,890
So let me just skip this part of the video.

80
00:05:40,640 --> 00:05:46,550
So I'm changing the bucket settings to public, and you have to confirm that; all right, it's already

81
00:05:46,550 --> 00:05:47,300
confirmed.

82
00:05:47,300 --> 00:05:54,850
And now I'm going to rename the file from the PoC file name to index.html.

83
00:05:55,580 --> 00:06:02,480
So you need to select that file, go to Actions, choose Rename, and first make it public.

84
00:06:03,550 --> 00:06:08,410
So it is accessible by everyone, and now it is accessible, right?

85
00:06:10,700 --> 00:06:18,740
So you can see the PoC file, which is accessible, because it is

86
00:06:18,740 --> 00:06:24,440
the file which is there in the bucket, but there is no such file as index.html, so let's

87
00:06:24,440 --> 00:06:27,240
quickly create an index file as well.

88
00:06:27,590 --> 00:06:29,330
So let's quickly rename this.
89
00:06:33,200 --> 00:06:43,310
So go to Actions and click on Rename object, and give the file name of the PoC file as index.html, and

90
00:06:43,310 --> 00:06:44,500
hit Save changes.

91
00:06:44,540 --> 00:06:50,920
All right, so now let's hope we are able to successfully claim this link.

92
00:06:51,170 --> 00:06:56,650
So let's go to this link and let's see the malicious content, and it looks perfectly fine.

93
00:06:57,080 --> 00:07:04,100
So, yes, guys, I hope you understood how you can take over these bucket names and these links

94
00:07:04,670 --> 00:07:07,340
where they are being pointed to but never claimed.

95
00:07:07,340 --> 00:07:13,800
And this was the successful exploitation of broken link hijacking of the entire repository.

96
00:07:14,060 --> 00:07:15,420
So I hope you guys understood.

97
00:07:15,620 --> 00:07:16,220
Thank you.
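The following is an added example, not part of the video or the speaker's material. It automates the first check the video performs by hand: pull S3 bucket names out of the links in a repository's files (both the bucket.s3.amazonaws.com and s3.amazonaws.com/bucket forms, with or without a region in the hostname), then classify what a request to that bucket returns. S3 answers NoSuchBucket (404) for a name nobody owns, which is the state the video exploits, and AccessDenied (403) once the name is taken; the classifier keys on the XML Code element in the error body. The file contents and the S3 responses embedded below are constructed so the example runs offline; the bucket names in them are placeholders, and the optional probe_bucket helper, which does a real GET against the global S3 endpoint, is an assumption about endpoint behaviour and is not exercised here.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Set

# Virtual-hosted style: bucket.s3.amazonaws.com or bucket.s3.<region>.amazonaws.com
# (also the legacy bucket.s3-<region>.amazonaws.com spelling).
VHOST_RE = re.compile(
    r"\b([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\b",
    re.IGNORECASE,
)
# Path style: s3.amazonaws.com/bucket or s3.<region>.amazonaws.com/bucket.
# The lookbehind stops this from firing on the host part of a virtual-hosted URL.
PATH_RE = re.compile(
    r"(?<![\w.-])s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/"
    r"([a-z0-9][a-z0-9.-]{1,61}[a-z0-9])(?=[/\"'\s<>]|$)",
    re.IGNORECASE,
)


def extract_bucket_names(text: str) -> Set[str]:
    """Return every bucket name referenced by an S3 URL in the given text."""
    names = {m.group(1).lower() for m in VHOST_RE.finditer(text)}
    names |= {m.group(1).lower() for m in PATH_RE.finditer(text)}
    return names


def classify_s3_response(status: int, body: str) -> str:
    """Map an S3 HTTP status and body to a takeover-relevant state.

    'dangling' means the bucket name is unowned and anyone can create it;
    'claimed' means the bucket exists (even if its content is not public).
    """
    if status == 200:
        return "serving"
    m = re.search(r"<Code>([A-Za-z]+)</Code>", body)
    code = m.group(1) if m else ""
    if status == 404 and code == "NoSuchBucket":
        return "dangling"
    if code in ("AccessDenied", "NoSuchKey", "AllAccessDisabled"):
        return "claimed"
    if status == 301 or code == "PermanentRedirect":
        return "claimed"  # bucket exists, but in another region
    return "unknown"


def probe_bucket(name: str, timeout: float = 5.0) -> str:
    """Live check (needs network): GET the bucket root and classify the reply."""
    url = f"https://{name}.s3.amazonaws.com/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_s3_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify_s3_response(err.code, err.read().decode("utf-8", "replace"))


def audit_files(files: Dict[str, str], prober: Callable[[str], str] = probe_bucket) -> Dict[str, str]:
    """Collect bucket names from a set of files and report each one's state."""
    found = set().union(*(extract_bucket_names(text) for text in files.values()))
    return {name: prober(name) for name in sorted(found)}


# Constructed sample repository contents; the bucket names are placeholders.
SAMPLE_FILES = {
    "index.html": (
        '<link rel="stylesheet" href="https://example-catalog.s3.amazonaws.com/css/app.css">\n'
        '<script src="https://s3.amazonaws.com/example-catalog/js/app.js"></script>'
    ),
    "README.md": "Assets: https://example-assets.s3.ap-south-1.amazonaws.com/logo.png",
}

# Constructed S3 error responses standing in for the network in this example.
FAKE_RESPONSES = {
    "example-catalog": (404, '<?xml version="1.0"?><Error><Code>NoSuchBucket</Code>'
                             "<Message>The specified bucket does not exist</Message></Error>"),
    "example-assets": (403, "<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"),
}


def fake_prober(name: str) -> str:
    """Offline stand-in for probe_bucket that answers from FAKE_RESPONSES."""
    status, body = FAKE_RESPONSES.get(name, (403, "<Error><Code>AccessDenied</Code></Error>"))
    return classify_s3_response(status, body)


if __name__ == "__main__":
    for bucket, state in audit_files(SAMPLE_FILES, fake_prober).items():
        print(f"{bucket}: {state}")
```

Run over a cloned repository, the 'dangling' entries are the names an attacker can register exactly as the video does; the fix on the defending side is to either delete the dead reference or create and keep the bucket yourself.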