TECNO Security
Unveiling the Unseen: A Journey from Simple Recon Using Shodan to Leaking AWS Secrets

Bug bounty hunting is full of moments when a few simple recon techniques lead to a major vulnerability discovery. Omar Sha Rafi from Bangladesh shares the process of discovering and exploiting multiple vulnerabilities in a popular music streaming platform. Because the program is confidential, sensitive details such as domain names, IP addresses, and credentials have been redacted.

Summary:

● Found an exposed origin IP via Shodan and identified its open ports with Naabu, leading to further investigation.

● Discovered leaked admin email addresses and internal app details by brute-forcing directories.

● Downloaded and decompiled an APK that contained hardcoded AWS credentials, which granted unauthorized access to S3 buckets.

  • Part 1: The Starting Point – Shodan Search and Discovering the Origin IP
  • Part 2: Full Port Scanning with Naabu
  • Part 3: Directory Brute-forcing with Ffuf
  • Part 4: Leaking PII – The Users Endpoint
  • Part 5: Exposing Development Information – The Apps Endpoint
  • Part 6: Decompiling the APK and Finding Exposed AWS Keys
  • Part 7: Using AWS CLI to Access S3 Buckets
  • Part 8: Root Cause of the Vulnerability
  • Part 9: Protection Measures for AWS Keys
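Parts 6 and 9 hinge on the same thing: credentials a developer compiled into the app, which anyone who runs apktool or jadx on the APK can read back out. The following is an added example (not code from the original write-up or from TECNO Security) of how to find such keys in decompiled sources, both as an attacker sifting through output and as a pre-release check in CI. The file contents are constructed samples that imitate apktool/jadx output, the paths and class names are hypothetical, and the key pair is the placeholder AWS uses in its own documentation, not a live credential.

```python
"""Scan decompiled APK sources for hardcoded AWS credentials.

Runs offline over an in-memory dict of {path: file_text}; point it at a real
`apktool d` or `jadx` output directory by reading the files into that dict.
"""
import math
import re
from collections import Counter

# Constructed sample files (hypothetical paths and class names). The key pair is
# AWS's documented placeholder credential, used here as a stand-in for a real leak.
SAMPLE_FILES = {
    "res/values/strings.xml": """<?xml version="1.0" encoding="utf-8"?>
<resources>
    <string name="app_name">MusicApp</string>
    <string name="aws_access_key">AKIAIOSFODNN7EXAMPLE</string>
    <string name="aws_secret_key">wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>
    <string name="bucket">musicapp-user-uploads</string>
</resources>
""",
    "sources/com/example/music/S3Uploader.java": """package com.example.music;
public class S3Uploader {
    // credentials compiled straight into the client (the anti-pattern)
    private static final String ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE";
    private static final String SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    private static final String REGION = "us-east-1";
}
""",
    "sources/com/example/music/Util.java": """package com.example.music;
public class Util {
    // key-shaped but low entropy: must not be reported as a secret
    private static final String PADDING = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
}
""",
}

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA; 20 chars total.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# Secret access keys are exactly 40 chars of [A-Za-z0-9/+]; the lookarounds stop the
# pattern from matching a 40-char window inside a longer base64 blob.
SECRET_KEY_RE = re.compile(r"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random key material lands well above 3.0."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def find_aws_credentials(files, min_secret_entropy=3.0):
    """Return findings as dicts: path, line, kind, value.

    Access key IDs are matched by their fixed prefix. Secret-key candidates are
    matched by shape and then filtered by entropy, which discards padding,
    hashes of repeated characters and similar false positives.
    """
    findings = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in ACCESS_KEY_RE.finditer(line):
                findings.append({"path": path, "line": lineno,
                                 "kind": "access_key_id", "value": m.group(1)})
            for m in SECRET_KEY_RE.finditer(line):
                cand = m.group(1)
                if shannon_entropy(cand) >= min_secret_entropy:
                    findings.append({"path": path, "line": lineno,
                                     "kind": "secret_access_key", "value": cand})
    return findings


def pair_credentials(findings):
    """Pair each access key ID with every secret found in the same file.

    A tester would feed each (access_key, secret) pair to `aws configure` and
    then `aws sts get-caller-identity` to learn what the key can do.
    """
    by_path = {}
    for f in findings:
        kinds = by_path.setdefault(f["path"], {"access_key_id": [], "secret_access_key": []})
        kinds[f["kind"]].append(f["value"])
    return [(path, ak, sk)
            for path, kinds in by_path.items()
            for ak in kinds["access_key_id"]
            for sk in kinds["secret_access_key"]]


def redact(value: str) -> str:
    """Keep only the ends of a credential so a report can cite it without leaking it."""
    return value[:4] + "..." + value[-4:]


if __name__ == "__main__":
    results = find_aws_credentials(SAMPLE_FILES)
    for f in results:
        print(f"{f['path']}:{f['line']}  {f['kind']}  {redact(f['value'])}")
    print(f"{len(pair_credentials(results))} usable key pair(s) found")
```

On real decompiler output, walk the directory with `os.walk`, read each text file into the dict, and run the same function; the entropy threshold is the knob to tune if a code base is noisy. The same scanner, wired into the build before the APK is signed, is the simplest form of the protection Part 9 describes: a client that ships with long-term keys cannot be made safe after the fact, so the goal is to catch them before release.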

User activity: Follow @TecnoSRC and like this post; we will randomly select 10 users to give away 10 security credits!
