DEV Community

Cover image for Unveiling the Unseen: A Journey from Simple Recon Using Shodan to Leaking AWS Secrets
TECNO Security
TECNO Security

Posted on

Unveiling the Unseen: A Journey from Simple Recon Using Shodan to Leaking AWS Secrets

The world of bug bounty hunting is filled with thrilling moments when some simple recon techniques lead to a major vulnerability discovery. Omar Sha Rafi from Bangladesh shares with us the process of discovering and exploiting multiple vulnerabilities in a popular music streaming platform. Due to the confidentiality of the program, all sensitive details such as domain names, IP addresses, and credentials have been redacted.

Summary:

● Found an exposed IP via Shodan and identified open ports using Naabu, leading to further investigation.

● Discovered admin email leakage and internal app details through brute forcing directories.

● Downloaded and Decompiled an APK that uncovered hardcoded AWS credentials, enabling unauthorized access to S3 buckets.

  • Part 1: The Starting Point – Shodan Search and Discovering the Origin IP
  • Part 2: Full Port Scanning with Naabu
  • Part 3: Directory Brute forcing with Ffuf
  • Part 4: Leaking PII – The Users Endpoint
  • Part 5: Exposing Development Information – The Apps Endpoint
  • Part 6: Decompiling the APK and Finding Exposed AWS Keys
  • Part 7: Using AWS CLI to Access S3 Buckets
  • Part 8: Root Cause of the Vulnerability
  • Part 9: Protection Measures for AWS Keys

User activity: Follow @TecnoSRC and like this post, we will randomly select 10 users to give away 10 security credits!

Billboard image

Synthetic monitoring. Built for developers.

Join Vercel, Render, and thousands of other teams that trust Checkly to streamline monitor creation and configuration with Monitoring as Code.

Start Monitoring

Top comments (0)

Billboard image

The Next Generation Developer Platform

Coherence is the first Platform-as-a-Service you can control. Unlike "black-box" platforms that are opinionated about the infra you can deploy, Coherence is powered by CNC, the open-source IaC framework, which offers limitless customization.

Learn more

👋 Kindness is contagious

Dive into an ocean of knowledge with this thought-provoking post, revered deeply within the supportive DEV Community. Developers of all levels are welcome to join and enhance our collective intelligence.

Saying a simple "thank you" can brighten someone's day. Share your gratitude in the comments below!

On DEV, sharing ideas eases our path and fortifies our community connections. Found this helpful? Sending a quick thanks to the author can be profoundly valued.

Okay