# [Dogs](http://doggo.buggywebsite.com/)

* https://hackerone.com/bugpoc

## Check list

1. https://www.wappalyzer.com/technologies/miscellaneous/amazon-s3/?utm_source=popup&utm_medium=extension&utm_campaign=wappalyzer
2. https://www.wappalyzer.com/technologies/paas/amazon-web-services/?utm_source=popup&utm_medium=extension&utm_campaign=wappalyzer

## DNS record

DNS records for doggo.buggywebsite.com:

| Hostname | Type | TTL | Content |
|---|---|---|---|
| doggo.buggywebsite.com | SOA | 899 | ns-928.awsdns-52.net awsdns-hostmaster@amazon.com 1 7200 900 1209600 86400 |
| doggo.buggywebsite.com | NS | 1800 | ns-1110.awsdns-10.org |
| doggo.buggywebsite.com | NS | 1800 | ns-165.awsdns-20.com |
| doggo.buggywebsite.com | NS | 1800 | ns-1835.awsdns-37.co.uk |
| doggo.buggywebsite.com | NS | 1800 | ns-928.awsdns-52.net |
| doggo.buggywebsite.com | A | 4 | 52.218.252.114 |
| doggo.buggywebsite.com | CNAME | 299 | doggo.buggywebsite.com.s3-website-us-west-2.amazonaws.com |

Links:

* https://doggo-api.buggywebsite.com/get-dogs
* http://doggo.buggywebsite.com/script.js
* http://doggo.buggywebsite.com.s3-website-us-west-2.amazonaws.com/

```
nslookup doggo.buggywebsite.com
Server:         192.168.0.1
Address:        192.168.0.1#53

Non-authoritative answer:
doggo.buggywebsite.com  canonical name = doggo.buggywebsite.com.s3-website-us-west-2.amazonaws.com.
doggo.buggywebsite.com.s3-website-us-west-2.amazonaws.com       canonical name = s3-website-us-west-2.amazonaws.com.
Name:   s3-website-us-west-2.amazonaws.com
Address: 52.218.222.2
Address: 52.218.128.11
Address: 52.218.236.114
Address: 52.218.136.122
Address: 52.218.220.74
Address: 52.218.170.83
```

# So here's the question: what's the difference between S2 and S3?

* Check this out: https://spyse.com/target/domain/doggo.buggywebsite.com/dns-records

![](https://i.imgur.com/7yUleBN.png)

* S3 is Simple Storage Service, the AWS service for storing stuff.

## Ping result

![](https://i.imgur.com/S4ZGgEU.png)

```
traceroute to doggo.buggywebsite.com (52.218.193.3), 30 hops max, 60 byte packets
 1  ip-10-0-0-14.ec2.internal (10.0.0.14)  1.226 ms  1.219 ms  1.259 ms
 2  216.182.231.116 (216.182.231.116)  19.167 ms 216.182.238.149 (216.182.238.149)  2.490 ms 216.182.238.145 (216.182.238.145)  2.453 ms
 3  100.66.13.188 (100.66.13.188)  22.272 ms 100.66.37.172 (100.66.37.172)  54.360 ms 100.66.37.184 (100.66.37.184)  3.879 ms
 4  100.66.10.102 (100.66.10.102)  20.836 ms 100.66.60.174 (100.66.60.174)  13.230 ms 100.66.60.182 (100.66.60.182)  13.233 ms
 5  244.0.4.200 (244.0.4.200)  1.831 ms 244.0.4.203 (244.0.4.203)  1.907 ms 100.66.62.150 (100.66.62.150)  23.440 ms
 6  240.0.40.22 (240.0.40.22)  1.882 ms 244.0.4.204 (244.0.4.204)  19.742 ms 240.0.40.21 (240.0.40.21)  1.120 ms
 7  242.0.171.129 (242.0.171.129)  1.383 ms 240.0.40.20 (240.0.40.20)  1.137 ms 242.0.171.129 (242.0.171.129)  1.629 ms
 8  52.93.28.169 (52.93.28.169)  1.658 ms 52.93.28.175 (52.93.28.175)  1.628 ms 242.0.171.129 (242.0.171.129)  1.259 ms
 9  100.100.6.22 (100.100.6.22)  10.717 ms 100.100.8.24 (100.100.8.24)  1.852 ms 100.100.8.80 (100.100.8.80)  10.234 ms
10  * 100.100.8.108 (100.100.8.108)  9.457 ms 100.100.6.98 (100.100.6.98)  9.355 ms
11  * 100.100.2.119 (100.100.2.119)  81.575 ms 100.100.2.111 (100.100.2.111)  92.726 ms
12  100.100.72.18 (100.100.72.18)  73.472 ms 100.100.89.82 (100.100.89.82)  84.384 ms 100.100.2.87 (100.100.2.87)  73.060 ms
13  100.100.66.2 (100.100.66.2)  84.181 ms 100.100.85.5 (100.100.85.5)  63.669 ms 100.100.76.146 (100.100.76.146)  74.402 ms
14  100.100.92.197 (100.100.92.197)  82.881 ms 100.100.4.86 (100.100.4.86)  82.802 ms 100.100.65.5 (100.100.65.5)  81.563 ms
15  100.100.4.4 (100.100.4.4)  82.235 ms 100.100.4.104 (100.100.4.104)  63.929 ms 100.95.17.8 (100.95.17.8)  80.591 ms
16  100.95.17.2 (100.95.17.2)  72.780 ms 108.166.228.46 (108.166.228.46)  80.772 ms 100.95.17.4 (100.95.17.4)  74.323 ms
17  100.95.1.14 (100.95.1.14)  79.790 ms 108.166.228.44 (108.166.228.44)  64.700 ms 108.166.228.45 (108.166.228.45)  71.156 ms
18  108.166.228.62 (108.166.228.62)  72.348 ms 108.166.228.55 (108.166.228.55)  72.659 ms 108.166.228.54 (108.166.228.54)  77.094 ms
19  100.66.15.31 (100.66.15.31)  93.627 ms 100.66.15.101 (100.66.15.101)  98.068 ms 244.0.1.69 (244.0.1.69)  70.698 ms
20  100.66.14.45 (100.66.14.45)  86.245 ms 100.66.12.125 (100.66.12.125)  94.975 ms 244.0.1.66 (244.0.1.66)  64.727 ms
21  100.66.12.111 (100.66.12.111)  87.576 ms 100.65.24.97 (100.65.24.97)  89.249 ms 100.65.24.225 (100.65.24.225)  90.637 ms
22  100.65.24.225 (100.65.24.225)  93.807 ms  84.827 ms 100.65.25.225 (100.65.25.225)  93.005 ms
23  s3-website-us-west-2.amazonaws.com (52.218.193.3)  73.219 ms  72.100 ms  71.552 ms
```

See, no subdomains:

![](https://i.imgur.com/OAgDmjG.png)

# So we found the API endpoint, now the real game starts

https://developer.mozilla.org/en-US/docs/Web/JavaScript

From script.js (the API is called with a per-page opaque `x-param` header and an `x-fingerprint` header taken from localStorage):

```js
const API_ENDPOINT = "https://doggo-api.buggywebsite.com";

// Fetches the image URLs for one page. Each page has a fixed opaque token
// that is sent as the x-param header, together with the stored fingerprint.
async function getURLs(pageNum){
    var PARAMS = {
        1: "gAAAAABgGg49vp03MkS2gsuz1SLZat7_z36Nkc4I-25X4-RtxXd_pxv964ObmIgunslqWO47kWxCWUSdZVCSlgqGnTi7ekqEaA==",
        2: "gAAAAABgGg5OwIOIQGgUJSF_iuwDa8XcB8im0v3l7S-cwZgkufRFsfb5EL4Dawc3ZA_xwyG8BkbIkMnFrl6ACVGzmd_9adDMfA==",
        3: "gAAAAABgGg5dGZ3R5ZHcBV3A4L2QM3-LMxsmbLFTSXWmBiXTa9BgAN8ZhmDQDONVaf7VT_s1CMK-uL8huNQy1wwfQovk1t7Jfw==",
        4: "gAAAAABgGg5u4W_yBC5YgusPCtmKOtxQYAgo161YK_Njo67ZLo6fGm6nyKwRIQ8divqkUL2mymw2fxeKF_BenpqSo79KuMj6JQ=="
    };
    var param = PARAMS[pageNum];
    var endpoint = API_ENDPOINT + '/get-dogs';
    let response = await fetch(endpoint, {
        headers: {
            'x-param': param,
            'x-fingerprint': localStorage.fingerprint,
        }
    });
    let data = await response.json();
    return data['body'];
}

// ...[snip]...(useless)

// Disables the current page button and renders the returned image URLs.
function loadPage(pageNum){
    document.querySelector('#theLoader').style.display = 'inline';
    var buttons = document.getElementsByClassName('page-button');
    for (var i = 0; i < buttons.length; i++){
        buttons[i].disabled = false;
    }
    getURLs(pageNum).then(urls => {
        addImages(JSON.parse(urls));
        document.getElementById('button-' + pageNum).disabled = true;
        document.querySelector('#theLoader').style.display = 'none';
    });
}

// Fetches a fingerprint from the API once and caches it in localStorage,
// so every later request carries the same x-fingerprint value.
async function setFingerprint(){
    if (localStorage.fingerprint == undefined) {
        document.querySelector('#theLoader').style.display = 'inline';
        var endpoint = API_ENDPOINT + '/fingerprint';
        let response = await fetch(endpoint);
        let data = await response.json();
        localStorage.fingerprint = data['fingerprint'];
    }
}

// ...[snip]...(useless)
```

No useful info from bypass-403.

nmap scan:

```
nmap.exe -p- doggo.buggywebsite.com
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-27 02:53 India Standard Time
Nmap scan report for doggo.buggywebsite.com (52.218.209.19)
Host is up (0.0078s latency).
rDNS record for 52.218.209.19: s3-website-us-west-2.amazonaws.com
Not shown: 65533 filtered ports
PORT   STATE SERVICE
53/tcp open  domain (DNS)
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 133.22 seconds
```

![](https://i.imgur.com/UyS3pHm.png)

![](https://i.imgur.com/63jNybY.png)

Fingerprint value:

```
gAAAAABghxz84r_cQjg3wPwie--tiTTmVvMJ262fermwCxSvkwby00Qcr3WJN9OQkSWgFv_qow_9ik70D3eyr3xS7gA1_m1nXVjwaeCzQ5lh1Ng6wF_u0J-AOULHPrUbuduqp5uGt1hWI3W4FQnYZYawgfz3f8bQ0wWurkBVDITsPkH8i6wNypM=
```

Same for all requests, set by the JS function setFingerprint().

![](https://i.imgur.com/ChAOu0i.png)

# Important findings

* So we can only access the API through dogs.
* https://doggo-api.buggywebsite.com/dogs?page=1
* Answer:

![](https://i.imgur.com/0nUv0iX.png)

* The fingerprint is a must.

#### Got server info: awselb/2.0

* Elastic Load Balancing offers four types of load balancers that all feature the high availability, automatic scaling, and robust security necessary to make your applications fault tolerant.

![](https://i.imgur.com/lNsEWIF.png)

```
nmap -A -p- doggo.buggywebsite.com
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-26 17:16 EDT
Nmap scan report for doggo.buggywebsite.com (52.218.168.58)
Host is up (0.24s latency).
rDNS record for 52.218.168.58: s3-website-us-west-2.amazonaws.com
Not shown: 65534 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Amazon S3 httpd
|_http-server-header: AmazonS3
|_http-title: Doggos
```

## Possible entry point

![](https://i.imgur.com/EwIQs06.png)

![](https://i.imgur.com/sK83tMO.png)

![](https://i.imgur.com/y535hCF.png)

![](https://i.imgur.com/Vf4k84F.png)

## References

* https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html
* https://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPOST.html
* https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/index.html
* https://docs.aws.amazon.com/code-samples/latest/catalog/python-apigateway-websocket-lambda_chat.py.html
* https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html

# Error from API

* https://stackoverflow.com/questions/40988051/getting-message-forbidden-reply-from-aws-api-gateway
* https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-troubleshoot-403-forbidden/
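The notes above treat the `x-param` values and the fingerprint as opaque strings. They are not entirely opaque: the `gAAAAAB` prefix and the URL-safe base64 alphabet are the fixed layout of a Fernet token (version byte 0x80, an 8-byte big-endian issue timestamp, a 16-byte IV, AES-CBC ciphertext in whole 16-byte blocks, and a 32-byte HMAC). That identification is my own reading of the values, not something the notes state. The script below is an added example, not code from the notes or from the target; it parses that header without any key (so nothing is decrypted and no HMAC is checked) and shows the one thing the layout does expose, the issue time, plus the age check a server should apply alongside HMAC verification. The tokens are the ones copied from the notes; the `ttl_seconds` value and the 60-second skew allowance are constructed for the example.

```python
"""Parse the Fernet token layout of the x-param / x-fingerprint values.

Added example (not part of the original notes or of the target's script.js).
Layout of a Fernet token after URL-safe base64 decoding:

    version (1 byte, 0x80) | timestamp (8 bytes, big-endian, seconds since epoch)
    | IV (16 bytes) | AES-128-CBC ciphertext (multiple of 16 bytes) | HMAC-SHA256 (32 bytes)

Without the key the ciphertext cannot be read and the HMAC cannot be forged.
What is visible is the issue time, which is the field a server must actually
enforce (token age / TTL) in addition to verifying the HMAC.
"""
import base64
import struct
from datetime import datetime, timezone

# Tokens copied verbatim from the notes: x-param values for pages 1-4.
X_PARAM_TOKENS = {
    1: "gAAAAABgGg49vp03MkS2gsuz1SLZat7_z36Nkc4I-25X4-RtxXd_pxv964ObmIgunslqWO47kWxCWUSdZVCSlgqGnTi7ekqEaA==",
    2: "gAAAAABgGg5OwIOIQGgUJSF_iuwDa8XcB8im0v3l7S-cwZgkufRFsfb5EL4Dawc3ZA_xwyG8BkbIkMnFrl6ACVGzmd_9adDMfA==",
    3: "gAAAAABgGg5dGZ3R5ZHcBV3A4L2QM3-LMxsmbLFTSXWmBiXTa9BgAN8ZhmDQDONVaf7VT_s1CMK-uL8huNQy1wwfQovk1t7Jfw==",
    4: "gAAAAABgGg5u4W_yBC5YgusPCtmKOtxQYAgo161YK_Njo67ZLo6fGm6nyKwRIQ8divqkUL2mymw2fxeKF_BenpqSo79KuMj6JQ==",
}
# The x-fingerprint value from the notes.
FINGERPRINT_TOKEN = (
    "gAAAAABghxz84r_cQjg3wPwie--tiTTmVvMJ262fermwCxSvkwby00Qcr3WJN9OQkSWgFv_qow_9ik70"
    "D3eyr3xS7gA1_m1nXVjwaeCzQ5lh1Ng6wF_u0J-AOULHPrUbuduqp5uGt1hWI3W4FQnYZYawgfz3f8bQ"
    "0wWurkBVDITsPkH8i6wNypM="
)

FERNET_VERSION = 0x80
TS_LEN, IV_LEN, MAC_LEN, BLOCK = 8, 16, 32, 16
MIN_LEN = 1 + TS_LEN + IV_LEN + BLOCK + MAC_LEN  # one ciphertext block minimum


def parse_fernet_layout(token: str) -> dict:
    """Split a Fernet token into its fields without decrypting or verifying it.

    Raises ValueError if the bytes do not have the Fernet layout.
    """
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < MIN_LEN:
        raise ValueError("too short to be a Fernet token")
    if raw[0] != FERNET_VERSION:
        raise ValueError("unexpected version byte 0x%02x" % raw[0])
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    (timestamp,) = struct.unpack(">Q", body[1:1 + TS_LEN])
    iv = body[1 + TS_LEN:1 + TS_LEN + IV_LEN]
    ciphertext = body[1 + TS_LEN + IV_LEN:]
    if len(ciphertext) % BLOCK != 0:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {
        "version": raw[0],
        "timestamp": timestamp,
        "issued_at": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "iv": iv.hex(),
        "ciphertext_blocks": len(ciphertext) // BLOCK,
        "hmac": mac.hex(),
    }


def token_age_ok(token: str, now: int, ttl_seconds: int) -> bool:
    """The age rule a server must apply on top of HMAC verification.

    Fernet's own decrypt(token, ttl) performs this check once the key is
    present; it is reproduced here on the parsed header to make the rule
    visible. The 60-second future-skew allowance is a constructed choice.
    """
    ts = parse_fernet_layout(token)["timestamp"]
    return ts <= now + 60 and now - ts <= ttl_seconds


if __name__ == "__main__":
    for page, tok in X_PARAM_TOKENS.items():
        info = parse_fernet_layout(tok)
        print(f"page {page}: issued {info['issued_at']:%Y-%m-%d %H:%M:%S} UTC, "
              f"{info['ciphertext_blocks']} ciphertext block(s)")
    fp = parse_fernet_layout(FINGERPRINT_TOKEN)
    print(f"fingerprint: issued {fp['issued_at']:%Y-%m-%d %H:%M:%S} UTC, "
          f"{fp['ciphertext_blocks']} ciphertext block(s)")
```

Run as a script it reports the page tokens as issued on 2021-02-03 (about 17 seconds apart, one ciphertext block each, so a very short plaintext per page) and the fingerprint as issued on 2021-04-26, which agrees with the dates in the nmap output above. The practical point for whoever owns such an API: a page token minted months earlier is still being accepted, so either no TTL is enforced on `x-param` or it is very long; `token_age_ok` is the shape of the check that closes that gap.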