# ================================================================
# Attack path: Subdomain takeover for credential phishing
# Difficulty: easy · Cloud: multi · Est. time: 15 min
#
# Starting position: Anonymous internet user, target's public DNS records visible.
# Objective: Serve attacker-controlled HTML from a subdomain of the target's primary domain.
#
# Playbook:
# 1. The attacker enumerates subdomains with `subfinder` / Amass. `promo.<target>.com` resolves to a CNAME pointing at `<target>-deleted-bucket.s3.amazonaws.com`.
# 2. Tries to GET the hostname — receives `NoSuchBucket` (the takeover indicator; `AccessDenied` or `NoSuchKey` would mean the bucket still exists and belongs to someone). Registers an S3 bucket with the name reported in that error body in their own account — S3 bucket names are global and first-come, first-served. Note that S3 selects the bucket from the HTTP Host header, so for a request to `promo.<target>.com` the reported name is usually `promo.<target>.com` itself rather than the CNAME target; confirm before claiming.
# exploits: NET-201
# 3. Uploads `index.html` containing a credential-phishing form and makes it publicly readable (Block Public Access off, public-read bucket policy). Victims now load attacker content from a domain they trust, and any cookies scoped to the parent `<target>.com` domain may be sent along with the request.
# exploits: NET-201
#
# Cleanup: terraform destroy -auto-approve (or: aws cloudformation delete-stack); also delete any bucket claimed in the attacker account so the exercise leaves no live content behind.
# ================================================================
terraform {
  # Provider pins: the AWS provider for the Route53 zone/record and the
  # random provider for the per-deployment suffix.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    random = {
      source  = "hashicorp/random"
      version = "~> 3.6"
    }
  }
}
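provider "aws" {
  # Provider default region; the Route53 resources in this file are not
  # region-specific, so any region works here.
  region = "us-east-1"

  # The lab is meant to be deployed time-boxed and tagged: stamp every
  # taggable AWS resource (here the hosted zone — Route53 records cannot be
  # tagged) so the deployment can be identified, owned and torn down.
  default_tags {
    tags = {
      Scenario  = "NET-201"
      Purpose   = "intentionally-vulnerable-lab"
      ManagedBy = "terraform"
    }
  }
}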
resource "random_id" "suffix" {
  # Per-deployment random value: 4 bytes, i.e. 8 hex characters via
  # random_id.suffix.hex, usable wherever a globally-unique name is needed.
  byte_length = 4
}
# Dangling DNS record
# vulnerabilities: NET-201
resource "aws_route53_zone" "net_dangling_dns" {
  # Hosted zone for the lab's parent domain.
  # NOTE(review): unless this zone's NS set is delegated from the domain's
  # registrar, public resolvers will not see its records — query the zone's
  # assigned name servers directly when testing the scenario.
  name = "vbuild-example.com"
}
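# NET-201: CNAME points at an S3 bucket name that does not exist. Nothing stops
# anyone from creating a bucket with that name in their own account, after
# which promo.vbuild-example.com serves their content. The random suffix makes
# the dangling target unique per deployment, so repeat or parallel runs do not
# reuse a name that an earlier run (or an unrelated third party) may already
# have claimed.
# NOTE(review): S3 selects the bucket from the HTTP Host header, so a browser
# request to promo.vbuild-example.com is answered by a bucket named
# "promo.vbuild-example.com" if one exists; check which name the NoSuchBucket
# error body reports before deciding which bucket to claim.
resource "aws_route53_record" "net_dangling_dns" {
  zone_id = aws_route53_zone.net_dangling_dns.zone_id
  name    = "promo.vbuild-example.com"
  type    = "CNAME"
  # Short TTL so the record drops out of resolver caches soon after teardown.
  ttl     = 300
  records = ["vbuild-deleted-bucket-${random_id.suffix.hex}.s3.amazonaws.com"]
}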
Intentionally vulnerable. Apply only in an isolated sub-account / project, time-boxed and tagged. Never deploy on top of production, and run `terraform destroy` as soon as the exercise ends so the dangling record does not outlive the lab.