Phase 2 — Active Recon
Date: 2026-04-26
Mode: Conservative (10 req/s, non-intrusive scripts only, no brute / DoS)
Tools run: httpx (JSONL), dig (A/AAAA/CNAME), openssl x509 (SSL cert SAN harvest), curl (content discovery), Jira REST API /serverInfo, nmap top-1000 T2 (in progress)
What was tested
- DNS resolution on 76 hostnames (75 from Phase 1 + superadmin.corezoid.com)
- HTTP/HTTPS probe with full fingerprinting (title, tech stack, TLS version + cert, favicon hash, JARM) on all 76
- SSL cert subject + SAN harvest from all 76
- Content-discovery passive probe (robots.txt, security.txt, sitemap.xml, .well-known/*, .git/config, .env, .DS_Store, swagger/openapi variants, actuator endpoints, metrics, server-status, AI plugin manifest) on top 10 hosts
- Jira version fingerprint via unauth REST API call
- OpenVPN-AS version fingerprint via HTTP response header
- Active probing of the suspected k8s control plane on track.pre.corezoid.com (unauthenticated /healthz, /readyz, /livez, /api, /apis, /version)
- Nmap top-1000 TCP scan on 7 P0 hosts (background, in progress)
Hostname resolution summary
- 28 HTTP-alive hosts (see httpx JSONL for details)
- 48 hostnames return NXDOMAIN or have no A record (a wildcard DNS entry does not mean the service is live)
- superadmin.corezoid.com — NXDOMAIN, does not exist. Listed in engagement scope but not deployed.
- k8s.dev.corezoid.com — NXDOMAIN (no A record)
- Most hosts sit behind AWS ELB in eu-west-1
- Several CDN-fronted hosts behind CloudFront
DNS observations
- admin-pre.corezoid.com → internal ELB with RFC1918 IPs in public DNS (10.50.0.0/16) — filed as CRZ-001
- book.corezoid.com → 4 IPs in 3.174.230.0/24 — unusual, AWS Global Accelerator anycast
- git.corezoid.com → awsglobalaccelerator.com CNAME — internal git behind AWS GA
- simulator.company and corezoid.com share the same 3 ELB IPs — shared ALB
- admin.corezoid.com / api.corezoid.com / openapi.corezoid.com / ws.corezoid.com all share the same mw-prod-alb-1-corezoid-public-1545801668 ALB — routing by Host header
Tech fingerprinting highlights
| Host | Server | Tech stack | Notes |
|---|---|---|---|
| jira.corezoid.com | — | Atlassian Jira 7.12.3 (2018-10-12) | CRITICAL — CRZ-006 |
| track.pre.corezoid.com | kube-apiserver | Kubernetes API (EKS pre-prod) | HIGH — CRZ-002 |
| vpn.corezoid.com | OpenVPN-AS | OpenVPN Access Server | Info — CRZ-005 |
| doc.corezoid.com | ESF | Redirects to Google Doc | Info — CRZ-004 |
| widget.simulator.company | nginx (default welcome) | — | Low — CRZ-003 |
| admin.corezoid.com | nginx | GA, HSTS | Main admin UI |
| account.corezoid.com | — | HSTS | Auth / SSO |
| corezoid.com / www.corezoid.com / new.corezoid.com | nginx | Gatsby 2.13.65, React, Webpack | Marketing site |
| api.corezoid.com | nginx | Gatsby 2.13.65, React | Same Gatsby as marketing (unusual for API) |
| openapi.corezoid.com | nginx | Redoc (OpenAPI rendering) | Reference docs only |
| book.corezoid.com | AmazonS3 | S3-hosted static site | Public S3 bucket (expected) |
| market.corezoid.com | nginx | React, S3 | Marketplace |
| simulator.company | — | Next.js, React | Marketing (Next) |
| sim.simulator.company | — | HSTS | Simulator UI |
| doc.simulator.company | AmazonS3 | Public S3 bucket | Serves REST API docs |
SPA catch-all routing observation
Multiple SPA-backed hosts return 200 OK with index.html for every path (including /.env, /.git/config, /actuator/env, /swagger.json, /.DS_Store). This is NOT a leaked file — it's the SPA fallback routing. However, it:
- Defeats naive content-discovery tools
- Causes search engines to index /admin/.env as "Corezoid admin page"
- Breaks WAF rules that trigger on 404 for /.env
- Is a Low-severity misconfig — should return 404 for clearly-invalid paths (static files like .env, .git/*) while still serving the SPA for valid routes
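As a worked illustration of the fix recommended above, here is an nginx server block for an SPA that keeps the index.html fallback for client-side routes but answers a genuine 404 for dotfiles, backend-style endpoints and missing static assets. This is an added example, not configuration taken from any of the hosts in this report; the server_name, document root and the list of endpoint prefixes are placeholders and should be adapted to the app's real routes.

```nginx
# Added example (not the target's actual config): nginx server block for a
# single-page app that keeps the client-side fallback for real routes but
# answers 404 for paths that can only ever be files or backend endpoints.
# Hostname, document root and endpoint prefixes are assumed placeholders.
server {
    listen 443 ssl;
    server_name spa.example.test;
    root /var/www/spa/dist;
    index index.html;

    # Weak setting as observed in the report: every unknown path,
    # /.env and /.git/config included, falls through to index.html with 200.
    #location / {
    #    try_files $uri /index.html;
    #}

    # Dotfiles (.env, .git/*, .DS_Store, ...) are never legitimate SPA routes.
    # /.well-known/ is excluded so security.txt and ACME challenges still work.
    location ~ /\.(?!well-known/) {
        return 404;
    }

    # Backend-style endpoints the SPA does not define: answer 404 instead of
    # the app shell so scanners, WAF rules and search engines see a real miss.
    location ~ ^/(actuator|swagger|openapi|server-status|metrics)(/|\.|$) {
        return 404;
    }

    # Static assets: serve the file if it exists, otherwise a genuine 404.
    location ~* \.(js|css|map|json|ico|png|jpg|svg|woff2?)$ {
        try_files $uri =404;
    }

    # Everything else is a client-side route: serve the SPA shell.
    location / {
        try_files $uri /index.html;
    }
}
```

Two design points: the regex locations are evaluated in order and the first match wins, so the dotfile and endpoint rules must sit above the static-asset rule (otherwise /.env.json would be handled as an asset), and 404 is used rather than 403 so the response does not distinguish a blocked path from a nonexistent one. Validate with `nginx -t` before reloading, and confirm with curl that /.env now returns 404 while a real client-side route still returns the app shell.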
What's still running (background)
- `nmap -Pn -sT -T2 --top-ports 1000 -sV --script 'default and not (intrusive or dos or brute)'` on 7 P0 hosts (track.pre, vpn, jira, admin-oleg.dev, confluence-ferma, admin-pre, corezoid-ma.dev). Output in `tools-out/nmap-p0.{nmap,xml,gnmap}`.
- SSL cert SAN harvest completed — no new subdomains discovered beyond the wildcard *.corezoid.com and *.simulator.company ACM certs.
Findings filed in Phase 2
| ID | Severity | Title |
|---|---|---|
| CRZ-001 | Low | RFC1918 IPs in public DNS (admin-pre) |
| CRZ-002 | High | Public Kubernetes API server (EKS pre-prod) |
| CRZ-003 | Low | Default nginx welcome on widget.simulator.company |
| CRZ-004 | Info | Public Google Doc as product docs |
| CRZ-005 | Info | OpenVPN-AS version fingerprint |
| CRZ-006 | 🔴 CRITICAL | Jira Server 7.12.3 (2018) — unauth RCE (CVE-2019-11581 et al.) |
Next phase
Phase 3 — Authenticated web app testing. HAR file replay on admin.corezoid.com and mw.simulator.company to probe IDOR, BOLA, authz bypass, stored XSS. Awaiting CTO go-ahead per phase-gated RoE.
Also awaiting CTO decision on CRZ-006 Jira critical — options:
- Confirm PoC of CVE-2019-11581 (low-impact canary) before filing final report
- Skip PoC, accept the version-disclosure finding as sufficient evidence, file report as-is
- Immediate patch / offline Jira — skip further testing and remediate first