Efficient methodology to get P2 level - subdomain takeover vulnerability

Suprit Pandurangi
Published in InfoSec Write-ups
Dec 27, 2022

Hello Guys, I’m Suprit, a cybersecurity enthusiast and researcher. This is my first blog and I’m going to explain how I was able to hack a subdomain of an organization with my easy and efficient methodology.

Hello F.R.I.E.N.D !!

I was hunting and kept switching from program to program for the past few months. In the beginning phase of my journey I got more than 20 duplicate bugs and was tired and demotivated, and there were a lot of burnouts. Even so, I decided to keep moving on….
And one day I was hunting on a Responsible Vulnerability Disclosure Program (can’t disclose the program name) and performed complete reconnaissance on my target.
Now, before jumping to the method, we’re going to learn a little bit about subdomains and where the vulnerability exists!

What is a Subdomain?
A subdomain is a prefix added to a domain name to distinguish one section of your website from another. Subdomains are mostly used by site owners to manage large sections that require their own content hierarchy, such as online stores, blogs, or support platforms.

What is Subdomain Takeover?
Subdomain takeover is a type of vulnerability in which an attacker can gain control of a company’s subdomain. It is caused by an incorrectly configured DNS record.
In other words, imagine you are a company developer who has been tasked with creating a website (here, a subdomain) for an upcoming event. You designed the website, hosted it with the proper DNS configuration, and it is now operational.
After the event, the company instructed you to remove that website because the event page was no longer useful. The developer may simply delete the site on the hosting service and report that “yes, the website is now down.” However, the DNS record is never removed, so it now points to a resource that no longer exists. And it is here that we, the attackers, will strike: we simply create a site with the same name on that service and, in many cases, the same CNAME target the DNS record points to.
BooM! You took control of a subdomain.

My personal reconnaissance methodology and workflow.

I would like to give a short overview of my reconnaissance workflow. I regularly use amass, subfinder, assetfinder and the Chaos discovery data set for subdomain enumeration; my next step is to resolve the discovered subdomains to check for alive hosts, then vulnerability analysis and finally manual testing. On that day, I thought to use crt.sh as an add-on step, since I was curious to explore it and was learning how the tool works and what’s behind the scenes.
And this tool enumerated some additional subdomains which were not gathered in my regular recon phase. Okay!! Now I resolved and sorted all the subdomains I enumerated into a .txt file and saved it.
Now, I tried to check for subdomain takeover, as this is a must-do part of my recon phase. I use subzy, subjack and the nuclei takeover templates for subdomain takeover; since this is just part of my vulnerability analysis, it may give false positives.
I tried subzy and subjack, but got nothing. Then I used Nuclei with nuclei-templates/takeovers, and within a few minutes I got a high-severity warning titled tilda takeover.

nuclei -l subdomain.txt -t $path/nuclei-templates/takeovers/
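To make the checking step concrete, here is an added Python example (not the author’s tooling, and not how subzy, subjack or nuclei work internally) that applies the same two signals to a list of resolved hosts: a CNAME whose target no longer resolves, or a target that still answers but shows a service’s unclaimed-page text such as Tilda’s “Domain has been assigned”. The resolver and fetcher are injected, so the constructed sample records and page bodies stand in for live DNS/HTTP answers; the host names and CNAME targets are placeholders.

```python
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Text an unclaimed page shows, per service. Only the Tilda string comes from this
# write-up; add other providers from the EdOverflow/can-i-take-over-xyz list.
FINGERPRINTS = {"Tilda": "Domain has been assigned"}

Resolver = Callable[[str], Tuple[Optional[str], bool]]  # host -> (CNAME target or None, target resolves?)
Fetcher = Callable[[str], str]                           # host -> HTTP body ("" on failure)

@dataclass
class Finding:
    host: str
    cname: Optional[str]
    status: str            # "ok" | "dangling-nxdomain" | "unclaimed-service"
    service: Optional[str] = None

def classify(host: str, resolve: Resolver, fetch: Fetcher) -> Finding:
    """Apply the post's checks to one host: follow the CNAME, then fingerprint the page."""
    cname, target_resolves = resolve(host)
    if cname is None:                      # A/AAAA record or no record: not a CNAME takeover case
        return Finding(host, None, "ok")
    if not target_resolves:                # CNAME target is NXDOMAIN: classic dangling record
        return Finding(host, cname, "dangling-nxdomain")
    body = fetch(host)
    for service, marker in FINGERPRINTS.items():
        if marker in body:                 # service answers, but nobody has claimed this name
            return Finding(host, cname, "unclaimed-service", service)
    return Finding(host, cname, "ok")

def scan(hosts, resolve: Resolver, fetch: Fetcher):
    """Return only the hosts that need attention, mirroring a pass over subdomain.txt."""
    return [f for f in (classify(h, resolve, fetch) for h in hosts) if f.status != "ok"]

# Constructed sample data standing in for real DNS and HTTP answers (placeholder targets).
SAMPLE_DNS = {
    "pdf.example.com":       ("site.tilda-host.invalid", True),   # target alive, page unclaimed
    "old-event.example.com": ("event.old-host.invalid", False),   # target no longer exists
    "www.example.com":       (None, True),                        # plain A record
}
SAMPLE_HTTP = {
    "pdf.example.com": "<html><body>Domain has been assigned</body></html>",
    "www.example.com": "<html><body>Welcome</body></html>",
}

def sample_scan():
    return scan(SAMPLE_DNS, lambda h: SAMPLE_DNS[h], lambda h: SAMPLE_HTTP.get(h, ""))

if __name__ == "__main__":
    for f in sample_scan():
        print(f"{f.host}: {f.status}" + (f" ({f.service})" if f.service else ""))
```

To run it against a real zone, supply a resolver built on dnspython’s dns.resolver.resolve(name, "CNAME") and an HTTP fetch in place of the sample dictionaries; a hit still needs the manual visit the post describes before it is reported.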

Then I visited the page manually; it displayed “Domain has been assigned”. This means the subdomain is not running any service but the record is still active (a 404 NOT FOUND page is another sign of this), and I came to know that the subdomain belongs to Tilda services. Since I can’t disclose the program name publicly, let us assume example.com as the root domain; the vulnerable subdomain looks like pdf.example.com.

Fig. 1

As we can see in the Fig. 1 webpage window, I realized that something was different because the name carries pdf as a prefix to its root domain. Generally, pdf would be a directory listed on the web server, for example https://example.com/pdf, and here we can do some malicious thing.
So, I visited tilda.com, created an account, created my webpage and linked it to the subdomain I had discovered earlier.

Fig. 2

And BooM!! The organization was successfully hacked, and it was ethically reported.

You can also check out EdOverflow’s GitHub repository below for reference.

GitHub — EdOverflow/can-i-take-over-xyz: “Can I take over XYZ?” — a list of services and how to claim (sub)domains with dangling DNS records.

Hope you’ve enjoyed. Thank you for reading :)
