Before going into further discussion, why does subdomain takeover happen?
In general, when a developer wants to connect a subdomain or root domain to a third-party service, they have to set up a CNAME record. Each service uses a different CNAME target, and each service has also implemented security measures to prevent subdomain takeover, but developers are not paying enough attention. The mistake is simple: the developer stops using the subdomain and deletes the domain on the service side, but forgets to delete the CNAME record on the DNS/hosting side. The dangling CNAME still points at the service, so an attacker only needs to claim the subdomain on the service side, with no need to touch the DNS records at all. Already starting to understand, huh?
A short story of how I came to discover this vulnerability:
I had been looking for Metabase vulnerabilities on Shodan but had no luck, always finding non-vulnerable ones :)
Seeing that one site looked pretty good, I did subdomain enumeration and recon with httpx for fun, and found a subdomain with the title "[Custom domain check]":
root@pondev:~# subfinder -d redacted.com -recursive | httpx -sc -title
http://activation.redacted.com [302] []
https://trail.redacted.com [200] [Custom domain check]
https://redacted.com [200] [Redacted | Redacted made simple]
https://referrals.redacted.com [302] [Object moved]
https://enroll.redacted.com [200] [Redacted — Claim your membership]
This is what it looked like when I accessed it. Remembering subdomain takeover, I immediately used the dig command to find out which service it pointed to. (Image 3.)
Then I found this article https://www.lemlist.com/blog/custom-tracking-domain with the keyword "Lemlist Custom Domain".
Then, from a 10k list of subdomains that I checked with httpx -sc -fr -silent, I was confused why all the status codes were 200 OK, because a vulnerable subdomain takeover usually returns a 404. I tried adding the subdomains but always got the response "already used in another team".
cat list | httpx -sc -fr -silent
http://trail.redacted1.com [200] [Custom domain check]
https://trail.redacted2.com [200] [Custom domain check]
https://trail.redacted3.com [200] [Custom domain check]
http://trail.redacted4.com [200] [Custom domain check]
http://trail.redacted5.net [200] [Custom domain check]
https://trail.redacted6.com [200] [Custom domain check]
https://trail.redacted7.com [200] [Custom domain check]
http://trail.redacted8.io [200] [Custom domain check]
https://trail.redacted9.com [200] [Custom domain check]
http://trail.redacted10.com [302,301,200] [Mercusuar — Situs Not Found] [https://mercusuar.uzone.id]
But after looking at the results again, there was a difference in the protocol (http vs https). I re-added the subdomains whose protocol was "http" and yeah, it worked.
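As an added example (not code from the original post or from lemlist), here is a small Python triage script for defenders that parses the httpx output format shown above and flags hosts that serve the "Custom domain check" title over plain http only, which is exactly the difference observed between claimed and unclaimed custom domains. It assumes the httpx line layout seen in the writeup; the sample lines are constructed to mirror the redacted output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# httpx -sc -title / -fr output as seen in the writeup (layout assumed from that output):
#   https://host [200] [Title]          or          http://host [302,301,200] [Title] [final-url]
HTTPX_LINE = re.compile(r'^(?P<url>\S+)\s+\[(?P<codes>[\d,]+)\]\s*(?P<rest>.*)$')
FINGERPRINT = "Custom domain check"  # placeholder title a lemlist custom tracking domain serves

@dataclass
class Probe:
    scheme: str
    host: str
    codes: List[int]
    title: str
    final_url: Optional[str]

def parse_httpx_line(line: str) -> Optional[Probe]:
    """Parse one httpx result line; shell prompts and commands yield None."""
    m = HTTPX_LINE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    fields = re.findall(r'\[([^\]]*)\]', m.group("rest"))  # [title] and optional [final-url]
    return Probe(parts.scheme, parts.hostname or "", [int(c) for c in m.group("codes").split(",")],
                 fields[0] if fields else "", fields[1] if len(fields) > 1 else None)

def triage(lines: List[str]) -> List[str]:
    """Hosts serving the placeholder title that only answer over http.
    httpx probes https first, so an http:// result means no certificate was ever
    issued for that host, i.e. nobody has claimed it on the service side: the CNAME
    is dangling and should be removed from DNS (or the domain re-claimed)."""
    by_host = {}
    for line in lines:
        p = parse_httpx_line(line)
        if p:
            by_host.setdefault(p.host, []).append(p)
    findings = []
    for host, probes in by_host.items():
        fingerprinted = any(p.title == FINGERPRINT and 200 in p.codes for p in probes)
        if fingerprinted and not any(p.scheme == "https" for p in probes):
            findings.append(host)
    return sorted(findings)

# Constructed sample mirroring the redacted httpx output in the writeup.
SAMPLE = [
    "cat list | httpx -sc -fr -silent",
    "http://trail.redacted1.com [200] [Custom domain check]",
    "https://trail.redacted2.com [200] [Custom domain check]",
    "http://trail.redacted4.com [200] [Custom domain check]",
    "http://trail.redacted5.net [200] [Custom domain check]",
    "https://trail.redacted7.com [200] [Custom domain check]",
    "http://trail.redacted8.io [200] [Custom domain check]",
    "http://trail.redacted10.com [302,301,200] [Mercusuar - Situs Not Found] [https://mercusuar.uzone.id]",
]
```

Feed it the raw output of `subfinder ... | httpx -sc -title` for your own domains; every host it returns still has a CNAME pointing at the service with nothing claimed behind it.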
Thanks
Thank you very much to those of you who clap, share and discuss this post.
You can also subscribe to my YouTube channel & my community:
https://www.youtube.com/@kresec
https://www.youtube.com/@tegalsec1121