Subdomain takeover via nolt.io

KreSec
2 min read · Sep 5, 2023

Exploit subdomain takeover via Nolt. Nolt is a beautiful, collaborative place for all your user requests — no more outdated spreadsheets or chaotic Trello boards.

Image 1. Successful takeover

Why does subdomain takeover happen?

In general, when a developer wants to connect their subdomain or root domain, they have to work with a CNAME record. Each service has a different CNAME, …

Exploitation

I have prepared a target list to find which subdomains have the CNAME “cname.nolt.io”. As for the command, I only use the httpx tool.

root@kresec:~# cat nolt | httpx -cname -sc -fr -title -silent  
https://feedback.redacted.com [200] [Sign in] [cname.nolt.io]
https://feedback.redacted.rocks [404] [Page not found] [cname.nolt.io]
http://feedback.redacted.app [404] [Heroku | Application Error] [cname.nolt.io]
http://feedback.redacted2.com [404] [Heroku | Application Error] [cname.nolt.io]

root@kresec:~# dig vuln.redacted.com | grep CNAME
vuln.redacted.com. 0 IN CNAME cname.nolt.io.
cname.nolt.io. 0 IN CNAME wildcard.nolt.io.herokudns.com.

Vulnerable identification

With the httpx output above, I did some identification to find out which ones are really vulnerable to takeover. After doing various experiments, I concluded that a vulnerable subdomain has these signs:
— No ssl / ssl errors
— Title : Heroku | Application Error
— Status code : 404
— Connected with : cname.nolt.io
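The checklist above, written as a filter over httpx output for auditing your own DNS inventory. This is an added example, not code from the original post: the function names and the sample hostnames are constructed, and treating an http:// result as "no SSL / SSL errors" is an assumption.

```python
import re

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # strip ANSI colour codes if present
LINE = re.compile(
    r"^(?P<url>https?://\S+)\s+\[(?P<status>[\d,]+)\]\s+"
    r"\[(?P<title>.*?)\]\s+\[(?P<cname>[^\]]*)\]\s*$"
)
NOLT_CNAME = "cname.nolt.io"                 # from the article
HEROKU_TITLE = "Heroku | Application Error"  # from the article

def parse_line(line):
    """Parse one `httpx -cname -sc -fr -title -silent` line, or return None."""
    m = LINE.match(ANSI.sub("", line).strip())
    if not m:
        return None
    return {
        "url": m["url"],
        # tolerate a comma-separated list of status codes; use the last one
        "status": int(m["status"].split(",")[-1]),
        "title": m["title"].strip(),
        "cnames": [c.strip().rstrip(".").lower() for c in m["cname"].split(",")],
    }

def fingerprint(rec):
    """Evaluate the article's four indicators for one parsed record."""
    return {
        "cname": NOLT_CNAME in rec["cnames"],
        "status_404": rec["status"] == 404,
        "heroku_title": rec["title"] == HEROKU_TITLE,
        # Assumption: an http:// URL means the HTTPS probe failed (no or broken TLS).
        "no_tls": rec["url"].startswith("http://"),
    }

def dangling(report):
    """Return the URLs in an httpx report that match all four indicators."""
    recs = (parse_line(line) for line in report.splitlines())
    return [r["url"] for r in recs if r and all(fingerprint(r).values())]

# Constructed sample input using reserved example domains.
SAMPLE = """\
https://feedback.example.com [200] [Sign in] [cname.nolt.io]
https://feedback.example.net [404] [Page not found] [cname.nolt.io]
http://feedback.example.org [404] [Heroku | Application Error] [cname.nolt.io]
http://status.example.org [404] [Heroku | Application Error] [apps.example.invalid]
"""

if __name__ == "__main__":
    for url in dangling(SAMPLE):
        print("dangling Nolt CNAME, remove the record or reclaim the board:", url)
```
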

How to set a custom domain

I don’t want to explain at length here; the official Nolt article is clear and complete on how to set up a custom domain. Open this article: https://nolt.io/help/custom-domain

Image 2. If successful it will raise the response “true”

See Image 2. After you follow the Nolt article above, if the site is really vulnerable, it will return the response “true”.

Successful takeover

Finally, the subdomain should look like Image 1. above once it’s successfully taken over.

Yeahh!

Thanks

Thank you very much to those of you who want to clap, share, or discuss this post.
You can also help by subscribing to my YouTube channel and my community:
https://www.youtube.com/@kresec
https://www.youtube.com/@tegalsec1121
https://tegalsec.org/