Exploiting Subdomain Takeover Vulnerabilities via teamwork.com
Why does subdomain takeover happen?
In general, when a developer wants to connect his subdomain/rootdomain, he has to play with CNAME. Each service has a different cname,….. Read More
Exploitation
I have prepared a target list to find which subdomain has the cname “sslproxy.teamwork.com” as for the command, I only use the httpx tool.
root@kresec:$ cat list.txt | httpx -silent -title -mc 200 -cname | grep “sslproxy.teamwork.com”
https://collaboration.redacted.com [200] [Teamwork Projects] [sslproxy.teamwork.com]
Vulnerable identification
Normally if a subdomain or site that points its cname to belongs to teamwork.com it will display the teamwork login page, but with an error “maybe” they have deleted it in the teamwork dashboard and the cname of teamwork is still connected so the site can be taken over. For more details other than the identification of the cname, ssl error, you can see if accessed it will display “Oops — We did not find your site.”
How to add domain
I don’t want to explain too long here, the official Teamwork article is quite clear and complete to know how to do a custom domain. Open this article : https://support.teamwork.com/projects/general-settings/using-a-custom-domain-name
See Image 3. after you follow the frill article above, if the site is really vulnerable it will raise an allert “Added sub.redacted.com”
Successful takeover
Finally, the subdomain will look like “ Image 1” once it is successfully taken over.
Reference
https://github.com/Echocipher/Subdomain-Takeover/blob/master/providers.json
Thanks
Thank you very much for those of you who want to clap, share, discuss this post.
You can also help subscribe to my YouTube channel & my community
https://www.youtube.com/@kresec
https://www.youtube.com/@tegalsec1121
https://tegalsec.org/