How i hijacked 12 Subdomains in one Program

Morning, 4th march, I woke up and cheked my phone.

There was a Facebook notification “8 new certificates for redacted.com or its subdomain were issued by ##########

Facebook notification for new certificates

I reported couple of bugs to this program three months before, I thought, i should start again reconnaissance on this program.

so i fired my recon script for redacted.com in my VPS.

I use a script that enumerate subdomains, resolve all of them using massdns and check status:NXDOMAIN of Dangling DNS records of subdomains pointing to Azure and ElasticBeanstalk services.

Dangling DNS record of subdomain

After that i have to mannually check azure and ElasticBeanstalk instances are available to claim or not.

after 5–6 hours, i got a notification that “Recon completed for redacted.com”. I am starting to check vulnerable.txt file, there was 14 subdomains, that could be vulnerable.

Dangling DNS records of all the subdomains were pointing to AWS ElasticBeanstalk instances in us-east region.

I went over to AWS Console at the us-east-1 region and started the environment creation process. There are Two types of Environment, We have to select web server environment.

selecting environment type

Final step to check the subdomain is vulnerable if we are allowed to use the dangling DNS domain for our environment.

using danging DNS domain

I checked all the instances one by one and I was shocked 11 out of 14 instances were available to claim.

I immediately claim all the instances and uploaded my POC page.

uploading POC

We can also use code pipeline and connect it to ElasticBeanstalk instance for POC generation.

I confirmed all the subdomains was showing my POC page

After 2 days, I got another notification “3 new certificates for redacted.com or its subdomain were issued by ##########”.

So I have quick recon script for quickly enunmerate subdomains, resolve the subdomains using massdns, check the subdomain takeovers and put the vulnerable subdomains to vulnerable.txt file.

I was able to takeover 1 another subdomain which were pointing to AWS ElasticBeanstalk in us-east-1 region.

Reported and earned $$$$

Drop a clap 👏, If you like this writeup and follow me on

Twitter: @nvk0x

Linkedin: @naveenkmt

Instagram: @nvk0x

#Bug bounty #Machine Learning #Cyber Security Researcher #Learner

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store