Morning, 4th march, I woke up and cheked my phone.
There was a Facebook notification “8 new certificates for redacted.com or its subdomain were issued by ##########”
I reported couple of bugs to this program three months before, I thought, i should start again reconnaissance on this program.
so i fired my recon script for redacted.com in my VPS.
I use a script that enumerate subdomains, resolve all of them using massdns and check status:NXDOMAIN of Dangling DNS records of subdomains pointing to Azure and ElasticBeanstalk services.
After that i have to mannually check azure and ElasticBeanstalk instances are available to claim or not.
after 5–6 hours, i got a notification that “Recon completed for redacted.com”. I am starting to check vulnerable.txt file, there was 14 subdomains, that could be vulnerable.
Dangling DNS records of all the subdomains were pointing to AWS ElasticBeanstalk instances in us-east region.
I went over to AWS Console at the us-east-1 region and started the environment creation process. There are Two types of Environment, We have to select web server environment.
Final step to check the subdomain is vulnerable if we are allowed to use the dangling DNS domain for our environment.
I checked all the instances one by one and I was shocked 11 out of 14 instances were available to claim.
I immediately claim all the instances and uploaded my POC page.
We can also use code pipeline and connect it to ElasticBeanstalk instance for POC generation.
I confirmed all the subdomains was showing my POC page
After 2 days, I got another notification “3 new certificates for redacted.com or its subdomain were issued by ##########”.
So I have quick recon script for quickly enunmerate subdomains, resolve the subdomains using massdns, check the subdomain takeovers and put the vulnerable subdomains to vulnerable.txt file.
I was able to takeover 1 another subdomain which were pointing to AWS ElasticBeanstalk in us-east-1 region.
Reported and earned $$$$
Drop a clap 👏, If you like this writeup and follow me on