How I hijacked 12 Subdomains in one Program

Naveen kumawat
3 min read · May 17, 2021

Morning of 4th March: I woke up and checked my phone.

There was a Facebook notification: “8 new certificates for redacted.com or its subdomains were issued by ##########”.

[Screenshot: Facebook notification for new certificates]

I had reported a couple of bugs to this program three months before, so I thought I should start reconnaissance on it again.

So I fired up my recon script for redacted.com on my VPS.

I use a script that enumerates subdomains, resolves all of them with massdns, and checks for NXDOMAIN responses from dangling DNS records of subdomains pointing to Azure and Elastic Beanstalk services.

[Screenshot: dangling DNS record of a subdomain]

After that I have to check manually whether the Azure and Elastic Beanstalk instances are available to claim.

After 5–6 hours I got the notification “Recon completed for redacted.com”. I started checking the vulnerable.txt file: there were 14 subdomains that could be vulnerable.

The dangling DNS records of all these subdomains pointed to AWS Elastic Beanstalk instances in the us-east region.

I went to the AWS Console in the us-east-1 region and started the environment creation process. There are two types of environment; we have to select the web server environment.

[Screenshot: selecting the environment type]

The final check for whether the subdomain is vulnerable is whether we are allowed to use the dangling DNS name for our environment.

[Screenshot: using the dangling DNS name]

I checked all the instances one by one and was shocked: 11 out of 14 were available to claim.

I immediately claimed all the instances and uploaded my PoC page.

[Screenshot: uploading the PoC]

We can also use CodePipeline connected to the Elastic Beanstalk instance to generate the PoC.

I confirmed that all the subdomains were showing my PoC page.

After 2 days I got another notification: “3 new certificates for redacted.com or its subdomains were issued by ##########”.

So I have a quick recon script that enumerates subdomains, resolves them with massdns, checks for subdomain takeovers and writes the vulnerable subdomains to the vulnerable.txt file.
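The dangling-record check the recon script performs (described here and earlier in the post), written out as an added example that is not the author's script: it parses CNAME records from a zone export, keeps those whose target is under a claimable service suffix, and flags the ones whose target returns NXDOMAIN. The record format, the sample records and the status table are constructed for the example; a real audit would plug a live resolver into `status_of`.

```python
"""Audit a zone's CNAME records for dangling cloud-service targets.

The input line format, sample records and FAKE_STATUS table below are
constructed for this example; adapt parse_cname_lines() to whatever your
resolver (e.g. massdns) emits and pass a real lookup as status_of.
"""
import re
from typing import Callable, List, Tuple

# Suffixes of the services the writeup discusses. A CNAME whose target lives
# under one of these AND no longer resolves is a takeover candidate.
CLAIMABLE_SUFFIXES = (
    ".elasticbeanstalk.com",
    ".azurewebsites.net",
    ".cloudapp.azure.com",
)

_CNAME_LINE = re.compile(r"^(?P<name>\S+)\s+CNAME\s+(?P<target>\S+)$", re.I)


def parse_cname_lines(text: str) -> List[Tuple[str, str]]:
    """Return (name, target) pairs, lower-cased, trailing dots stripped; other records ignored."""
    pairs = []
    for line in text.splitlines():
        m = _CNAME_LINE.match(line.strip())
        if m:
            pairs.append((m["name"].rstrip(".").lower(), m["target"].rstrip(".").lower()))
    return pairs


def is_claimable_target(target: str) -> bool:
    """True if the CNAME target is hosted on a service where names can be re-registered."""
    return target.endswith(CLAIMABLE_SUFFIXES)


def find_dangling(pairs: List[Tuple[str, str]], status_of: Callable[[str], str]) -> List[Tuple[str, str]]:
    """Keep CNAMEs to a claimable service whose target's rcode is NXDOMAIN."""
    return [(n, t) for n, t in pairs if is_claimable_target(t) and status_of(t) == "NXDOMAIN"]


# Constructed sample zone: one Elastic Beanstalk environment has been deleted.
SAMPLE_RECORDS = """\
app.example.test.   CNAME  old-env.us-east-1.elasticbeanstalk.com.
shop.example.test.  CNAME  live-env.us-east-1.elasticbeanstalk.com.
blog.example.test.  CNAME  blog.hosting.example.test.
www.example.test.   A      203.0.113.10
"""
FAKE_STATUS = {  # constructed rcodes standing in for live DNS answers
    "old-env.us-east-1.elasticbeanstalk.com": "NXDOMAIN",
    "live-env.us-east-1.elasticbeanstalk.com": "NOERROR",
}


def audit_sample() -> List[Tuple[str, str]]:
    """Run the check over the constructed data; returns the dangling (name, target) pairs."""
    return find_dangling(parse_cname_lines(SAMPLE_RECORDS), lambda t: FAKE_STATUS.get(t, "NOERROR"))


if __name__ == "__main__":
    for name, target in audit_sample():
        print(f"DANGLING {name} -> {target}")
```

On a real zone, every flagged pair is a record to delete or re-point before anyone else can register the target.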

I was able to take over one more subdomain, which was pointing to AWS Elastic Beanstalk in the us-east-1 region.

Reported and earned $$$$.

Drop a clap 👏 if you like this writeup, and follow me on

Twitter: @nvk0x

Linkedin: @naveenkmt

Instagram: @nvk0x


Naveen kumawat

Cybersecurity professional and ethical hacker with over 3 years of experience with an interest in offensive security, automation, and bug bounty.