Hello again!
It has been a while since I have written anything here. I've been quite busy as I moved to Australia, and it took me a while to settle down. I am grateful to have the opportunity to work with some of the best offensive security consultants and hope to add more content and techniques that I have learnt.
With that out of the way, this post is about an attack vector that is nothing new in the bug bounty landscape. It is probably the easiest bug to find that still carries a high-value reward. There are many tools that automate the whole process of identifying the vulnerability and performing hostile takeovers. In this post, I will explain how I stumbled on a subdomain takeover. 🙂
GitHub Pages can be configured to serve a website on a custom domain. In this case, mosse-institute was setting up an online cyber security training platform and was open to invitations to test it. The application is set up on platform.mosse-institute.com.
However, mosse-institute also has another website, mosse-security.com. While reviewing the contents of the two, I thought platform.mosse-security.com was the training web app. This resulted in the following error.
Now this is the classic indicator of a subdomain takeover. In simple terms, the platform.mosse-security.com domain is pointing to GitHub Pages, but nothing on GitHub's end is configured to serve that domain, so GitHub answers with a 404 error. On that basis, I checked other subdomains, and every subdomain I tried returned the same 404 error.
So how is this a problem? If a subdomain is already configured at your registrar or DNS provider (Namecheap, GoDaddy, ...) to point at the GitHub Pages servers 185.199.108.153, 185.199.109.153, 185.199.110.153 and 185.199.111.153, but no GitHub Pages site has claimed that custom domain, then anyone with a valid GitHub account can set up a GitHub Pages site, claim the domain and publish whatever content they like under it. The fix is either to remove the dangling DNS record or to claim the domain on a GitHub Pages site you control.
In this case, every subdomain (*) of mosse-security.com was pointing to GitHub, not just platform.mosse-security.com. To perform a takeover, I logged on to my GitHub account and created a test HTML page containing just a comment, as shown in the screenshot. To remain discreet, I took over a random subdomain as a proof of concept.
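As an added example (not the author's code), here is a defender-side check for the condition described above: it flags hosts whose DNS points at the four GitHub Pages addresses or at a *.github.io CNAME while GitHub still answers with its unclaimed 404 page, and it probes a made-up label to catch the wildcard record the post found. The zone data, HTTP responses and example.com names are constructed; the 404 phrase is an assumption about the wording of GitHub's page.

```python
import re
from typing import Dict, List, Tuple

# The four GitHub Pages addresses named in the post.
GITHUB_PAGES_IPS = {
    "185.199.108.153", "185.199.109.153",
    "185.199.110.153", "185.199.111.153",
}
# Text GitHub serves when no Pages site owns the requested host (assumption about wording).
UNCLAIMED = re.compile(r"there isn't a github pages site here", re.I)

# Constructed DNS answers standing in for live lookups (hypothetical zone).
ZONE: Dict[str, Dict[str, List[str]]] = {
    "platform.example.com": {"A": sorted(GITHUB_PAGES_IPS)},
    "docs.example.com": {"CNAME": ["example.github.io."]},
    "www.example.com": {"A": ["203.0.113.10"]},
    "*.example.com": {"A": sorted(GITHUB_PAGES_IPS)},  # wildcard record
}
# Constructed HTTP responses keyed by host: (status, body).
HTTP: Dict[str, Tuple[int, str]] = {
    "platform.example.com": (404, "<p>There isn't a GitHub Pages site here.</p>"),
    "docs.example.com": (200, "<html>Project docs</html>"),
    "www.example.com": (200, "<html>Corporate site</html>"),
}

def resolve(name: str) -> Dict[str, List[str]]:
    """Answer for name, falling back to the zone's wildcard like a resolver would."""
    if name in ZONE:
        return ZONE[name]
    parent = name.split(".", 1)[1]
    return ZONE.get("*." + parent, {})

def points_to_github_pages(records: Dict[str, List[str]]) -> bool:
    """True if the A records hit GitHub Pages or the CNAME targets *.github.io."""
    if any(ip in GITHUB_PAGES_IPS for ip in records.get("A", [])):
        return True
    return any(c.rstrip(".").endswith(".github.io") for c in records.get("CNAME", []))

def is_dangling(name: str) -> bool:
    """DNS hands the host to GitHub, yet GitHub answers with its unclaimed 404."""
    if not points_to_github_pages(resolve(name)):
        return False
    status, body = HTTP.get(name, (404, ""))
    return status == 404 and bool(UNCLAIMED.search(body))

def audit(names: List[str], zone: str = "example.com") -> List[str]:
    """Flag dangling hosts, then probe a made-up label to expose a wildcard record."""
    findings = [n for n in names if is_dangling(n)]
    if points_to_github_pages(resolve(f"zz-unused-label.{zone}")):
        findings.append(f"*.{zone} (wildcard points to GitHub Pages)")
    return findings
```

Against a live zone you would replace the ZONE and HTTP dictionaries with real DNS lookups and HTTP requests carrying the probed hostname in the Host header.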
I contacted mosse-security and he fixed this right away. 🙂
Thanks for reading!