A hostile subdomain takeover!

Hello again!

It has been a while since I have written anything here. I’ve been quite busy as I moved to Australia and it took me a while to settle down. I am grateful to have the opportunity to work with some of the best offensive security consultants and hope to add some more content and techniques that I learnt.

With that out of the way, this post is about an attack vector that is nothing new in the bug bounty landscape. It is probably the easiest bug to find that still carries a high-value reward. Many tools have been written that automate the whole process of identifying the vulnerability and performing hostile takeovers. In this post, I will explain how I stumbled on a subdomain takeover. 🙂

GitHub Pages can be configured to serve a website. In this case, mosse-institute was setting up an online cyber security training platform and was open to invitations to test the platform. The application is set up on platform.mosse-institute .com.

However, mosse-institute also has another website, mosse-security . com. While reviewing the contents across the two, I thought platform.mosse-security.com was the training web app. This resulted in the following error.

Now this is the classic indicator of a subdomain takeover. In simple terms, the ‘platform.mosse-security. com’ domain is pointing to GitHub Pages, but there is nothing on GitHub's end that claims this domain, so the request results in a 404 error. Given that, I checked other subdomains, and every subdomain I tried returned the same 404 error.

So how is this a problem? If a subdomain's DNS record at your registrar (Namecheap, GoDaddy, …) already points to the GitHub Pages servers 185.199.108.153, 185.199.109.153, 185.199.110.153 and 185.199.111.153, then anyone with a valid GitHub account can set up a GitHub Pages site, claim that domain as its custom domain and serve any content under it.

In this case, any subdomain (*) of mosse-security. com was pointing to GitHub, not just platform.mosse-security. com. To perform a takeover, I logged on to my GitHub account and created a test HTML page with just a comment, as shown in the screenshot. To remain discreet, I performed a takeover of a random subdomain as a proof of concept.
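The two conditions described above (A records at the four GitHub Pages addresses, and a 404 because no site claims the name) can be checked from the defender's side before anyone else does. This is an example added here, not the author's tooling: the GitHub 404 wording is an assumption, the `mosse-example.test` zone and the `probe-` label are constructed stand-ins, and `audit` adds one random label so that the wildcard case from the post (every subdomain pointing at GitHub) shows up as well.

```python
import secrets
import socket
import urllib.error
import urllib.request
GITHUB_PAGES_IPS = {"185.199.108.153", "185.199.109.153",   # the four A records
                    "185.199.110.153", "185.199.111.153"}   # named in the post
# Assumption: wording of GitHub's 404 page for an unclaimed Pages host.
UNCLAIMED_MARKER = "There isn't a GitHub Pages site here"

def points_to_github_pages(addresses):
    addrs = set(addresses)
    return bool(addrs) and addrs <= GITHUB_PAGES_IPS

def classify(addresses, status, body):
    """'dangling' = DNS points at GitHub Pages but nothing claims the name."""
    if not points_to_github_pages(addresses):
        return "not-github-pages"
    if status == 404:
        return "dangling" if UNCLAIMED_MARKER in body else "404-review"
    return "claimed"

def resolve(hostname):
    try:
        return socket.gethostbyname_ex(hostname)[2]
    except OSError:  # NXDOMAIN, SERVFAIL or no network
        return []

def fetch(hostname):  # -> (status, body prefix); urllib raises on 404
    try:
        with urllib.request.urlopen(f"http://{hostname}/", timeout=10) as r:
            return r.status, r.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(4096).decode("utf-8", "replace")
    except OSError:  # URLError and timeouts both derive from OSError
        return None, ""

def audit(zone, labels, lookup=resolve, get=fetch):
    """Classify labels plus one random probe label; a probe hit means a wildcard."""
    report = {}
    for label in list(labels) + ["probe-" + secrets.token_hex(4)]:
        host = f"{label}.{zone}"
        addrs = lookup(host)
        status, body = get(host) if points_to_github_pages(addrs) else (None, "")
        report[host] = classify(addrs, status, body)
    return report
# Constructed offline stand-ins (not real records) for the post's wildcard case.
def fake_lookup(host):
    return ["185.199.110.153"] if host.endswith(".mosse-example.test") else []
def fake_get(host):
    return 404, "<p>There isn't a GitHub Pages site here.</p>"
```

Running `audit("your-zone.example", ["platform", "www"])` with the default `resolve` and `fetch` performs the live check; a "dangling" verdict on the probe label is the wildcard situation from the post and means the whole zone needs its record removed or pointed somewhere that is claimed.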

I contacted mosse-security and he fixed this right away. 🙂

Thanks for reading!


Published by Ramnath Shenoy

I work as a penetration tester and this blog is just some of my personal notes!
