Morning, 4th March, I woke up and checked my phone.
There was a Facebook notification: "8 new certificates for redacted.com or its subdomains were issued by ##########".
I had reported a couple of bugs to this program three months before, so I thought I should recon this program again.
So I connected to my VPS and fired up my recon script for redacted.com. After 5–6 hours, I got a notification that "Recon completed for redacted.com".
I use a script that enumerates subdomains, resolves all of them with massdns, and flags dangling DNS records: subdomains whose CNAME points to an Azure or Elastic Beanstalk hostname that itself returns NXDOMAIN (the service endpoint was deleted but the customer's CNAME still points at it).
After that I still have to check manually whether each Azure or Elastic Beanstalk hostname is actually available to claim, because an NXDOMAIN target is only a candidate, not a confirmed takeover.
I started going through the vulnerable.txt file; there were 14 subdomains that could be vulnerable.
The dangling DNS records of all of them pointed to AWS Elastic Beanstalk instances in the us-east region.
I went over to the AWS Console, selected the us-east-1 region (the region is part of the dangling hostname, and the environment has to be created in that same region) and started the environment creation process. There are two environment tiers, web server and worker; we have to select the web server environment, since only that tier gets a public CNAME.
The final step is what confirms the subdomain is vulnerable: if Elastic Beanstalk reports that the dangling hostname's prefix is available as the CNAME for our new environment, the record can be taken over.
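As an added example (not the author's recon script, whose code is not on the page), here is how the two steps above can be chained: parse massdns ndjson output for NXDOMAIN answers whose CNAME points to an Elastic Beanstalk hostname, split that hostname into the CNAME prefix and region that environment creation needs, and emit the `aws elasticbeanstalk check-dns-availability` call that answers the "can I claim it?" question from the CLI instead of clicking through the console. The sample massdns lines and the redacted.com hostnames are constructed; the ndjson field names (`name`, `status`, `data.answers[].type`/`data`) are assumed from massdns's `-o J` output; only Elastic Beanstalk targets are handled here, not the Azure ones the author's script also covers; and treating a legacy region-less `*.elasticbeanstalk.com` hostname as belonging to a default region is an assumption.

```python
"""Triage massdns ndjson output for dangling Elastic Beanstalk CNAMEs.

Added example, not the author's script. Assumes massdns was run with
`-o J` (one JSON object per line) and uses the field names shown in the
constructed sample below.
"""
import json
import re

# Constructed sample of massdns `-o J` output, four cases:
#  1. NXDOMAIN, CNAME to a regional EB hostname        -> candidate
#  2. NXDOMAIN, CNAME to a legacy region-less EB host   -> candidate
#  3. NOERROR, CNAME to EB that still resolves          -> not dangling
#  4. NXDOMAIN with no CNAME at all                     -> dead, but not EB
SAMPLE_MASSDNS = r'''
{"name":"app.redacted.com.","type":"A","class":"IN","status":"NXDOMAIN","data":{"answers":[{"ttl":300,"type":"CNAME","class":"IN","name":"app.redacted.com.","data":"redacted-app-env.us-east-1.elasticbeanstalk.com."}]}}
{"name":"legacy.redacted.com.","type":"A","class":"IN","status":"NXDOMAIN","data":{"answers":[{"ttl":300,"type":"CNAME","class":"IN","name":"legacy.redacted.com.","data":"redacted-legacy.elasticbeanstalk.com."}]}}
{"name":"live.redacted.com.","type":"A","class":"IN","status":"NOERROR","data":{"answers":[{"ttl":300,"type":"CNAME","class":"IN","name":"live.redacted.com.","data":"redacted-live.us-east-1.elasticbeanstalk.com."},{"ttl":60,"type":"A","class":"IN","name":"redacted-live.us-east-1.elasticbeanstalk.com.","data":"203.0.113.10"}]}}
{"name":"old.redacted.com.","type":"A","class":"IN","status":"NXDOMAIN","data":{"answers":[]}}
'''

# EB hostnames: prefix.REGION.elasticbeanstalk.com (current) or the
# legacy prefix.elasticbeanstalk.com without a region segment.
EB_RE = re.compile(
    r"^(?P<prefix>[a-z0-9-]+)"
    r"(?:\.(?P<region>[a-z]{2}(?:-gov)?-[a-z]+-\d))?"
    r"\.elasticbeanstalk\.com\.?$",
    re.IGNORECASE,
)


def find_dangling_eb(ndjson_text):
    """Return (subdomain, eb_hostname) pairs whose CNAME points at an
    Elastic Beanstalk hostname that no longer resolves (NXDOMAIN)."""
    hits = []
    for line in ndjson_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("status") != "NXDOMAIN":
            continue  # target still exists (or SERVFAIL etc.): not dangling
        for ans in rec.get("data", {}).get("answers", []):
            if ans.get("type") == "CNAME" and EB_RE.match(ans["data"]):
                hits.append((rec["name"].rstrip("."), ans["data"].rstrip(".")))
    return hits


def eb_claim_target(eb_hostname):
    """Split an EB hostname into the CNAME prefix and region needed when
    creating the environment. Legacy hostnames carry no region, so the
    region comes back as None and the caller must pick one."""
    m = EB_RE.match(eb_hostname)
    if not m:
        raise ValueError(f"not an Elastic Beanstalk hostname: {eb_hostname}")
    return m.group("prefix"), m.group("region")


def availability_commands(ndjson_text, default_region="us-east-1"):
    """For every dangling EB CNAME, build the AWS CLI call that checks
    whether the prefix can still be claimed. A region-less legacy
    hostname is checked in default_region (assumption)."""
    cmds = []
    for sub, target in find_dangling_eb(ndjson_text):
        prefix, region = eb_claim_target(target)
        cmds.append(
            "aws elasticbeanstalk check-dns-availability "
            f"--cname-prefix {prefix} --region {region or default_region}"
            f"  # {sub} -> {target}"
        )
    return cmds


if __name__ == "__main__":
    for cmd in availability_commands(SAMPLE_MASSDNS):
        print(cmd)
```

Run the printed commands with credentials for your own AWS account: a response with `"Available": true` means the prefix is unclaimed in that region and the environment creation described above will succeed; `false` means the target is gone from DNS for some other reason and the subdomain is not a takeover.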
I checked all the instances one by one and was shocked: 11 out of 14 were available to claim.
I immediately claimed all of them and uploaded my POC page.
We can also use AWS CodePipeline to deploy the POC.
[Screenshot: working POC]
After 2 days, I got another notification: "3 new certificates for redacted.com or its subdomains were issued by ##########".
So I ran my quick recon script, which enumerates subdomains, resolves them with massdns, checks for subdomain takeovers, and writes the vulnerable subdomains to the vulnerable.txt file.
I was able to take over one more subdomain, which was pointing to AWS Elastic Beanstalk in the us-east-1 region.
Reported and earned $$$$.
Drop a clap 👏 if you like this writeup, and follow me on
Twitter: @nvk0x
Linkedin: @naveenkmt
Instagram: @nvk0x