In the name of Allah
Hi guys, I’m here again, YoungVanda. In this write-up I’m gonna talk about Meteor Subdomain Takeover, from a simple recon to one of the trickiest exploitations of my life 😉
In this write-up, I explained everything from the beginning. If you just want to get to the exploitation part, check out the Exploitation heading at the end.
Also if you haven’t read this write-up, give it a go. It’s a good write-up and it helped me a lot during the exploitation process.
It was a private program, with this scope: *.redacted.com
The first thing I do when facing a small company/target is just running Knockpy to get the vibe of the domain. Like:
I ran Knockpy and it gave me a few subdomains. I just opened them manually.
I use this Firefox extension for opening URLs manually, all at the same time. I found an interesting subdomain.
When I saw this page I said OK, usually these kinda messages could be a sign of Subdomain Takeover. I’m not a big fan of Subdomain Takeover, but I said why not!!! Let’s dive into it 🔥🔥🔥
For those who don’t know what Subdomain Takeover is:
What is Subdomain Takeover?
Write here ….
Note:
When I face such web pages and think they might be vulnerable to Subdomain Takeover, I usually check can-i-take-over-xyz. Also, I run Nuclei for this purpose 😁 because Nuclei has lots of community templates when it comes to Subdomain Takeover.
Back to the story: I ran Nuclei, and after a second Nuclei told me, you’re a lucky boy 😁 Just get out of here man. Get out of here.
Why has no one reported this before?
can-i-take-over-xyz didn’t have the Meteor Takeover in its resources.
There was no write-up about it except one, and you could not find it by Googling.
The only write-up was referenced in the Nuclei template. I even followed that write-up step by step, but it didn’t work.
How did I find the write-up?
In every Nuclei template there is usually extra information about the finding, even the way you can exploit the vulnerability. So here is what I did to find the write-up:
find . -name "template-name.yaml"
cat ./http/takeovers/template-name.yaml
Step — 1:
So I found the write-up. The first thing I did, according to the write-up, was installing Meteor:
What is Meteor?
Right here…
# Other ways here: https://docs.meteor.com/install.html
# I installed this way
curl https://install.meteor.com/ | sh
Step — 2:
The next step is creating a Meteor application. I used these commands:
# Execute the command with a normal user, not root.
mkdir poc && cd poc
meteor create --minimal .
Note:
For creating a Meteor application you shouldn’t be the root user. That was one of my problems, so to make this work I used my Amazon VPS with an ubuntu/normal user.
Step — 3:
So far, all the required files have been created. Go and change the file client/main.html and put your flag there:
<platform-username> POC Takeover
Step — 4:
Now, go to www.meteor.com and sign up. Also take note that you should put in your payment details to be able to use the custom subdomain feature.
meteor login # Enter your username & password
Step — 5:
It’s time for the final step.
DEPLOY_HOSTNAME=[CNAME] meteor deploy [sub.target.com]
In the [CNAME] part you put the CNAME of your subdomain, which you get with:
dig sub.target.com
But in my case it didn’t work. You can try these:
# Didn't work for me
DEPLOY_HOSTNAME=eu-west-1.galaxy.meteor.com meteor deploy [sub.target.com]
# Didn't work for me
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy [sub.target.com]
# Worked for me
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy [sub.target.com]
How I found this galaxy.meteor.com
I was disappointed that I couldn’t take over the subdomain. I spent around 10 hours, over two days, trying to exploit the vulnerability, but I wasn’t successful. Then, suddenly, I came up with an idea, though to me it was more like a shot in the dark :)
I discussed my problem on forums.meteor.com just asking for some help :)
Finally, after 2 days of exploiting and 3 days of waiting for some help, it worked !!!
Man, the moment I realised that the application is being deployed I was over the moon.
It was marvellous. Like a beautiful woman in a red dress with red lipstick
Like this woman:
Ohhh, my bad, sorry, I meant this one:
Ultimate Final Hot Cooking Recipe:
Ohhh, Mamacita, what a recipe !!! Yummy 😂😂😂
# Follow the steps with a normal user, not root.
curl https://install.meteor.com/ | sh
mkdir poc && cd poc
meteor create --minimal .
nano client/main.html # Put your <platform-username> POC Takeover
meteor login # Enter username and password - Sign up here: www.meteor.com
dig sub.target.com # Get the CNAME
# Try this one now:
DEPLOY_HOSTNAME=CNAME meteor deploy sub.target.com
# If didn't work, try this one:
DEPLOY_HOSTNAME=galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work, try this one:
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work, try this one: (this one worked for me)
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy sub.target.com
# Check out https://galaxy-guide.meteor.com/deploy-region.html for more regions
# If you still have problems deploying the target, do the trick !!!
# Go to https://forums.meteor.com and ask for some help
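The recon part of this story comes down to spotting a subdomain whose CNAME points at Meteor Galaxy. As an added example (not code from this write-up or from Meteor), the Python check below walks a zone's CNAME chains and flags every name that ends at the Galaxy hostnames mentioned above, so the owner can confirm each one is still claimed in a Galaxy account; the zone data and sample_lookup are constructed stand-ins for a real resolver.

```python
# Added example (not the write-up's own code): flag subdomains whose CNAME chain
# ends at a Meteor Galaxy host, so each can be checked as still claimed in Galaxy.
# Galaxy hosts named in the write-up; sub-labels of them count as Galaxy too.
GALAXY_SUFFIXES = ("galaxy.meteor.com", "galaxy-ingress.meteor.com")

# Constructed sample zone (name -> CNAME target); swap `sample_lookup` for a
# real resolver to audit a live zone. Includes a two-hop chain and a CNAME loop.
SAMPLE_CNAMES = {
    "app.example.com": "eu-west-1.galaxy.meteor.com.",
    "old.example.com": "legacy.example.com",
    "legacy.example.com": "galaxy-ingress.meteor.com",
    "loop-a.example.com": "loop-b.example.com",
    "loop-b.example.com": "loop-a.example.com",
}

def normalize(name):
    return name.rstrip(".").lower()  # drop the trailing dot resolvers return

def is_galaxy_host(host):
    host = normalize(host)
    return any(host == s or host.endswith("." + s) for s in GALAXY_SUFFIXES)

def resolve_chain(name, lookup, max_depth=8):
    """Follow CNAMEs from `name`; stop at a non-CNAME answer, a loop or max_depth."""
    chain, seen, current = [], {normalize(name)}, name
    for _ in range(max_depth):
        target = lookup(current)
        if target is None:
            break
        target = normalize(target)
        chain.append(target)
        if target in seen:  # CNAME loop: keep the hop for the report, stop here
            break
        seen.add(target)
        current = target
    return chain

def find_galaxy_cnames(names, lookup):
    """Return {subdomain: galaxy_host} for every name whose chain reaches Galaxy."""
    findings = {}
    for name in names:
        for hop in resolve_chain(name, lookup):
            if is_galaxy_host(hop):
                findings[normalize(name)] = hop
                break
    return findings

def sample_lookup(name):
    """Stand-in resolver over the constructed zone; None means no CNAME record."""
    return SAMPLE_CNAMES.get(normalize(name))
```

Calling find_galaxy_cnames(SAMPLE_CNAMES, sample_lookup) reports the three names that reach Galaxy and ignores the loop, which is the list to reconcile against the Galaxy account's claimed hostnames.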
Severity/Priority of this Takeover
It was a private RDP program so I really tried to escalate it to High/P2 by showing the scenario of Stored XSS. But it didn’t work. They closed it as Medium/P3.
Triager said this:
The Errors you might get during the takeover
After installing Meteor, create a directory and run the following steps in that directory:
curl https://install.meteor.com/ | sh
mkdir poc && cd poc
Create the Meteor application in a new directory and as a normal user, not root. Otherwise you’re gonna get this error:
ubuntu@369:~/poc$ meteor create --minimal .
The last error that you might encounter is gonna happen while deploying the application, with the same deploy commands as in the recipe above:
dig sub.target.com # Get the CNAME
Moral of the Story
The moment I realised that I wasn’t able to take over the subdomain, after 7 or 8 hours of trying, I was really sad and just watched anime. I used to be lazy when it came to exploitation. But I didn’t give up. The next day:
I watched multiple YouTube videos about how to deploy a Meteor application, and even about Meteor itself.
I read documents from docs.meteor.com, just to figure out what was going on.
Finally, when I was disappointed, I explained my problem on the forum, forums.meteor.com. I waited for 2 or 3 days, and finally someone answered my question and it actually worked.
Uooo man… Wait a minute, I tweet about my recent findings and some other bug bounty tips. So check out my Twitter account. Sorry, X account :)
My Twitter Account: @young_vanda_
https://rivalsec.github.io/blog/2022/12/02/meteor.html
https://galaxy-guide.meteor.com/deploy-region.html
https://forums.meteor.com
https://www.meteor.com/