Tumblr Subdomain Takeover

9 months ago 121
BOOK THIS SPACE FOR AD
ARTICLE AD

Scott Lindh

Write up about how I successfully took over the subdomain of an Tumblr blog.

A Subdomain takeover is a cybersecurity vulnerability where attackers exploit abandoned or misconfigured subdomains, gaining unauthorized control. This can lead to malicious activities such as phishing, malware distribution, and defacement.

Tumblr suggesting a 404 error, could mean the sub domain points to a blog that can be taken over

These are the steps I took to successfully take over this subdomain and link it to my own Tumblr blog

Enumerate subdomains using a recon tool in our case we will use Subfinder.Check subdomains for “signatures” In the case of Tumblr the signature would be “Whatever you were looking for doesn’t currently exist at this address”, the tool used for this is Subzy.Confirm the takeover with the help of can-i-take-over-XYZProfit !!

The initial step involved reconnaissance to identify all available target assets. This entailed employing subdomain enumeration techniques, which utilize a blend of methods to uncover target sub-domains. This encompasses scouring external data sources like search engines, public databases, and third-party services, alongside scanning DNS records such as NS, MX, TXT, and AXFR.

Numerous tools are available for this task, and I strongly recommend configuring external data source API keys within these tools to maximize results. Among these tools, we’ll utilize Subfinder, although other notable options include Sublist3r, Amass, or Knockpy.

Using Subfinder after you install, Let’s run:
docker run projectdiscovery/subfinder:latest -d target.com -o out.txt

The output will be located in “out.txt,” prepared for the subsequent step. These are the results obtained from Subfinder’s subdomain enumeration.

Results from Subfinder sub domain enumeration

Numerous methods are available to check subdomains for potential takeovers, ranging from utilizing tools to capture screenshots to employing text/regex matching tools and even manually inspecting the domain. To automate the search for matching text signatures, we’ll employ a tool called Subzy.

Assuming you have installed Subzy, let’s run:
subzy run — targets out.txt

Wait for it to complete and let’s see what we can find:

Wow lucky us, what have we found here …. a hit !

It appears luck is on our side as we’ve identified a vulnerable domain, and to our fortune, we’ve been provided with a convenient link to the “can-i-take-over-xyz” repository.

We can also verify like so:

curl -s -N http://$SOURCE_DOMAIN_NAME | grep -E -q “Whatever you were looking for doesn’t currently exist at this address” && echo “Subdomain takeover may be possible” || echo “Subdomain takeover is not possible”

or make a little bash script to do it yourself !

Now that we’re aware of this domain’s vulnerability, let’s head over to “can-i-take-over-xyz” and delve deeper.

https://www.tumblr.com/docs/en/custom_domains

Log in to Tumblr account (MUST validate email address)Go to Tumblr Account drop downClick Edit AppearanceClick on the pencil icon next to your usernameSelect Use a custom domainSet custom domain to source domain nameClick on Test Domain (Should return It’s good!)Click on Save

Some reports on HackerOne, for Tumblr blog takeovers:

https://hackerone.com/reports/113869
https://hackerone.com/reports/221631

Success !!
We have taken over this domain/subdomain and uploaded our POC to the bug bounty program.

“Until next time” — Scott Lindh
Read Entire Article