Fastly Subdomain Takeover $2000 - Pentestmag

Bug Bounty — From zero to HERO

by Alexandar Thangavel AKA ValluvarSploit


# Passive Subdomain Enumeration using Google Dorking
site:*.redacted.com -www -www1 -blog
site:*.*.redacted.com -product

# Passive Subdomain Enumeration using OWASP Amass
amass enum -passive -d redacted.com -config config.ini -o amass_passive_subs.txt

# Subdomain brute force using Gobuster
gobuster dns -d redacted.com -w wordlist.txt --show-cname --no-color -o gobuster_subs.txt

# Merging subdomains into one file
cat google_subs.txt amass_passive_subs.txt gobuster_subs.txt | anew subdomains.txt

# Enumerate CNAME records
./cname.sh -l subdomains.txt -o cnames.txt

# We can use the httpx tool as well (-cname prints the CNAME; -o writes the results)
httpx -l subdomains.txt -cname -o cnames.txt

# Probe for live HTTP/HTTPS servers
httpx -l subdomains.txt -p 80,443,8080,3000 -status-code -title -o servers_details.txt

# httpx output for the host of interest (URL, status code, content length, page title)
https://next.redacted.com [500] [246] [Fastly error: unknown domain next.redacted.com]

# DNS query for CNAME record
dig next.redacted.com CNAME
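The enumerate-then-probe steps above reduce to one check a defender can run over their own zone: a host whose CNAME points into Fastly but whose edge answers "unknown domain" has no Fastly service bound to it and is a dangling record. The Python below is an added example, not code from the original write-up; the httpx lines and the host-to-CNAME map are constructed sample data, and recognising Fastly targets by the `.fastly.net` suffix is an assumption.

```python
import re

# Constructed sample of httpx "-status-code -title" output, one line per probed host.
HTTPX_OUTPUT = """\
https://next.redacted.com [500] [246] [Fastly error: unknown domain next.redacted.com]
https://shop.redacted.com [200] [5120] [Redacted Shop]
https://api.redacted.com [500] [312] [Internal Server Error]
https://old.redacted.com [404] [150] [Not Found]
"""

# Constructed host -> CNAME target map, the kind of data cnames.txt holds.
CNAMES = {
    "next.redacted.com": "global.ssl.fastly.net",
    "shop.redacted.com": "global.ssl.fastly.net",
    "api.redacted.com": "api-lb.redacted.com",
    "old.redacted.com": "global.ssl.fastly.net",
}

LINE_RE = re.compile(r"^(\S+) \[(\d{3})\] \[(\d+)\] \[(.*)\]$")
FASTLY_SUFFIX = ".fastly.net"  # assumption: Fastly CNAME targets end in this zone
UNKNOWN_DOMAIN = re.compile(r"fastly error: unknown domain", re.I)


def parse_httpx(output):
    """Yield (host, status, title) per httpx line; skip lines that do not match."""
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host = re.sub(r"^https?://", "", m.group(1)).split("/")[0].split(":")[0]
        yield host, int(m.group(2)), m.group(4)


def find_dangling_fastly(output, cnames):
    """Return (host, cname, note) for hosts that look like dangling Fastly CNAMEs.
    A fastly.net CNAME whose edge answers 'unknown domain' is a dangling record; an
    'unknown domain' answer without such a CNAME is flagged for manual verification."""
    findings = []
    for host, status, title in parse_httpx(output):
        cname = cnames.get(host, "")
        unknown = bool(UNKNOWN_DOMAIN.search(title))
        if cname.endswith(FASTLY_SUFFIX) and unknown:
            findings.append((host, cname, "dangling: no Fastly service bound to this name"))
        elif unknown:  # e.g. CNAME chain or A record ending at Fastly: verify the resolution path
            findings.append((host, cname, "unknown-domain response without a fastly.net CNAME; verify"))
    return findings


if __name__ == "__main__":
    for host, cname, note in find_dangling_fastly(HTTPX_OUTPUT, CNAMES):
        print(f"{host} -> {cname or '(no CNAME)'}: {note}")
```

A Fastly-backed host that answers normally (shop) or a generic 500 from the origin (api) is deliberately not flagged; only the CDN's own "unknown domain" fingerprint is.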

Claimed domain on Fastly
# Host a minimal proof-of-concept page on the VPS
mkdir hosting
cd hosting
nano index.html

<!DOCTYPE html>
<html>
    <head><title>STO PoC</title></head>
    <body>
        <h1>ValluvarSploit PoC</h1>
    </body>
</html>

# Serve the page on port 80
python3 -m http.server 80
VPS Configuration
Proof of Concept
Monitoring server logs for fun
Reward

Originally posted at: https://infosecwriteups.com/fastly-subdomain-takeover-2000-217bb180730f

January 10, 2023

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013