Write up about how I successfully took over the subdomain of an Tumblr blog.
A Subdomain takeover is a cybersecurity vulnerability where attackers exploit abandoned or misconfigured subdomains, gaining unauthorized control. This can lead to malicious activities such as phishing, malware distribution, and defacement.
These are the steps I took to successfully take over this subdomain and link it to my own Tumblr blog
The initial step involved reconnaissance to identify all available target assets. This entailed employing subdomain enumeration techniques, which utilize a blend of methods to uncover target sub-domains. This encompasses scouring external data sources like search engines, public databases, and third-party services, alongside scanning DNS records such as NS, MX, TXT, and AXFR.
Numerous tools are available for this task, and I strongly recommend configuring external data source API keys within these tools to maximize results. Among these tools, we’ll utilize Subfinder, although other notable options include Sublist3r, Amass, or Knockpy.
Using Subfinder after you install, Let’s run:
docker run projectdiscovery/subfinder:latest -d target.com -o out.txt
The output will be located in “out.txt,” prepared for the subsequent step. These are the results obtained from Subfinder’s subdomain enumeration.
Numerous methods are available to check subdomains for potential takeovers, ranging from utilizing tools to capture screenshots to employing text/regex matching tools and even manually inspecting the domain. To automate the search for matching text signatures, we’ll employ a tool called Subzy.
Assuming you have installed Subzy, let’s run:
subzy run — targets out.txt
Wait for it to complete and let’s see what we can find:
It appears luck is on our side as we’ve identified a vulnerable domain, and to our fortune, we’ve been provided with a convenient link to the “can-i-take-over-xyz” repository.
We can also verify like so:
curl -s -N http://$SOURCE_DOMAIN_NAME | grep -E -q “Whatever you were looking for doesn’t currently exist at this address” && echo “Subdomain takeover may be possible” || echo “Subdomain takeover is not possible”
Now that we’re aware of this domain’s vulnerability, let’s head over to “can-i-take-over-xyz” and delve deeper.
Some reports on HackerOne, for Tumblr blog takeovers:
We have taken over this domain/subdomain and uploaded our POC to the bug bounty program.