Mohamed Elbadry | Blog
  • About Me
    • Acknowledgement
  • Dangling DNS
    • Amazon Web Services
      • Dangling DNS: Amazon EC2
      • Dangling DNS: Amazon EC2 IPs (Current State)
    • Vulnerable Services
      • Dangling DNS: Worksites.net
      • Dangling DNS: Announcekit
  • Write-ups
    • Fuzzing
      • Automate Cache Poisoning Vulnerability - Nuclei
      • How I built the PoC for the Log4j zero-day security vulnerability
Powered by GitBook
On this page
  • Announcekit.app
  • Service Detection
  • Takeover Detection
  • Fingerprint
  • Takeover Steps
  • Can I takeover XYZ? - Issue

Was this helpful?

Dangling DNS: Announcekit

Another service vulnerable to subdomain takeover

This post is the write-up about the subdomain takeover vulnerable service Announcekit that I found. Although this is a paid service, It's possible to create PoC without purchasing the service during the trial period.

Announcekit.app

AnnounceKit is a user communication platform that helps you announce product updates to increase feature adoption.

Service Detection

CNAME record should be pointing to cname.announcekit.app

akit-tk.melbadry9.xyz.  42      IN      CNAME   cname.announcekit.app.

I use the following Nuclei template to check for possible candidates.

id: detect-announcekit

info:
  name: Announcekit service detection
  author: melbadry9
  severity: info
  tags: dns

dns:
  - name: "{{FQDN}}"
    type: CNAME
    class: inet
    recursion: true
    retries: 2
    matchers:
      - type: word
        words:
          - "cname.announcekit.app"

Takeover Detection

We should see a similar error page to verify whether the subdomain takeover may be possible.

Fingerprint

To detect a vulnerable subdomain, we use the following fingerprint based on the HTTP response. we confirm whether the subdomain is vulnerable or not.

{
    "status_code": 404,
    "text": [
        "Error 404 - AnnounceKit"
    ]
}

I use the following Nuclei template to check for the vulnerable subdomain.

id: announcekit-takeover

info:
  name: Announcekit Takeover Detection
  author: melbadry9
  severity: high
  tags: takeover
  reference: https://announcekit.app/docs/custom-host

requests:
  - method: GET
    raw:
      - |
        GET / HTTP/2
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    
    redirects: true
    max-redirects: 1

    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Error 404 - AnnounceKit'
      
      - type: status
        status:
          - 404

Takeover Steps

  • Register an account on AnnounceKit​

  • Go to https://announcekit.app/dashboard/settings/feeds

  • Set Custom Hostname to the subdomain, we want to takeover akit-tk.melbadry9.xyz

  • Visit https://kit-tk.melbadry9.xyz

Can I takeover XYZ? - Issue

I opened an issue on GitHub regarding this service:

PreviousDangling DNS: Worksites.netNextFuzzing

Last updated 2 years ago

Vulnerable Subdomain Error Page
Takeover Steps
PoC
LogoAnnouncekit vulnerable to subdomain takeover · Issue #228 · EdOverflow/can-i-take-over-xyzGitHub
Page cover image