search
Page cover

Dangling DNS: Announcekit

Another service vulnerable to subdomain takeover

This post is the write-up about the subdomain takeover vulnerable service Announcekit arrow-up-rightthat I found. Although this is a paid service, It's possible to create PoC without purchasing the service during the trial period.

hashtag
Announcekit.app

AnnounceKit arrow-up-rightis a user communication platform that helps you announce product updates to increase feature adoption.

hashtag
Service Detection

CNAME record should be pointing to cname.announcekit.app

akit-tk.melbadry9.xyz.  42      IN      CNAME   cname.announcekit.app.

I use the following Nucleiarrow-up-right template to check for possible candidates.

id: detect-announcekit

info:
  name: Announcekit service detection
  author: melbadry9
  severity: info
  tags: dns

dns:
  - name: "{{FQDN}}"
    type: CNAME
    class: inet
    recursion: true
    retries: 2
    matchers:
      - type: word
        words:
          - "cname.announcekit.app"

hashtag
Takeover Detection

We should see a similar error page to verify whether the subdomain takeover may be possible.

Vulnerable Subdomain Error Page

hashtag
Fingerprint

To detect a vulnerable subdomain, we use the following fingerprint based on the HTTP response. we confirm whether the subdomain is vulnerable or not.

I use the following Nucleiarrow-up-right template to check for the vulnerable subdomain.

hashtag
Takeover Steps

  • Register an account on AnnounceKitarrow-up-right

  • Go to https://announcekit.app/dashboard/settings/feeds

  • Set Custom Hostname to the subdomain, we want to takeover akit-tk.melbadry9.xyz

Takeover Steps

  • Visit https://kit-tk.melbadry9.xyz

PoC

hashtag
Can I takeover XYZ? - Issue

I opened an issue on GitHub arrow-up-rightregarding this service:

LogoAnnouncekit vulnerable to subdomain takeover · Issue #228 · EdOverflow/can-i-take-over-xyzGitHubchevron-right
PreviousDangling DNS: Worksites.netNextFuzzing

Last updated