
Dangling DNS: Announcekit

Another service vulnerable to subdomain takeover

This post is a write-up of AnnounceKit, a service vulnerable to subdomain takeover that I found. Although this is a paid service, it's possible to create a PoC during the trial period without purchasing the service.

Announcekit.app

AnnounceKit is a user communication platform that helps you announce product updates to increase feature adoption.

Service Detection

The CNAME record should point to cname.announcekit.app:

akit-tk.melbadry9.xyz.  42      IN      CNAME   cname.announcekit.app.

I use the following Nuclei template to check for possible candidates.

id: detect-announcekit

info:
  name: Announcekit service detection
  author: melbadry9
  severity: info
  tags: dns

dns:
  - name: "{{FQDN}}"
    type: CNAME
    class: inet
    recursion: true
    retries: 2
    matchers:
      - type: word
        words:
          - "cname.announcekit.app"
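To run the same check against a zone export of your own, the following sketch (an added example, not part of the original post) parses zone-file lines in the format of the record above and lists the owner names whose CNAME target is exactly cname.announcekit.app. The example.com names and sample records are constructed for illustration.

```python
# Target named on the page; a CNAME pointing here is served by AnnounceKit.
ANNOUNCEKIT_TARGET = "cname.announcekit.app"

# Constructed sample zone export (hypothetical example.com names), in the
# same presentation format as the CNAME answer shown above.
SAMPLE_ZONE = """\
$ORIGIN example.com.
; constructed records for illustration
updates        300  IN  CNAME  cname.announcekit.app.
news.example.com.   IN  CNAME  CNAME.AnnounceKit.app.
www            300  IN  CNAME  example.net.
changelog           CNAME  cname.announcekit.app.other.example.
api            300  IN  A      192.0.2.10
"""

def normalize(name, origin=""):
    """Lower-case a DNS name and make it absolute, without the trailing dot."""
    name = name.strip().lower()
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}" if origin else name

def announcekit_cnames(zone_text):
    """Return owner names whose CNAME target is exactly the AnnounceKit host."""
    origin, hits = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = normalize(line.split()[1])
            continue
        fields = line.split()
        # TTL and class are optional, so locate the record type instead of
        # assuming a fixed column; index 0 is always the owner name.
        types = [i for i, f in enumerate(fields) if i > 0 and f.upper() == "CNAME"]
        if not types or types[0] + 1 >= len(fields):
            continue
        owner = normalize(fields[0], origin)
        target = normalize(fields[types[0] + 1], origin)
        # Exact match: a substring test would also flag look-alike targets.
        if target == ANNOUNCEKIT_TARGET:
            hits.append(owner)
    return hits

if __name__ == "__main__":
    print(announcekit_cnames(SAMPLE_ZONE))
```

Each name it returns should either still be claimed as a custom hostname in an AnnounceKit account you control or have its CNAME record removed.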

Takeover Detection

To verify whether a subdomain takeover may be possible, we should see an error page similar to this one.

Vulnerable Subdomain Error Page

Fingerprint

To detect a vulnerable subdomain, we use the following fingerprint, based on the HTTP response, to confirm whether the subdomain is vulnerable or not.

I use the following Nuclei template to check for the vulnerable subdomain.

Takeover Steps

  • Register an account on AnnounceKit

  • Go to https://announcekit.app/dashboard/settings/feeds

  • Set Custom Hostname to the subdomain we want to take over: akit-tk.melbadry9.xyz

  • Visit https://kit-tk.melbadry9.xyz

PoC

Can I takeover XYZ? - Issue

I opened an issue on GitHub regarding this service:
