Bugcrowd’s Domain & Subdomain Takeover!
Hello BugBountyPoc viewers, this is Khizer again, I decided to Write about this Issue because I have seen some people are still confused about “Fastly error: unknown domain” Many Subdomains of BugBounty programs have This error on their Subdomains and People Report is Without Claiming or Try to claim That..
But If you try to claim such Subdoamin it will ask U to add Main domain instead of subdomain… So back to the main story, last Sunday i decided to test Bugcrowd itself as it’s one of most secure BugBounty programs!
While i was checking Reverse IP Lookup For bugcrowd.com I got these 2 results
Reverse IP Lookup Results — 2 domains hosted on IP address 188.8.131.52 Domain View Whois Record Screenshots 1. bugcrowd.com 2. bugcrowdtrafficcontrol.com
As I Frequently Visit bugcrowd.com The other domain bugcrowdtrafficcontrol.com was New for Me as I haven’t seen this domain I decided to Pay a Visit 😛 and I saw an error on the domain!
Fastly error: unknown domain: bugcrowdtrafficcontrol.com. Please check that this domain has been added to a service.
When I saw the error It suddenly clicks to my mind That I have seen such errors on subdomains of some websites but when I tried to takeover them via Fastly services They ask to add the main domain But in this case It was the main domain. So I checked the WHOis info for this domain and it was!
Diagnostics DNS Records for bugcrowdtrafficcontrol.com Hostname Type TTL Priority Content bugcrowdtrafficcontrol.com SOA 1551 edna.ns.cloudflare.com firstname.lastname@example.org 2025379154 10000 2400 604800 3600 bugcrowdtrafficcontrol.com NS 86399 edna.ns.cloudflare.com bugcrowdtrafficcontrol.com NS 86399 lee.ns.cloudflare.com bugcrowdtrafficcontrol.com A 299 184.108.40.206 bugcrowdtrafficcontrol.com A 299 220.127.116.11 bugcrowdtrafficcontrol.com MX 299 5 alt2.aspmx.l.google.com bugcrowdtrafficcontrol.com MX 299 5 alt1.aspmx.l.google.com bugcrowdtrafficcontrol.com MX 299 1 aspmx.l.google.com bugcrowdtrafficcontrol.com MX 299 10 alt4.aspmx.l.google.com bugcrowdtrafficcontrol.com MX 299 10 alt3.aspmx.l.google.com www.bugcrowdtrafficcontrol.com A 299 18.104.22.168 www.bugcrowdtrafficcontrol.com A 299 22.214.171.124 www.bugcrowdtrafficcontrol.com AAAA 299 2400:cb00:2048:1::6814:3c33 www.bugcrowdtrafficcontrol.com AAAA 299 2400:cb00:2048:1::6814:3d33 www.bugcrowdtrafficcontrol.com CNAME 299 www.bugcrowd.com
and this Information is Enough for Me to Confirm that the domain was indeed owned by Bugcrowd!
Well I opened My Fastly account and tried to make a Service named bugcrowdtrafficcontrol.com & With teh IP of the domain….., And Boom… It says!
Your service has been created and activated.
Domain 'bugcrowdtrafficcontrol.com' was created
2017-08-13 19:15 +00:00
Click the following link to see if your site is configured correctly: http://bugcrowdtrafficcontrol.com.global.prod.fastly.net.
It may take up to a minute for your site to be ready.
So Now as The domain is added to my account i visit the domain again an This time the error was changed to
Error 503 hostname doesn't match against certificate
hostname doesn't match against certificate
Details: cache-cdg8721-CDG 1502652983 264973953
Varnish cache server
the Error was same to My Fastly service URL http://bugcrowdtrafficcontrol.com.global.prod.fastly.net, The Error was generate due to My mistake… I’m unaware of how to use these services so a little messed Up! But i qucikly figured out that if i add the same service to my cloudfront account and change the Plan to Business (it cost upto 200$ ) You can gain Complete Access of the domain 🙂
Now if You remember the WHOis information showed me another thing The Subdomain
When i visited that subdomain and It showed Me an error!
Well as soon as i saw this error I remember that some days a go a guys published a Blog about taking over DonaldJTrump’s Website subdomain by same service and i tried to follow his steps But Unfortunately My card was declined while buying the services to Takeover the subdomain …. That’s Why I was Unable to takeover The Subdomain Completely!
How to takeover:
- Signed up as client in Pantheon service.
- Created a Sandboxed domain as WordPress or Drupal.
- Added a credit card, then subscribed as ‘Professional’ to setup the sandboxed domain.
- Used a feature called “custom domains” to add the vulnerable subdomain to my account.
- Waited for the verification and building process to be finish.
- Boom You will be the admin of the subdomain
So At the end I reported this To Bugcrowd! 😛 Because potentially the domain & Subdomain both was owned by Bugcrowd…
The Report was Closed as N/A 😛 lol I was Hoping it to Be closed as Resolved 😛 But I still got 600$ 🙂
Hope it will solve the problem for some about Fastly error 🙂
Nice! i really love it. next time RCE? haha 😀
Sure I’ll Try 😉
Just going to publish SQLi POC in an Hour 😉
Which tool you are using for CANME scanning?
It was domain tools online website
Nice one mate
i am getting error while configuring domain in fastly it says that domain is already registered to another customer.
host command out put
$ host dev.example.com
dev.examplecom is an alias for dev.example.com.tw.map.fastly.net
$ dig dev.example.com
;; ANSWER SECTION:
dev.example.com. 106 IN CNAME dev.example.com.tw.map.fastly.net.
Also getting the Fastly unkown domain error when i visit the website