Skip to content

Instantly share code, notes, and snippets.

@TheBinitGhimire
Last active October 27, 2024 19:26
Show Gist options
  • Save TheBinitGhimire/ec24a9de97a372cf6b7b9453511c3f8b to your computer and use it in GitHub Desktop.
Save TheBinitGhimire/ec24a9de97a372cf6b7b9453511c3f8b to your computer and use it in GitHub Desktop.
Dangling DNS Records leading to Sub-domain Takeover on api.techprep.fb.com!

Dangling DNS Records on api.techprep.fb.com - $500!

Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk

I have included my script in another file (main.sh), which I used in discovering this vulnerability.

I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.

I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.

## Subdomain Enumeration
echo "Checking with Assetfinder!";
assetfinder -subs-only fb.com >> ~/results/fb.com/subs/assetfinder.txt;
echo "Checking with Subfinder!";
subfinder -d fb.com -recursive -silent -all -t 500 -o ~/results/fb.com/subs/subfinder.txt;
echo "Checking with Sublist3r!";
sublist3r -d fb.com -n -t 500 -o ~/results/fb.com/subs/sublist3r.txt;
echo "Checking with Amass!";
amass enum -passive -norecursive -noalts -d fb.com -o ~/results/fb.com/subs/amass.txt;
## Subdomain Concatenation
cat ~/results/fb.com/subs/*.txt > ~/results/fb.com/subs.txt;
## Subdomain Enumeration Cleanup
rm -rf ~/results/fb.com/subs;
## Subdomain Enumeration Results
sort -u ~/results/fb.com/subs.txt -o ~/results/fb.com/subs.txt
## Elastic Beanstalk Checker
while IFS= read -r domain; do
if dig +short $domain | grep elasticbeanstalk; then echo $domain | tee -a ~/results/fb.com/elasticbeanstalk.txt; fi;
done < ~/results/fb.com/subs.txt
@nukats
Copy link

nukats commented Feb 18, 2021

Why did they only pay 500$ what was their reason?

@TheBinitGhimire
Copy link
Author

Hello @nukats,

I am not sure about why they paid only $500 for this, and I have questioned them about it, and looking forward to hearing their response.

One thing that they had said while rewarding the bounty amount is, "The payout amount reflects the fact that fb.com domain is predominantly used for microsites and static content."

I hope this clears your question, and I will let you know again if I hear back from the team with more information.

Thanks,
Binit Ghimire
@TheBinitGhimire

@pdelteil
Copy link

Hello,

I think is no longer possible to perform this take over? I can't create a custom env. URL.

Can you confirm?

@TheBinitGhimire
Copy link
Author

Hello @pdelteil,

I think you tried to create an application at Elastic Beanstalk, so you weren't able to define a custom URL. Can you once try creating an environment?

I just tried, and I'm still able to define custom URLs without any random strings added to the URL.

Creating an environment!

Here is an image showing what I did to verify just now!

If you have any further queries, please let me know!

Thanks,
Binit

@pdelteil
Copy link

Thank you for your quick answer. There's something odd, that dialog appeared when I created the second environment and not while creating the first.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment