How I was able to take over a Subdomain and got Hall of Fame

Rivek Raj Tamang ( RivuDon )
6 min readNov 20, 2024

--

How you can too.

Subdomain Takeover on a website
Lets get Started !

Hi, I’m Rivek Raj Tamang (RivuDon), a Security Researcher, Bug Hunter, and an Ethical Hacker currently pursuing Master’s in Cybersecurity.

Here’s how I was able to takeover a subdomain and got a Hall Of Fame.

Feel free to connect and get in touch with me, you can find out more about me on my linkedin, I am active there.

So, let’s start with another tale of how I was able display my Name and my Linkedin Profile on a live website which lead to me getting a Hall of Fame as well.

The start of a tale

Lets start

Hungry for the love of Bug hunting and cybersecurity, A beginner set out to learn and research about vulnerabilites on the wild.

So I choose Subdomain Takeover for this time. What is actually a Subdomain Takeover ?

A subdomain takeover is a vulnerability where an attacker gains control over an unused subdomain, often by exploiting unclaimed DNS records pointing to external services. This allows them to host malicious content under the target’s domain.

In short and simple words It is one of the most coolest and rad bug in the Bug hunting scene, Just imagine if you could takeover a website of google and use it according to your desire.

For example www.google.com however in a subdomain takeover you could takeover a subdomain of google and use it yourself. rivudon.google.com.

This bug/vulnerability usually happens when the main domain organization have failed to properly configure or set correct security measures so that other attackers can take over it.

The recon

The hunt for subdomain

So, to learn about this vulnerability I simply researched on the Internet, What is it ? How can it be performed ? How has it been performed by others ? etc, I follow the same method for all other vulnerability research and practice.

You could do the same.

Firstly know about the vulnerability and how it happens.

Learn about the “definition of Subdomain Takeover

Learn about “how to perform Subdomain Takeover

Watch Video POCs on youtube for it “Subdomain Takeover POC

Read articles about “Subdomain Takeover

Learn about successful “Subdomain Takeover Reports on Hackerone

Gather “tools and resources for Subdomain Takeover”

With all this research, time and effort I head out to hunt for it on live websites.

The fight and failures

The hunt begins

So I selected a target for example frieza.com

I firstly collected a list of subdomains for it, like usual that any Bug hunter would do.

Then check if any subdomain is showing 404 error or not.

You can use httpstatus.io for bulk list checking

Then collect the list of subdomains which are showing 404 and check their cname using nslookup and check if the name is showing differently than the domain for example aws, firebase, github etc.

nslookup target.com 

Then finally check if it is vulnerable and you could take over it or not at Github can-i-take-over-xyz They have listed several services and how you could take over it.

With all these steps you could successfully takeover a subdomain.

However, The steps seems simple, the videos of the subdomain takeover seemed simple but I kid you not, I went on hunting on several websites from one to another and I was not successful at all. So much so I stopped looking for it, However I had done the research and updated my methodology and checklist, also read tons of articles on it.

The power up

After several unsuccessful attempts to takeover a subdomain on several targets, I learnt more and more about how to find it and gathered tools and techniques to find it.

Tools like subzy and subjack however they give many false positives and are not reliable.

So after many trials I failed and after few months.

The victory

The Victory

So after several weeks of Hunting for Subdomain Takeover, One fine day like usual running through my checklist on a target Basf.com I ran a nuclei one liner for subdomain takeover.

nuclei -l alive.txt -t nuclei-templates/http/takeovers/ -o subtakeover.txt 

I am not into automation that much, I have only recently started learning and using it but, this time I saw a pop up saying vulnerable to Subdomain Takeover, I had never seen this running the nuclei so I went to check manually thinking it as another false positive.

The page was showing 404 error

So I quickly looked over the Internet on how to take over a subdomain via Github Pages and found that it is an edge case but I had to try my luck.

So I learnt how to setup and configure and followed all the instructions and Guess what ?

* autonomous sound *
Subdomain Takeover Successful !!

The End for today

I quickly reported my findings, video poc and attachments. Wrote a beautifully framed bug report with all the essentials of a good bug report.

Note: Hit me up for a 1 time workshop on a how to write a great bug report.

Their reply

I knew for a fact that a subdomain takeover was generally a medium-high severity, But the reply meant that I had to wait for several days or even weeks, and not to mention It could go duplicate as well. But deep down I knew my first Subdomain Takeover is going to be fruitful !

On the same day itself,

I got another mail

Hall of Fame
Power level 5 Sextillion First Ultra Instinct

We did it ! Our First Subdomain Takeover also the Hall Of Fame was a special one because I completed 10 Hall of Fames with this one. Which I had my goal set for the year end. I am happy, grateful and proud to have achieved what I set out. I even got my first Bounty while collecting the same 10 Hall of Fame as well. With this I would like to end this writeup for today until next time.

For everyone out there who faces doubts or setbacks, remember:
“𝑩𝒆𝒍𝒊𝒆𝒗𝒆 𝒊𝒏 𝒚𝒐𝒖𝒓𝒔𝒆𝒍𝒇, 𝒃𝒆𝒄𝒂𝒖𝒔𝒆 𝒊𝒇 𝒚𝒐𝒖 𝒅𝒐 𝒏𝒐𝒕, 𝒘𝒉𝒐 𝒆𝒍𝒔𝒆 𝒘𝒊𝒍𝒍?”

Keep working hard, and eventually it will definitely be fruitful.

Link to my linkedinpost regarding the same.

Stay tuned for more tips and tricks on my bug bounty journey, and don’t hesitate to reach out for advice or collaboration!. I will be writing more in the future for sure and sharing my findings, tips and tricks to contribute to the community i learn from everyday.

We also have a community of hackers and bug bounty hunters on whatsapp group feel free to join: https://chat.whatsapp.com/DD3NTchIGlF9Fg1tRMSpPs

Feel Free to connect with me on linkedin: https://www.linkedin.com/in/rivektamang/

Support me to write more content like this by buying me a coffee at buymeacoffee.com/RivuDon

The end.

--

--

Rivek Raj Tamang ( RivuDon )
Rivek Raj Tamang ( RivuDon )

Written by Rivek Raj Tamang ( RivuDon )

Cyber Security | Ethical Hacker | Tech | Lifestyle LinkedIn: @RivekRajTamang

No responses yet