http://fig.example.com/ in the browser showed nothing but a blank page with empty HTML, so I decided to brute-force directories using Dirsearch. That is when I found http://fig.example.com/includes/, a directory with directory listing enabled.
goose.example.com had the same issue. How did I figure it out? Simply, it was redirecting to a different site.
github.example.com; maybe it would help me identify other subdomains with the same issue.
pilot.example.com. This turned out to be very helpful, as I found an SSL certificate issued for a totally different organization.
henry.example.com, and again the SSL certificate was issued for a different organization.
ip:184.108.40.206 and check for crawled data.
“What happened to that IP tied to that EC2 instance that you just killed? Well, when you terminate an instance, that IP address isn’t put to waste. Instead, it’s reused by other AWS customers. There is a massive pool of IP addresses that are constantly being recycled and trusted by various organizations and people.”
A record, without using an Elastic IP. If the EC2 instance is killed or terminated and the DNS record is not updated, the subdomain is left with a dangling DNS record. The instance's public IP is released back to the AWS IP pool, which means it can be assigned to a new EC2 instance, possibly in someone else's account.
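One way to hunt for this condition from the defender's side, as an added example that is not part of the original write-up: take every A record in a zone, keep the ones that fall inside the EC2 prefixes published in AWS's ip-ranges.json, and flag any whose IP the account no longer owns. The ip-ranges excerpt, the zone records and the set of owned public IPs below are constructed sample data; in practice the zone comes from a Route 53 export and the owned IPs from `aws ec2 describe-addresses` and `describe-instances`.

```python
import ipaddress
import json

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# Assumption: these prefixes are sample data, not the real published ranges.
IP_RANGES_JSON = """
{
  "syncToken": "0",
  "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "184.108.40.0/24", "region": "us-east-1", "service": "EC2",    "network_border_group": "us-east-1"},
    {"ip_prefix": "184.108.40.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1"},
    {"ip_prefix": "52.94.0.0/22",    "region": "us-east-1", "service": "S3",     "network_border_group": "us-east-1"}
  ]
}
"""

# Constructed zone export: (name, record type, value).
ZONE_RECORDS = [
    ("fig.example.com",   "A",     "184.108.40.206"),
    ("pilot.example.com", "A",     "184.108.40.17"),
    ("www.example.com",   "A",     "203.0.113.10"),
    ("cdn.example.com",   "CNAME", "d111111abcdef8.cloudfront.net"),
]

# Constructed inventory of public IPs the account still holds (Elastic IPs plus
# the public IPs of running instances). Anything EC2-ranged and not in here
# may already belong to another customer.
ACCOUNT_PUBLIC_IPS = {"184.108.40.17"}


def load_ec2_prefixes(ranges_json):
    """Parse an ip-ranges.json document and return only the EC2 networks."""
    data = json.loads(ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "EC2"]


def find_dangling_ec2_records(zone_records, ec2_prefixes, owned_ips):
    """Return A records that point into EC2 address space at IPs the account no longer owns.

    CNAMEs are skipped: a CNAME to an AWS hostname is a different takeover
    class and needs a different check.
    """
    findings = []
    for name, rtype, value in zone_records:
        if rtype != "A":
            continue
        ip = ipaddress.ip_address(value)
        if not any(ip in net for net in ec2_prefixes):
            continue  # not an EC2 address, recycling by AWS does not apply
        if value in owned_ips:
            continue  # still ours (Elastic IP or a live instance)
        findings.append({"name": name, "ip": value})
    return findings


if __name__ == "__main__":
    prefixes = load_ec2_prefixes(IP_RANGES_JSON)
    for f in find_dangling_ec2_records(ZONE_RECORDS, prefixes, ACCOUNT_PUBLIC_IPS):
        print(f"DANGLING? {f['name']} -> {f['ip']} (EC2 range, not owned by this account)")
```

The ownership check is what turns "points at AWS" into "points at an address we no longer control"; without it every EC2-hosted subdomain would be a false positive. Note the S3 and AMAZON entries are filtered out on purpose: only the EC2 service prefixes describe addresses handed to instances and recycled between customers.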
N/A. As mentioned before, avoid managed bug bounty programs, as they require a PoC file.