Dangling DNS: Announcekit
Another service vulnerable to subdomain takeover
This post is a write-up about AnnounceKit, a service vulnerable to subdomain takeover that I found. Although this is a paid service, it's possible to create a PoC during the trial period without purchasing the service.

AnnounceKit is a user communication platform that helps you announce product updates to increase feature adoption.

The CNAME record should point to cname.announcekit.app:
akit-tk.melbadry9.xyz. 42 IN CNAME cname.announcekit.app.
I use the following Nuclei template to check for possible candidates.
id: detect-announcekit
info:
  name: Announcekit service detection
  author: melbadry9
  severity: info
  tags: dns

dns:
  - name: "{{FQDN}}"
    type: CNAME
    class: inet
    recursion: true
    retries: 2
    # Match hosts whose CNAME answer contains the AnnounceKit target
    matchers:
      - type: word
        words:
          - "cname.announcekit.app"

To verify whether a subdomain takeover may be possible, we should see an error page similar to this one:
Vulnerable Subdomain Error Page

To detect a vulnerable subdomain, we use the following fingerprint based on the HTTP response to confirm whether the subdomain is vulnerable or not.
{
  "status_code": 404,
  "text": [
    "Error 404 - AnnounceKit"
  ]
}
I use the following Nuclei template to check for the vulnerable subdomain.
id: announcekit-takeover
info:
  name: Announcekit Takeover Detection
  author: melbadry9
  severity: high
  tags: takeover
  reference: https://announcekit.app/docs/custom-host

requests:
  - method: GET
    raw:
      - |
        GET / HTTP/2
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    redirects: true
    max-redirects: 1
    # Both matchers must hit: the 404 status and the AnnounceKit error text
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'Error 404 - AnnounceKit'
      - type: status
        status:
          - 404
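
A defender-side version of the two checks above, as an added example that is not part of the original post: it scans zone-file text from your own DNS inventory for CNAMEs pointing at cname.announcekit.app and applies the post's fingerprint to each host's response, so stale records can be removed. The function names, the result labels and the two example.com records in SAMPLE_ZONE are assumptions made for this illustration.

```python
import json
import urllib.error
import urllib.request

SERVICE_CNAME = "cname.announcekit.app"
# Fingerprint from the post: HTTP status plus a marker string in the body.
FINGERPRINT = json.loads('{"status_code": 404, "text": ["Error 404 - AnnounceKit"]}')
# Constructed zone data: the post's record plus two hypothetical ones.
SAMPLE_ZONE = """\
akit-tk.melbadry9.xyz. 42 IN CNAME cname.announcekit.app.
news.example.com. 300 IN CNAME CNAME.AnnounceKit.app.  ; case differs
www.example.com. 300 IN CNAME web.example.net.
"""

def announcekit_hosts(zone_text):
    """Owner names (assumed fully qualified) whose CNAME target is AnnounceKit."""
    hosts = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop zone-file comments
        types = [f.upper() for f in fields]
        idx = types.index("CNAME", 1) if "CNAME" in types[1:] else -1
        if 0 < idx < len(fields) - 1:
            if fields[idx + 1].rstrip(".").lower() == SERVICE_CNAME:
                hosts.append(fields[0].rstrip(".").lower())
    return hosts

def matches_fingerprint(status, body):
    """True when the response shows the status and every marker in FINGERPRINT."""
    return status == FINGERPRINT["status_code"] and all(
        marker in body for marker in FINGERPRINT["text"])

def fetch(host):
    """Live HTTPS GET / returning (status, body); a 4xx/5xx is still a response."""
    try:
        with urllib.request.urlopen(f"https://{host}/", timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def audit(zone_text, fetcher=fetch):
    """Label each AnnounceKit-pointing host: dangling, no-match or unreachable."""
    report = {}
    for host in announcekit_hosts(zone_text):
        try:
            status, body = fetcher(host)
            report[host] = "dangling" if matches_fingerprint(status, body) else "no-match"
        except OSError:  # DNS failure, refused connection, TLS error, timeout
            report[host] = "unreachable"
    return report
```

Hosts reported as dangling are the records to delete or re-claim; pass a stub as `fetcher` to run the audit without network access.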

  • Register an account on AnnounceKit
  • Go to https://announcekit.app/dashboard/settings/feeds
  • Set Custom Hostname to the subdomain we want to take over: akit-tk.melbadry9.xyz
Takeover Steps
  • Visit https://kit-tk.melbadry9.xyz
PoC

I opened an issue on GitHub regarding this service:
Announcekit vulnerable to subdomain takeover · Issue #228 · EdOverflow/can-i-take-over-xyz