Dangling DNS: Announcekit
Another service vulnerable to subdomain takeover
This post is a write-up of a service I found to be vulnerable to subdomain takeover: Announcekit. Although it is a paid service, it's possible to create a PoC during the trial period without purchasing it.

Announcekit.app

AnnounceKit is a user communication platform that helps you announce product updates to increase feature adoption.

Service Detection

The CNAME record should be pointing to cname.announcekit.app:

    akit-tk.melbadry9.xyz. 42 IN CNAME cname.announcekit.app.

I use the following Nuclei template to check for possible candidates.

    id: detect-announcekit

    info:
      name: Announcekit service detection
      author: melbadry9
      severity: info
      tags: dns

    dns:
      - name: "{{FQDN}}"
        type: CNAME
        class: inet
        recursion: true
        retries: 2
        matchers:
          - type: word
            words:
              - "cname.announcekit.app"

Takeover Detection

To verify whether a subdomain takeover may be possible, the subdomain should return an error page similar to this one:
[Image: Vulnerable Subdomain Error Page]

Fingerprint

To detect a vulnerable subdomain, we use the following fingerprint, based on the HTTP response, to confirm whether the subdomain is vulnerable or not.

    {
      "status_code": 404,
      "text": [
        "Error 404 - AnnounceKit"
      ]
    }

I use the following Nuclei template to check for vulnerable subdomains.

    id: announcekit-takeover

    info:
      name: Announcekit Takeover Detection
      author: melbadry9
      severity: high
      tags: takeover
      reference: https://announcekit.app/docs/custom-host

    requests:
      - method: GET
        raw:
          - |
            GET / HTTP/2
            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

        redirects: true
        max-redirects: 1

        matchers-condition: and
        matchers:
          - type: word
            words:
              - 'Error 404 - AnnounceKit'

          - type: status
            status:
              - 404
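
The two checks above (CNAME target, then HTTP fingerprint) combined into one audit of your own zone export, as an added example that is not the author's code. The function names, the `fetch` callable, the `example.org` records and the sample responses are constructed for illustration; only the CNAME target, the fingerprint and the `akit-tk.melbadry9.xyz` record come from the page.

```python
import json
import re

# Fingerprint and CNAME target exactly as given on the page.
FINGERPRINT = json.loads('{"status_code": 404, "text": ["Error 404 - AnnounceKit"]}')
SERVICE_CNAME = "cname.announcekit.app"
# Zone-file / dig answer line: owner [ttl] [IN] CNAME target
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$", re.I)

def announcekit_hosts(zone_text):
    """Hostnames whose CNAME points at the AnnounceKit custom-host target."""
    hosts = []
    for line in zone_text.splitlines():
        m = CNAME_RE.match(line.split(";")[0].strip())  # drop zone comments
        if m and m.group(2).rstrip(".").lower() == SERVICE_CNAME:
            hosts.append(m.group(1).rstrip(".").lower())
    return hosts

def matches_fingerprint(status, body, fp=FINGERPRINT):
    """Status AND every text marker must match (the template's 'and' condition)."""
    return status == fp["status_code"] and all(t in body for t in fp["text"])

def audit(zone_text, fetch):
    """fetch(host) -> (status, body). Returns {host: 'dangling' or 'no-match'}."""
    return {h: "dangling" if matches_fingerprint(*fetch(h)) else "no-match"
            for h in announcekit_hosts(zone_text)}

# Constructed sample data: first record is the page's, the rest are made up.
SAMPLE_ZONE = """\
akit-tk.melbadry9.xyz. 42 IN CNAME cname.announcekit.app.
news.example.org. 300 IN CNAME CNAME.AnnounceKit.app.  ; hostname in use
old.example.org. 300 IN CNAME cname.announcekit.app.
www.example.org. 300 IN CNAME example.org.
docs.example.org. 300 IN A 192.0.2.10
"""
SAMPLE_RESPONSES = {  # constructed (status, body) pairs standing in for HTTP GET /
    "akit-tk.melbadry9.xyz": (404, "<title>Error 404 - AnnounceKit</title>"),
    "news.example.org": (200, "<title>Product updates</title>"),
    "old.example.org": (404, "<h1>Not Found</h1>"),  # 404 without the marker
}

def sample_fetch(host):
    return SAMPLE_RESPONSES[host]

if __name__ == "__main__":
    for host, state in audit(SAMPLE_ZONE, sample_fetch).items():
        print(f"{host}: {state}")
```

A host reported as `dangling` still has a CNAME to the service while no feed claims that hostname; removing the stale record or re-claiming the hostname in the service closes the gap.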

Takeover Steps

  • Register an account on AnnounceKit
  • Go to https://announcekit.app/dashboard/settings/feeds
  • Set Custom Hostname to the subdomain we want to take over: akit-tk.melbadry9.xyz
    [Image: Takeover Steps]
  • Visit https://kit-tk.melbadry9.xyz
    [Image: PoC]

Can I takeover XYZ? - Issue

I have opened an issue on GitHub regarding this service:
Announcekit vulnerable to subdomain takeover · Issue #228 · EdOverflow/can-i-take-over-xyz