Dangling DNS: Announcekit
This post is the write-up about subdomain takeover vulnerable service Announcekit that I found. Although this is a paid service, It's possible to create PoC without having to purchase the service during trial period.
AnnounceKit is a user communication platform that helps you announce product updates to increase feature adoption.
CNAME record should be pointing to cname.announcekit.app
akit-tk.melbadry9.xyz. 42 IN CNAME cname.announcekit.app.
I use the following Nuclei template to check for possible candidates.
id: detect-announcekitinfo:name: Announcekit service detectionauthor: melbadry9severity: infotags: dnsdns:- name: "{{FQDN}}"type: CNAMEclass: inetrecursion: trueretries: 2matchers:- type: wordwords:- "cname.announcekit.app"
To verify whether subdomain takeover may be possible we should see a similar error page.
To detect vulnerable subdomain we use the following fingerprint based on HTTP response we confirm whether subdomain is vulnerable or not.
{"status_code": 404,"text": ["Error 404 - AnnounceKit"]}
I use the following Nuclei template to check for vulnerable subdomain.
id: announcekit-takeoverinfo:name: Announcekit Takeover Detectionauthor: melbadry9severity: hightags: takeoverreference: https://announcekit.app/docs/custom-hostrequests:- method: GETraw:- |GET / HTTP/2Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8redirects: truemax-redirects: 1matchers-condition: andmatchers:- type: wordwords:- 'Error 404 - AnnounceKit'- type: statusstatus:- 404
Register an account on AnnounceKit
Go to
https://announcekit.app/dashboard/settings/feedsSet
Custom Hostnameto subdomain we want to takeoverakit-tk.melbadry9.xyz
Visit
https://kit-tk.melbadry9.xyz
I have opened an issue on GitHub regarding this service:
