This post is a write-up of AnnounceKit, a service I found to be vulnerable to subdomain takeover. Although it is a paid service, it is possible to create a PoC during the trial period without purchasing the service.
Announcekit.app
AnnounceKit is a user communication platform that helps you announce product updates to increase feature adoption.
Service Detection
The CNAME record should point to cname.announcekit.app:

akit-tk.melbadry9.xyz. 42 IN CNAME cname.announcekit.app.
I use the following Nuclei template to check for possible candidates.
id: detect-announcekit

info:
  name: Announcekit service detection
  author: melbadry9
  severity: info
  tags: dns

dns:
  - name: "{{FQDN}}"
    type: CNAME
    class: inet
    recursion: true
    retries: 2
    matchers:
      - type: word
        words:
          - "cname.announcekit.app"
Takeover Detection
To verify that a subdomain takeover may be possible, the subdomain should return an error page similar to the one below.
Vulnerable Subdomain Error Page
Fingerprint
To detect a vulnerable subdomain, we use the following fingerprint: if the HTTP response matches it, the subdomain is confirmed vulnerable.
{
  "status_code": 404,
  "text": [
    "Error 404 - AnnounceKit"
  ]
}
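As an added example (not code from the original post), the following Python script carries out the same two checks offline: it parses a dig-style CNAME answer line for the cname.announcekit.app target, then applies the status-code and body-text fingerprint to a response. The DNS answers and HTTP bodies in it are constructed sample data, and the example.com hostnames are placeholders; in a real inventory check you would feed it your own zone's CNAME records and the responses fetched from each host.

```python
"""Offline checks mirroring the two detection stages in the write-up.

Stage 1: does a DNS answer line point the subdomain at cname.announcekit.app?
Stage 2: does the HTTP response match the AnnounceKit 404 fingerprint?
All records and responses below are constructed for this example.
"""
import re

ANNOUNCEKIT_CNAME = "cname.announcekit.app"
# Same fingerprint as in the write-up: status code plus required body strings.
FINGERPRINT = {"status_code": 404, "text": ["Error 404 - AnnounceKit"]}

# owner [ttl] [IN] CNAME target  (dig / zone-file answer line)
_CNAME_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)


def parse_cname_record(line):
    """Parse a CNAME answer line into (owner, target), both lower-cased
    with the trailing dot removed. Returns None for non-CNAME lines."""
    m = _CNAME_RE.match(line.strip())
    if not m:
        return None
    owner = m.group("owner").lower().rstrip(".")
    target = m.group("target").lower().rstrip(".")
    return owner, target


def points_to_announcekit(line):
    """Stage 1: True when the record's CNAME target is cname.announcekit.app."""
    parsed = parse_cname_record(line)
    return parsed is not None and parsed[1] == ANNOUNCEKIT_CNAME


def matches_fingerprint(status_code, body, fingerprint=FINGERPRINT):
    """Stage 2: True when the status code matches and every fingerprint
    string appears in the response body."""
    if status_code != fingerprint["status_code"]:
        return False
    return all(needle in body for needle in fingerprint["text"])


def classify(record_line, status_code, body):
    """Combine both stages for one subdomain.

    'not-announcekit'  - CNAME does not point at the service
    'no-fingerprint'   - points at the service, response is not the error page
    'dangling'         - points at the service and shows the unclaimed error page
    """
    if not points_to_announcekit(record_line):
        return "not-announcekit"
    if matches_fingerprint(status_code, body):
        return "dangling"
    return "no-fingerprint"


# Constructed sample data (hostnames are placeholders, not real hosts).
SAMPLE_CASES = [
    ("akit-tk.example.com. 42 IN CNAME cname.announcekit.app.", 404,
     "<html><title>Error 404 - AnnounceKit</title></html>"),
    ("news.example.com. 300 IN CNAME cname.announcekit.app.", 200,
     "<html><title>Product updates</title></html>"),
    ("www.example.com. 300 IN CNAME example.com.", 404, "Not Found"),
]


def run_samples():
    """Classify every constructed sample; used by the test below."""
    return [classify(*case) for case in SAMPLE_CASES]


if __name__ == "__main__":
    for case, verdict in zip(SAMPLE_CASES, run_samples()):
        print(f"{parse_cname_record(case[0])[0]}: {verdict}")
```

The middle verdict matters in practice: a host that resolves to the provider but does not show the provider's "unclaimed" page is usually one that is already configured, so only the "dangling" class is worth escalating.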
I use the following Nuclei template to check for vulnerable subdomains.