Exploring Subdomains: From Enumeration to Takeover Victory

In the name of ALLAH the most gracious the most merciful

So today I will talk about how I got my critical subdomain takeover on Ford Motors.

Ford is a family company, one that spans the globe and has shared ideals. We value service to each other and the world as much as to our customers. Generations ...

Choose target

Subdomain enumeration

First I collected subdomains using subfalcon.

# Tool link: https://github.com/h0tak88r/subfalcon
go install github.com/h0tak88r/subfalcon/cmd/subfalcon@latest

# Usage
subfalcon -l domains.txt
# Results saved to subfalconResults.txt

Subdomain Takeover checking

So here I used another Go tool of mine, subov88r.

# Tool link: https://github.com/h0tak88r/subov88r
# Install
go install github.com/h0tak88r/subov88r@latest
# Pass the subfalcon results to subov88r
subov88r -f subfalconResults.txt

The results were something like

The result that caught my attention was like

[ www.<subdomain>.ford.com, <subdomain>.trafficmanager.com, NXDOMAIN] Possiply Vulnerable to subdomain takeover vulnerability
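The check behind that output line can also be run from the defender's side, over your own DNS inventory. The following is an added example, not the author's code or subov88r's implementation; the injected lookup functions, the host names and the records are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Finding mirrors the [host, CNAME, status] triple in the tool output above.
type Finding struct{ Host, CNAME, Status string }

// Audit flags hosts whose CNAME target definitively does not exist. cnameOf and
// resolve are injected lookups (hypothetical signatures, not a real library API).
func Audit(hosts []string, cnameOf func(string) string, resolve func(string) error) []Finding {
	var out []Finding
	for _, h := range hosts {
		target := strings.TrimSuffix(cnameOf(h), ".")
		if target == "" {
			continue // no CNAME record, so nothing can dangle
		}
		var de *net.DNSError
		// Only NXDOMAIN counts; a timeout or SERVFAIL is inconclusive, not a finding.
		if errors.As(resolve(target), &de) && de.IsNotFound {
			out = append(out, Finding{h, target, "NXDOMAIN"})
		}
	}
	return out
}

// Constructed records (reserved example names) so the block runs offline.
var sampleCNAME = map[string]string{
	"www.example.com":  "live.lb.example.net.",
	"old.example.com":  "gone.lb.example.net.",
	"slow.example.com": "slow.lb.example.net.",
}
var sampleErr = map[string]error{
	"gone.lb.example.net": &net.DNSError{Err: "no such host", IsNotFound: true},
	"slow.lb.example.net": &net.DNSError{Err: "i/o timeout", IsTimeout: true},
}

func SampleAudit() []Finding {
	hosts := []string{"www.example.com", "old.example.com", "slow.example.com", "api.example.com"}
	return Audit(hosts, func(h string) string { return sampleCNAME[h] }, func(t string) error { return sampleErr[t] })
}

func main() {
	for _, f := range SampleAudit() {
		fmt.Printf("[ %s, %s, %s ] dangling CNAME: remove or repoint the record\n", f.Host, f.CNAME, f.Status)
	}
}
```

In real use, back the two lookups with a resolver that returns the raw CNAME record and the address lookup error for its target.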

So I quickly started to look into this subdomain, but the httpx tool didn't recognize this subdomain as a valid domain.

Then I decided to see this subdomain in the browser, and as I expected

OK, let's check the can-i-take-over-xyz project

https://github.com/EdOverflow/can-i-take-over-xyz/issues/35

Oh no, they say that it is not vulnerable.

Still, I didn't give up. I decided to investigate on my own, and guess what? I found out that there was indeed an issue, and I successfully took control of it. It's always good to double-check!

Undeterred, I decided to manually investigate, and voila! Success – I managed to take over the CNAME <vulnerable>.trafficmanager.com. Always good to verify!

Then I reported the issue with High severity, and the team changed the severity to Critical and triaged my report.

Update: Issue resolved!!
