Exploring Subdomains: From Enumeration to Takeover Victory
In the name of ALLAH the most gracious the most merciful
So today I will talk about how I got my critical subdomain takeover on Ford Motors.
Ford is a family company, one that spans the globe and has shared ideals. We value service to each other and the world as much as to our customers. Generations ...
Choose target

Subdomain enumeration
First I collected subdomains using subfalcon:
# Tool link: https://github.com/h0tak88r/subfalcon
go install github.com/h0tak88r/subfalcon/cmd/subfalcon@latest
# Usage
subfalcon -l domains.txt
# Results saved to subfalconResults.txt

Subdomain Takeover checking
So here I used another Go tool of mine, subov88r:
# Tool link: https://github.com/h0tak88r/subov88r
# Install
go install github.com/h0tak88r/subov88r@latest
# passing subfalcon results to subov88r
subov88r -f subfalconResults.txt
The results were something like:

The result that caught my attention was like:
[ www.<subdomain>.ford.com, <subdomain>.trafficmanager.com, NXDOMAIN] Possiply Vulnerable to subdomain takeover vulnerability
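What that output line describes is a dangling CNAME: the hostname still points at a target name that no longer resolves. The Go sketch below is an added example, not subov88r's code or anything from the original post, showing the same check as an owner could run it over their own DNS inventory; `Dangling`, `Resolver`, `stubResolver` and the example.com/example.net records are assumptions constructed for illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Resolver is the part of *net.Resolver the audit uses (net.DefaultResolver fits).
type Resolver interface {
	LookupCNAME(ctx context.Context, host string) (string, error)
	LookupHost(ctx context.Context, host string) ([]string, error)
}

// Dangling reports whether host has a CNAME whose target is NXDOMAIN, and returns the target.
func Dangling(ctx context.Context, r Resolver, host string) (string, bool) {
	cname, err := r.LookupCNAME(ctx, host)
	target := strings.TrimSuffix(cname, ".")
	if err != nil || target == "" || strings.EqualFold(target, host) {
		return "", false // no CNAME record: nothing is delegated to another name
	}
	_, err = r.LookupHost(ctx, target)
	var dnsErr *net.DNSError // only a definitive NXDOMAIN counts; timeouts are not evidence
	return target, errors.As(err, &dnsErr) && dnsErr.IsNotFound
}

// stubResolver serves constructed records so the example runs offline.
type stubResolver struct{ cname, addrs map[string]string }

func (s stubResolver) LookupCNAME(_ context.Context, h string) (string, error) {
	return s.cname[h], nil // "" when the constructed zone has no CNAME for h
}
func (s stubResolver) LookupHost(_ context.Context, h string) ([]string, error) {
	if a, ok := s.addrs[h]; ok {
		return []string{a}, nil
	}
	return nil, &net.DNSError{Err: "no such host", Name: h, IsNotFound: true}
}
func main() {
	r := stubResolver{ // constructed zone data, not taken from the report
		cname: map[string]string{"www.shop.example.com": "shop-prod.example.net."},
		addrs: map[string]string{"api.example.com": "192.0.2.20"},
	}
	for _, h := range []string{"www.shop.example.com", "api.example.com"} {
		if t, bad := Dangling(context.Background(), r, h); bad {
			fmt.Printf("[%s, %s, NXDOMAIN] dangling CNAME\n", h, t)
		}
	}
}
```

To run it against real DNS, pass `net.DefaultResolver` in place of the stub.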
So I quickly started to look into this subdomain, but the httpx tool didn't recognize this subdomain as a valid domain.
Then I decided to see this subdomain in the browser, and as I expected

OK, let's check the can-i-take-over-xyz project:
https://github.com/EdOverflow/can-i-take-over-xyz/issues/35
Oh no, they say that it is not vulnerable.

Still, I didn't give up. I decided to investigate on my own, and guess what? I found out that there was indeed an issue, and I successfully took control of it. It's always good to double-check! 🛡️🌐
Undeterred, I decided to manually investigate, and voila! Success – I managed to take over the CNAME <vulnerable>.trafficmanager.com. Always good to verify! 🛡️🌐

Then I reported the issue with High severity, and the team changed the severity to Critical and triaged my report.
Update: Issue resolved!!
