00:00:01,700 --> 00:00:51,710
Hello, everyone, and welcome to this video. In this video, we are going to see subdomain take-over on Tumblr. Many of us use Tumblr for seeing some of the awesome graphic content or pictures or images, but we do not know that Tumblr also provides custom URLs or domains, and there are many organizations who point their subdomains to Tumblr but forget to claim them. Now, here it becomes very, very important for security researchers and bug bounty hunters, wherein they can claim those unclaimed subdomains which are being pointed to Tumblr and show a successful demonstration of subdomain take-over.

00:00:52,580 --> 00:01:33,770
All right. So let's quickly see how we can do this in the practical time. So for that, what I'm going to do is, on my terminal, I'm going to fire up the command, which is findomain, to get the domain names for the target, which is srsecure.xyz, and hit enter. Let's wait for this to give me the results. I'm expecting those results to come really, really quick. And after we have got those results, we are going to identify some of the subdomains to be vulnerable. As you can see, we have got 47 subdomains in a mere nine seconds.
00:01:34,640 --> 00:02:37,660
And if you have a close look at the subdomains from here, I'm going to choose one of the subdomains, which is, let's say, from this we are going to choose a subdomain which is tumblr.srsecure.xyz. So let me see if it has been crawled or not, because I have recently created a subdomain which is tumblr.srsecure.xyz. Now, when I create subdomains, it may take some time for the DNS crawlers, or crawlers like Google or VirusTotal or Sublist3r or Facebook or the certificate transparency logs of crt.sh, to crawl them. So it may take some time to reflect over here, but to show the proof of concept, I have created a vulnerable subdomain which is tumblr.srsecure.xyz.

00:02:38,170 --> 00:03:27,520
Now if I try to ping this, let us see if this will work or not. So I'm just going to ping this and hit enter, and you can see I'm getting a reply, which means the domain is active and it is not a dead subdomain. All right. So let's quickly do a whois and see where we are getting the reply from. So we are getting a reply from this particular domain, where the organization name is given as Automattic. All right. So we are getting the reply from this particular organization. Now, Tumblr may have hosted its own domain from these IP ranges. That's why we are getting a reply from this particular organization name.
00:03:28,520 --> 00:03:59,320
All right. So let's quickly see what we get when we open this IP over here, and you can see it is Tumblr. All right. We were correct. And it is redirecting to Tumblr; as you can see, it automatically redirected. Let me again type it over here, and you can see it will again automatically redirect itself. As you can see, it is redirecting back to Tumblr. Through this, we can confirm the IP belongs to Tumblr. All right.

00:03:59,690 --> 00:05:00,450
Now, what about the subdomain that we have got? So let me copy-paste this into the browser and let's see what happens. So I'm going to paste this, and you can see we got an error, which is "There's nothing here." All right, and it got redirected back to the main domain. Let me show it once again: tumblr.srsecure.xyz, and it will redirect back to the main domain because there is no domain or nothing over here. Let me just close this, close this and close this. Now, we have identified the vulnerable subdomain, and the fingerprint for this particular Tumblr takeover is "There's nothing here." This is the fingerprint where it says there's nothing here, whatever you're looking for doesn't exist over here. All right. So now we have identified, and we have completed our step number one.
00:05:00,910 --> 00:05:37,590
Now, step number two is to take over the subdomain successfully and perform a subdomain takeover. For that, you just need to create an account. So I have already created an account. So let me show you over here; as I have logged in, as you can see, I'm logged in over here now. You just need to click on your username. Once you click on this username, as you can see, I have created a note as well, which is PoC of Subdomain Take-Over. Let me go back to my profile, click it over here and click over here, and let me go to settings now.

00:05:38,770 --> 00:06:25,080
In the settings you can see, these are the settings for e-mail, password and other settings. Let me click on the e-mail setting. It's not over here; let me click again on the blogs. Yeah, so it is in the blogs. When you click on blogs, you will be able to see the blog name over here. You can see the username, and under the username you can see a custom domain. Now it is asking for a custom domain. And let's try to put our custom domain, so let's say this is our custom domain, https://, and click on Test domain. If you get a message which is "It's good," then it is working perfectly fine. If we get a message that something is wrong, then it is not working fine.
00:06:25,300 --> 00:06:56,670
So let me add apple.com over here to show you what the wrong message is that you get, or the false message, for domains which are not pointed to Tumblr. As you can see, the subdomain's name is not pointing to Tumblr, but this is the message that you are going to get in case you have got a false domain which is not pointed to Tumblr. OK, now let's get back to srsecure and let's again click on Test domain, and we have got a message. It says, "It's good."

00:06:56,860 --> 00:08:00,070
Let me save this. Once I have saved this, now the attacker is successfully able to get this particular Tumblr URL. So let me just go over here, and you can see this is the PoC of subdomain take-over. Perfect. Now, we are able to take this particular subdomain successfully, and we can post any malicious content that we want over here because we have full control of that particular subdomain. Now, if the original owner wants the subdomain, then we need to delete it from here and we need to turn this off. And through this, our subdomain will get disabled and the original program owner can claim it back. Remember, you have to do this step only after they have identified the vulnerability and they are providing you a reward, bounty or swag, anything of that sort, and you have discussed it with the program owner.
00:08:00,070 --> 00:08:22,450
And they want to mitigate this issue in case they want to continue using this subdomain. You have to delete it from here or basically disable it from here. Or if they do not want this particular subdomain, then they can just directly delete the entry from their DNS. All right. So I hope you guys understood how you can do the subdomain take-over for Tumblr. Thank you.