How recon helped me find a Facebook domain takeover
Hope you are all doing well. In this writeup I am going to show how I was able to take over a domain owned by Facebook.
After my final exams were over, I set myself some goals, and getting into the Facebook Hall of Fame was one of them. I had to go through some N/A and Informative reports, but finally I did it.
Here we go,
If you go to https://www.facebook.com/whitehat/info/ you will find that their acquisitions and partnerships are also in scope of their program. You could say that everything they own is in scope, excluding only a few domains. So without wasting time I started collecting the domains owned by Facebook.
What's the best way to find all the domains owned by a particular company?
Before you move ahead I recommend reading @0xpatrik's article on horizontal domain correlation.
Horizontal domain correlation:
Let's start by checking the WHOIS record of facebook.com.
Look at the Registrant Email: it's firstname.lastname@example.org. You can use this email to find all the other domains whose WHOIS record has the same registrant email as facebook.com.
For reverse WHOIS I found https://tools.whoisxmlapi.com/reverse-whois-search really helpful. You can also use https://viewdns.info, but there the results are limited. Tools like domlink or amass can also be used for horizontal domain correlation, as mentioned by @0xpatrik in his article.
Just go to https://tools.whoisxmlapi.com/reverse-whois-search and enter the email in the search field.
We got around 2,756 unique domains, which all have "email@example.com" in their WHOIS record.
Now don't stop here; we can still get more domains. Last time we used the Registrant Email, this time we will use the Registrant Name, and let's see the difference.
Cool, this time we get more domains than before, around 3,441.
Now let's remove the duplicates. Save all of this in one file, then:
sort filename | uniq | tee outputFileName
So finally we have around 4k unique domains, which have either Facebook Inc or firstname.lastname@example.org in their WHOIS record. You can still get more domains: this time pivot on something other than the registrant email or name, another field that is common across the domains you have already collected (such as the registrant organization or phone number).
Next, resolve the list and keep only the domains that actually resolve:
cat fb2.txt | ~/tools/filter-resolved | tee live-domains.txt
Then I used subfinder to find the subdomains of every domain in live-domains.txt:
subfinder -dL live-domains.txt -o subdomains.txt
Repeat the same step: run filter-resolved over the subdomains found by subfinder so that only resolving hosts remain.
For the last step I used webscreenshot to take screenshots of the subdomains.
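The whole pipeline from the two reverse-WHOIS exports to the screenshot list, as an added example (this is my script, not the author's and not the tools' own code). The two shell functions do the merge, normalisation, deduplication and scope filtering offline; the network stages reuse the same tools the writeup uses. The file names reverse-whois-email.txt, reverse-whois-name.txt and out-of-scope.txt, the RUN_RECON switch and the webscreenshot -i/-o flags are assumptions.

```sh
#!/usr/bin/env sh
# Added example, not the author's script. Merge the reverse-WHOIS exports
# (one keyed on registrant email, one on registrant name), normalise and
# dedupe them, drop the program's excluded domains, then resolve,
# enumerate subdomains and screenshot with the tools from the writeup.
# File names are assumptions.

# normalize_domains: stdin -> stdout. Lowercase every line, trim
# surrounding whitespace, drop a trailing dot and a leading "www.",
# discard blank and comment lines, then sort and deduplicate
# (sort -u does the "sort | uniq" from the writeup in one step).
normalize_domains() {
    tr 'A-Z' 'a-z' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/\.$//' -e 's/^www\.//' \
      | grep -v -e '^$' -e '^#' \
      | sort -u
}

# drop_excluded FILE: stdin -> stdout. Remove domains that appear
# (exact, whole-line match) in FILE, e.g. the few domains the program
# lists as out of scope. grep exits 1 when nothing is left, which is
# not an error here, so only other exit codes propagate.
drop_excluded() {
    excl="$1"
    if [ -s "$excl" ]; then
        grep -v -x -F -f "$excl" || [ "$?" -eq 1 ]
    else
        cat
    fi
}

# The network-dependent stages only run when asked for explicitly
# (RUN_RECON=1 sh recon.sh); the functions above work offline.
if [ "${RUN_RECON:-0}" = "1" ]; then
    # Root domains: merge, clean, filter scope, keep what resolves.
    cat reverse-whois-email.txt reverse-whois-name.txt \
      | normalize_domains \
      | drop_excluded out-of-scope.txt \
      | tee all-domains.txt \
      | ~/tools/filter-resolved \
      | tee live-domains.txt >/dev/null

    # Enumerate subdomains of every live root, then resolve those too.
    subfinder -dL live-domains.txt -o subdomains.txt
    ~/tools/filter-resolved < subdomains.txt > live-subdomains.txt

    # Screenshot what resolves (-i/-o flag names are an assumption;
    # check webscreenshot -h).
    webscreenshot -i live-subdomains.txt -o screenshots/
fi
```

The exclusion file holds one domain per line and is matched exactly, so a listed root does not accidentally exclude its subdomains; if you want that behaviour, filter the subdomain list with a suffix match instead.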
While going through the screenshots I found this domain: www.buckbuild.com.
I followed this article to prove the takeover: https://0xpatrik.com/takeover-proofs/
Then I uploaded something to verify whether the takeover was successful. And yes! Here we go: my first subdomain takeover.
July 08 — Initial report
July 11 — Report triaged
July 12 — Fixed
July 17 — Bounty awarded: $500
Thank you for reading till the end. I hope you enjoyed it.
One thing I want to share: after the screenshot step was done, I didn't bother looking through them, because they all looked the same. I thought there was no point, since other hunters had probably already looked at those domains, so I left it. Then after 2–3 days I looked at it again, and you all know what happened next.
Believe in yourself. Don't assume you won't find anything just because others are looking at the same thing and your chances seem lower.