How I got rewarded with a Telescope from Celestron, one of the world’s leading telescope manufacturers.

Febin
5 min readSep 6, 2021

Hi. This is Febin, Junior Cyber Security Engineer.

In this article I am going to explain how I got a telescope as a reward from Celestron for finding a subdomain takeover vulnerability on their site.

I am not only interested in hacking, red teaming and AppSec but also in astronomy, stargazing, and reading about astrophysics and cosmology. So it has been a dream to have a telescope at home, but I didn't have enough money to buy one. Then I thought of taking it to the next level: what about hacking one of the leading telescope companies, reporting the vulnerabilities to them, and getting a telescope from them as a bounty or reward? And yes, this is exactly what I did.

Let's move to the technical side.

First I took Celestron as a target. I went to celestron.com, which is their main e-commerce site, and tried many things like XSS, CSRF, SSTI etc., but none of them worked, which is expected as it's built on the Shopify e-commerce platform. Later I enumerated all of celestron.com's subdomains using "Subfinder" and stored them in a text file.

subfinder -d celestron.com -silent > celestron.txt

Then I used "httprobe" to find the live subdomains in the list.

cat celestron.txt | httprobe

There I found something interesting: every subdomain came back as valid. httprobe reported every single subdomain URL as live. So I copied one of the URLs and opened it in my browser, and there I found this:

Boom! They had somehow misconfigured the DNS so that all the subdomains pointed to Shopify, which means anyone, including an attacker, could claim the subdomains via Shopify.

To prove the vulnerability, I created a trial account in Shopify, created a demo site there, and added home.celestron.com to my Shopify domain config, as in the image below.

Example

Then I opened home.celestron.com in another tab. Surprise! Surprise!

The subdomain home.celestron.com was hijacked by me.

I reported this to Celestron; the IT department fixed the issue and agreed to gift me a nice telescope. After a couple of weeks I got the "Celestron StarSense Explorer 80AZ" telescope, shipped from their headquarters in Torrance, California, USA.

Now, let's take a look at subdomain takeover attacks.

What is Subdomain takeover?

A subdomain takeover occurs when an attacker gains control over a subdomain of a target domain. Typically, this happens when the subdomain has a canonical name (CNAME) record in the Domain Name System (DNS), but no host is providing content for it: either the CNAME target is a third-party service (Shopify, GitHub Pages, Heroku and the like) where nobody has claimed that hostname yet, or the target itself has been removed and no longer resolves. This can happen because a virtual host hasn't been published yet or a virtual host has been decommissioned while the DNS record was left behind. An attacker takes over the subdomain by registering or claiming the target name themselves and then hosting their own content for it.

If an attacker can do this, they can potentially read cookies set from the main domain, perform cross-site scripting, or circumvent content security policies, thereby enabling them to capture protected information (including logins) or send malicious content to unsuspecting users.

A subdomain is like an electrical outlet. If you have your own appliance (host) plugged into it, everything is fine. However, if you remove your appliance from the outlet (or haven't plugged one in yet), someone else can plug in a different one. You must cut power at the breaker or fuse box (delete the DNS record) to prevent the outlet from being used by someone else.
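The story above shows why "the host answers HTTP" is not the same as "the host is safe": every Celestron subdomain answered because they all pointed at Shopify, and only the unclaimed ones were exposed. The check a practitioner actually wants combines two pieces of evidence per host, the CNAME target and what the service says when it serves that hostname. The following Python is an added example and not code from the original post or from any of the tools it mentions. All hosts, DNS answers and response bodies in it are constructed sample data (the `shops.myshopify.com` target is Shopify's documented CNAME target, but nothing here is a real observation of celestron.com), and the fingerprint strings are the ones commonly published for each service, which can change over time, so a match is a lead to verify by hand, the way the author did by claiming the name, not proof on its own.

```python
# Added example (not from the original post): classify enumerated subdomains
# for takeover exposure from two pieces of evidence per host, the CNAME
# target and the HTTP response body. All hosts, DNS answers and bodies below
# are constructed sample data; the fingerprint strings are the commonly
# published ones for each service and can change, so treat a hit as a lead
# to verify manually, never as proof.
from dataclasses import dataclass
from typing import Dict, List, Optional

# CNAME target suffix -> text the service serves for a hostname nobody has claimed.
FINGERPRINTS = {
    "myshopify.com": "Sorry, this shop is currently unavailable.",
    "github.io": "There isn't a GitHub Pages site here.",
    "herokuapp.com": "No such app",
}


@dataclass
class Evidence:
    host: str
    cname: Optional[str]   # final CNAME target, or None for an A/AAAA record or no answer
    nxdomain: bool         # True when the CNAME target itself no longer resolves
    status: Optional[int]  # HTTP status of GET https://host/, None if nothing answered
    body: str              # response body, "" if none


def classify(e: Evidence) -> str:
    """Return a verdict for one host.

    'dangling-cname'      CNAME to a name that does not resolve: whoever registers
                          the target owns the subdomain.
    'unclaimed-<suffix>'  CNAME to a known hosting service that says the hostname
                          is not claimed by any tenant yet (the Celestron case).
    'claimed'             CNAME to a known service that already serves real content.
    'unknown-service'     CNAME to something not in FINGERPRINTS: review manually.
    'no-cname'            Not a CNAME at all; out of scope for this check.
    """
    if e.cname is None:
        return "no-cname"
    target = e.cname.rstrip(".").lower()
    if e.nxdomain:
        return "dangling-cname"
    for suffix, marker in FINGERPRINTS.items():
        if target == suffix or target.endswith("." + suffix):
            return f"unclaimed-{suffix}" if marker in e.body else "claimed"
    return "unknown-service"


def risky_hosts(evidence: List[Evidence]) -> Dict[str, str]:
    """Hosts worth reporting: dangling targets and unclaimed service hostnames."""
    verdicts = {e.host: classify(e) for e in evidence}
    return {h: v for h, v in verdicts.items()
            if v == "dangling-cname" or v.startswith("unclaimed-")}


# Constructed sample evidence. Note that the first two hosts both answer on
# 443 (httprobe would call both "live") because both point at Shopify, yet
# only the first is exposed.
SAMPLE = [
    Evidence("home.celestron.com", "shops.myshopify.com.", False, 404,
             "<h1>Sorry, this shop is currently unavailable.</h1>"),
    Evidence("www.celestron.com", "shops.myshopify.com.", False, 200,
             "<title>Celestron Telescopes</title>"),
    Evidence("docs.example.org", "example-org.github.io.", False, 404,
             "<p>There isn't a GitHub Pages site here.</p>"),
    Evidence("old.example.org", "retired-host.example-cdn.net.", True, None, ""),
    Evidence("static.example.org", "edge.example-hosting.net.", False, 403,
             "Forbidden"),
    Evidence("api.example.org", None, False, 200, "ok"),
]

if __name__ == "__main__":
    for host, verdict in risky_hosts(SAMPLE).items():
        print(f"{host}: {verdict}")
```

In a real run the `Evidence` records would be filled from the subfinder output: `dig +short CNAME <host>` (followed until the chain ends) for the target and whether it resolves, and `curl -sk https://<host>/` for the status and body. The output of this script is only a shortlist; the confirmation is the step the author performed, adding the hostname in the service's own admin panel and seeing it serve your content.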

What is the Impact?

How serious a subdomain takeover is depends on three factors:

The nature of the third-party service (if any) that the vulnerable subdomain points to. Does the vendor offer little to no customization, or does it allow you to modify the style of the landing page via custom JavaScript or CSS code? Does it restrict you to serving static content, or is it a full-blown platform-as-a-service (PaaS) offering on which you can deploy a Web server?

The purpose and popularity of the vulnerable subdomain. What was the subdomain used for before becoming vulnerable? Was it used to simply host API documentation or was it instead used to authenticate users? Is the subdomain still receiving traffic? Is the subdomain name long and obscure (e.g., exctxzzxxp09.test.example.org) or short and simple and, thus, unlikely to raise suspicion (e.g., auth.example.org)?

The trust relationship that the organization’s other Web assets have with the vulnerable subdomain. Would example.org blindly trust requests originating from the vulnerable subdomain? Would it accept to share sensitive data with that subdomain? Would it accept to load and execute JavaScript code hosted on that subdomain?

Now that you have a better idea of what factors into the impact of a subdomain takeover, let’s see how a malicious actor might exploit one.

Defacement

If possible, an attacker may decide to change the appearance of pages served by the vulnerable example.org subdomain to openly ridicule or embarrass your organization. This is exactly what happened in February 2017, when a hacker took control of secure2.donaldjtrump.com, a subdomain of Donald Trump's campaign-fundraising website, and left there a message that... well... did not really fall in line with the Trump campaign's strategy.


You can achieve subdomain takeovers on different platforms:

Thank you for reading.


Febin

CEH | CEH(Master) | eJPT | OSCP | CRTP |CyberSecurity Enthusiast | Security Researcher | Bug Hunter | Always seeks for knowledge