Adding Pantheon #24

Closed
dxxzero opened this issue Jul 23, 2018 · 53 comments
Labels
vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service.

Comments

@dxxzero

dxxzero commented Jul 23, 2018

Hey,

I just wanted to submit another website: Pantheon.

Reference: https://medium.com/@hussain_0x3c/hostile-subdomain-takeover-using-pantheon-ebf4ab813111

@codingo
Collaborator

codingo commented Jul 27, 2018

Just letting you know we're not ignoring this one - just trying to carve out some time to properly test it.

@dxxzero
Author

dxxzero commented Jul 27, 2018

Sure, take your time. Thanks for the follow up information!

@EdOverflow EdOverflow added the vulnerable Someone has provided proof in the issue ticket that one can hijack subdomains on this service. label Sep 9, 2018
@codingo
Collaborator

codingo commented Apr 11, 2019

Resolved with #83

@codingo codingo closed this as completed Apr 11, 2019
@omaramin17

omaramin17 commented Apr 22, 2020

I think it doesn't work anymore

@agrawalsmart7

Yup agreed with @omaramin17.

@aadityao1

Hey,

I just wanted to submit another website: Pantheon.

Reference: https://medium.com/@hussain_0x3c/hostile-subdomain-takeover-using-pantheon-ebf4ab813111

Did you find a fix for this?

@cyberblackhole

I just tried it and I confirm it is not possible to takeover. Any other update so far?

@wae23123wq

I just tried it and I confirm it is not possible to takeover. Any other update so far?

Is it not possible to takeover on pantheon anymore?

@pdelteil
Contributor

pdelteil commented Sep 23, 2020

I just took over many Pantheon subdomains.

You need to activate your account using a credit card. I used a virtual credit card and it worked for free.

@aadityao1

Pantheon is vulnerable

Did many takeovers this month

@cyberblackhole

@aadityao1 @pdelteil can you please mention the steps in detail.

@pdelteil
Contributor

Sure, I will, just need some time.

@rockybhai0516

@pdelteil update the steps bro

@united36

Hello,

Any dork for this?

@spencer5cent

Hey, I recently found a page with the Pantheon 404 error. I made an account and paid the $50 dollar signup fee. But when I tried to add the vulnerable subdomain, it gave me a “this domain belongs to another organization.” So I can't say for sure if it’s totally impossible to takeover in all situations, but for me it didn’t work and sadly lost money in the process. Thanks for your work!

@pdelteil
Contributor

Sure, I will, just need some time.

Here..

https://pdelteil.medium.com/how-i-took-over-several-stanford-subdomains-also-let-me-explain-you-the-pain-to-report-it-d84b08704be8

I used a virtual credit card with no funds to bypass the payment step.

@pdelteil
Contributor

I can confirm it's possible still to take over Pantheon domains.

Using a virtual credit card I managed to bypass the payment of 50 dollars.

@pdelteil
Contributor

pdelteil commented Aug 5, 2021

I can confirm it's possible still to take over Pantheon domains.

Using a virtual credit card I managed to bypass the payment of 50 dollars.

It might not be vulnerable anymore.

;
; ANSWER SECTION:
xx.yy.com. 120 IN	CNAME	xx.yy.com.
zz.yy.com. 120	IN	A	23.185.0.3


Screenshot from 2021-08-04 22-29-34

@Dum7c

Dum7c commented Sep 10, 2021

Is there an up-to-date way to get around the $50 payment?

@pdelteil
Contributor

Reach me over twitter if you need to test a takeover

@pdelteil
Contributor

pdelteil commented Oct 5, 2021

I think it's not possible to perform this take over anymore.

Screenshot from 2021-10-05 15-04-32-2

@pdelteil
Contributor

pdelteil commented Oct 6, 2021

So, this is an edge case, since some subdomains are vulnerable while others are not. I don't know the reason.
You will just need to try if the takeover works.

@Phoenix1112

@pdelteil Although a site using pantheon does not have the word "dev" in its cname, this subdomain adds "dev-" to the beginning when I take over the address. what is the reason of this?

@pdelteil
Contributor

@pdelteil Although a site using pantheon does not have the word "dev" in its cname, this subdomain adds "dev-" to the beginning when I take over the address. what is the reason of this?

I don't really know, that seems to be new on the site.

@niemand-sec

Is this still possible? I have access to the Basic subscription, however, I'm getting the error:

You cannot add the domain XXXXXX as it belongs to another organization. If you believe you've received this message in error, please contact Pantheon support.

Maybe the company has an enterprise subscription with the domain that causes this error?

@pdelteil
Contributor

Is this still possible? I have access to the Basic subscription, however, I'm getting the error:

You cannot add the domain XXXXXX as it belongs to another organization. If you believe you've received this message in error, please contact Pantheon support.

Maybe the company has an enterprise subscription with the domain that causes this error?

Hello, I haven't tried lately. If you can't add a specific domain, that doesn't mean you can't add others.

@niemand-sec

Thanks for the answer @pdelteil , what do you mean with others? Despite of not being able to add vuln.company.com, what would be the purpose of adding not-vuln.company.com. I would really appreciate if you could explain further.

Thanks!

@pdelteil
Contributor

pdelteil commented Dec 30, 2021

Thanks for the answer @pdelteil , what do you mean with others? Despite of not being able to add vuln.company.com, what would be the purpose of adding not-vuln.company.com. I would really appreciate if you could explain further.

Thanks!

What I meant is, if one domain is not vulnerable doesn't mean other domains are not vulnerable. You just need to try them all.

@pdelteil
Contributor

Guys just don't ask this b*tch for help: @pdelteil. He will know the vulnerable domain from you, and try to block you for literally no valid reason!

Reach me over twitter if you need to test a takeover

I won't tolerate abusive and rude behavior. I have helped many researchers, almost all of them were respectful and we agreed on the terms of the collaboration.

You insulting me describes very well your character.

@abd-4fg

abd-4fg commented Feb 27, 2022

@pdelteil I regret asking for help from you.
All I needed was to confirm whether the domain can be hosted or not (because I don't have a Pantheon professional account), of which I didn't get the answer... Instead you are asking for program details?!

Since you know the domain name now, go ahead and report it, I don't care now!

@vansh1

vansh1 commented Mar 8, 2022

@pdelteil what's your Twitter? I want to get a subdomain checked

@pdelteil
Contributor

pdelteil commented Mar 8, 2022

@pdelteil what's your Twitter? I want to get a subdomain checked

Hi, I no longer have a paid account on Pantheon.

@FarjaalAhmad

anybody did do a recent takeover on pantheon? and have a subscription?

@Cvar1984

Cvar1984 commented Aug 1, 2022

anybody did do a recent takeover on pantheon? and have a subscription?

yes, it still vulnerable

@FarjaalAhmad

anybody did do a recent takeover on pantheon? and have a subscription?

yes, it still vulnerable

do you have a subscription? if yes, please mention your twitter.

@Cvar1984

Cvar1984 commented Aug 2, 2022

anybody did do a recent takeover on pantheon? and have a subscription?

yes, it still vulnerable

do you have a subscription? if yes, please mention your twitter.

yes, i have basic plan i take some of juicy domain out there

image

@FarjaalAhmad

anybody did do a recent takeover on pantheon? and have a subscription?

yes, it still vulnerable

do you have a subscription? if yes, please mention your twitter.

yes, i have basic plan i take some of juice domain out there

image

check your Twitter DM. Thanks.

@ro-fes

ro-fes commented Jan 25, 2023

anybody did do a recent takeover on pantheon?

@learnerboy88

can someone help me takeover this

@pdelteil
Contributor

pdelteil commented Feb 9, 2023

can someone help me takeover this

You can reach me over twitter: philippedelteil

@oran0s

oran0s commented Feb 20, 2023

Can someone please help me to takeover a subdomain registered to Pantheon?
It's in a bug bounty program, but I don't have money. So I want to get private invites at least to start my journey and I won't get it without finding vulnerabilities. Can someone please help me to takeover it?

@krkeeper-bh

@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn

  • Currently I have been able to verify that there are different cases where an internal configuration allows the acquisition and reflection of the STO.

@Yahy2

Yahy2 commented Mar 9, 2023

@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn

  • Currently I have been able to verify that there are different cases where an internal configuration allows the acquisition and reflection of the STO.

is it patched already?

@oran0s

oran0s commented Mar 9, 2023

@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn

  • Currently I have been able to verify that there are different cases where an internal configuration allows the acquisition and reflection of the STO.

I'm trying to message you but you don't receive messages, you probably disabled inbox in Twitter

@krkeeper-bh

@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn

  • Currently I have been able to verify that there are different cases where an internal configuration allows the acquisition and reflection of the STO.

is it patched already?

Currently I have been able to verify that depending on the DNS configuration on the server side, the subdomain belonging to the domain "pantheonsite.io" can be acquired, obtaining as a consequence the primary DNS "blog.redacted.com" with "dev-redacted.pantheonsite.io" .
Sometimes certain servers do not reflect the change due to lack of verification or something I miss :/

@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn

  • Currently I have been able to verify that there are different cases where an internal configuration allows the acquisition and reflection of the STO.

I'm trying to message you but you don't receive messages, you probably disabled inbox in Twitter

Sorry for the delay, it's already enabled.

@oran0s

oran0s commented Mar 16, 2023

I'm trying to message you but you don't receive messages, you probably disabled inbox in Twitter

Sorry for the delay, it's already enabled.

Still can't message you, You can message me then @Ma3en188

@gosusnkr

gosusnkr commented Jun 1, 2023

Hi There,

After reading this conversation, I want to understand my vulnerability.

I found a pantheon-takeover vulnerability on my target using nuclei. I tried to exploit it by referring blogs, registering a domain (not sandbox), and purchasing a basic plan subscription. However, I received an error "You cannot add the domain XXXXXX as it belongs to another organization. If you believe you've received this message in error, please contact Pantheon support" when I entered my victim domain in Domains/HTTPS.

I need some guidance on what I might be doing wrong. Should I upgrade to a professional subscription or create a domain in the sandbox with a basic subscription? or does this vulnerability not work anymore?

@pdelteil will you help? Sent you a DM on twitter.

@waelahmed-dev

Reach me over twitter if you need to test a takeover

Hey can you dm me twitter for testing takeover? I can't send a message to you
my twitter id is: waeldevx

@hoshigakikisame

Anyone open for collab? I have case to investigate, but I don't have valid pantheon account to test.
Thanks.

@proabiral

Anyone open for collab? I have case to investigate, but I don't have valid pantheon account to test. Thanks.

@hoshigakikisame dm me on Twitter

@hoshigakikisame

@proabiral I've sent you a dm.

@testusername911

Looks like Pantheon takeovers are not possible anymore... unless someone finds a "bypass" in the future.

https://status.pantheon.io/incidents/53pq1528p18d

@hoshigakikisame

Yeah, I didn't get any luck either in the last case.
