This post is about taking over vulnerable subdomains that point to the ngrok service.
A few days back streaak sent me a URL and told me to take over the subdomain using the steps present here: https://github.com/EdOverflow/can-i-take-over-xyz/issues/85
So I set up my ngrok account to take over the subdomain, but the steps didn't work as described in the URL above. When you run the command
./ngrok http 80 -subdomain cnameentry
it should have taken over the subdomain, but it didn't. It only runs ngrok on the CNAME entry, not on the actual subdomain.
So I decided to test further and set up ngrok on my own subdomain.
Take over a vulnerable subdomain:
If you visit the vulnerable subdomain, the error will be:
Tunnel subdomain.example.com not found
Check the CNAME entry of the subdomain; it will be something like
ngrok http -region=us -hostname=subdomain.example.com 80
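From the owner's side, the "Tunnel ... not found" error quoted above makes a dangling ngrok CNAME cheap to detect. The following is an added example (my code, not the author's or ngrok's): it parses CNAME records from a BIND-style zone export, fetches each host whose target is under ngrok.io (an assumption about the target domain), and flags those that return ngrok's "Tunnel <host> not found" body for the host being queried; the zone contents, hostnames and HTTP bodies are constructed samples.

```python
import re
import urllib.error
import urllib.request

# ngrok answers requests for an unclaimed tunnel name with this text (the error quoted in the post).
TUNNEL_NOT_FOUND = re.compile(r"Tunnel (?P<host>[\w.-]+) not found")

def parse_cnames(zone):
    """Map owner name -> target for the CNAME lines of a BIND-style zone file."""
    out = {}
    for line in zone.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[-2].upper() == "CNAME":
            out[parts[0].rstrip(".")] = parts[-1].rstrip(".")
    return out

def http_fetch(url, timeout=5.0):
    """Default fetcher: return the body even on 4xx/5xx, empty string on network failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # error pages still carry the body we need
        return err.read().decode("utf-8", "replace")
    except OSError:  # URLError, DNS failure, refused connection, timeout
        return ""

def classify(host, target, fetch=http_fetch):
    """Return 'dangling', 'active' or 'skip' for one CNAME record."""
    if not (target == "ngrok.io" or target.endswith(".ngrok.io")):  # assumed ngrok target domain
        return "skip"  # only records that delegate to ngrok are in scope
    match = TUNNEL_NOT_FOUND.search(fetch(f"http://{host}/"))
    # ngrok echoes the tunnel name it looked up; require it to be the host we asked for
    if match and match.group("host").lower() == host.lower():
        return "dangling"
    return "active"

def audit(zone, fetch=http_fetch):
    """Classify every CNAME in the zone; returns [(host, target, status), ...]."""
    return [(h, t, classify(h, t, fetch)) for h, t in parse_cnames(zone).items()]

# Constructed sample zone and canned HTTP bodies so the audit runs offline.
SAMPLE_ZONE = """\
app.example.com.  300 IN CNAME 1234abcd.ngrok.io.
old.example.com.  300 IN CNAME deadbeef.ngrok.io.
www.example.com.  300 IN CNAME example.github.io.
"""
SAMPLE_BODIES = {"http://app.example.com/": "<html>welcome to the app</html>",
                 "http://old.example.com/": "Tunnel old.example.com not found"}
fake_fetch = lambda url: SAMPLE_BODIES.get(url, "")  # stands in for http_fetch offline
```

Calling `audit(SAMPLE_ZONE, fake_fetch)` reports old.example.com as dangling, app.example.com as active and www.example.com as skipped; with the default `http_fetch` the same call runs against a real zone export.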