EdOverflow / can-i-take-over-xyz

"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.

Campaign Monitor takeover PoC

SSSEAL-C opened this issue · comments

I AM NOT RESPONSIBLE FOR MISUSE OF THIS, THIS GUIDE IS FOR BUG BOUNTY PURPOSES ONLY.

When an unclaimed Campaign Monitor domain is found, here are the steps to follow to upload text and a redirect under the domain.

Takeover

  1. Register an account here https://www.campaignmonitor.com/
  2. Select the option that the account is for just me and my team
  3. Once you are in the dashboard click your icon in the top right for a drop down menu, then click Account settings
  4. Click Customize, then Custom domain.
  5. Paste the domain you found that was vulnerable and click next
  6. Verify the DNS and then return to the overview page
  7. You have now stolen the domain

Text Upload (PoC)

  1. Go to campaigns
  2. Create a new campaign, the campaign name does not matter. (do not use repeat names)
  3. Click Design Email, then Import HTML
  4. Just make a very basic HTML file somewhat like the following:
    <html><body><p>PoC Takeover by ...</p></body></html>
  5. Upload that file as the HTML page and press Start import.
  6. Ignore the assistant, press Save & next.
  7. Add a default Subject and make the sender your email, and then make the recipients a different email.
    Subject: PoC
    From: myemail@example.com
    To: mydummyemail@example.com

Note: You might have to add the recipient to an email list, just go there and do so then use that list.

  8. Click Prepare to send, Send immediately and just press continue and send.
  9. Check your dummy email, also check spam for your email, the subject will be the name of the campaign.
  10. Once you have received the email you will see the HTML we uploaded, now we have to get the URL, to do this you must do the following in order:
  11. Copy the link to unsubscribe. DO NOT OPEN IT, COPY IT
  12. The URL will be somewhat like this: example.com/t/y-u-nstjdy-dljljrtluk-l/
  13. Modify it as so: example.com/t/y-e-nstjdy-dljljrtluk-b
  14. Open the modified link
  15. The link you open will redirect to a longer URL with your PoC text! Submit the short link as your PoC

Redirect

  1. Go to campaigns
  2. Create a new campaign, the campaign name does not matter. (do not use repeat names)
  3. Click Design Email, then Use a template
  4. Pick any template you see that has a button. eg. Newsletter
  5. Once the template editor is open, click one of the buttons to edit them.
  6. Change the button text to 'PoC' or something memorable, and change the URL to the desired URL destination.
  7. Click Save & next.
  8. Add a default Subject and make the sender your email, and then make the recipients a different email.
    Subject: PoC
    From: myemail@example.com
    To: mydummyemail@example.com

Note: You might have to add the recipient to an email list, just go there and do so then use that list.

  9. Click Prepare to send, Send immediately and just press continue and send.
  10. Check your dummy email, also check spam for your email, the subject will be the name of the campaign.
  11. Right click the button labelled 'PoC' (or whatever you changed it to) and click copy link. That link will redirect to your desired URL, through the domain.

Comments

I hope this is helpful! I couldn't find a direct way to upload scripts due to the CSP being limited and file upload limitations. I tried messing with the file upload section of the import HTML email design area but I couldn't find where it uploads the files to on the domain? If any of you make progress let me know in the comments.

Have a nice day, and happy bug bounty!
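
A defender-side check for the link shapes described in this issue, added here as an example and not part of the original post or the can-i-take-over-xyz project: it scans URLs from a mail gateway or proxy log and flags hosts in your own zone that serve campaign-style `/t/...` links without being an approved custom domain. The path pattern is an assumption generalised from the two sample URLs above; the function name, the kind labels and the sample data are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Path shape generalised from the post's two sample URLs
# (/t/y-u-nstjdy-dljljrtluk-l/ and /t/y-e-nstjdy-dljljrtluk-b).
# Assumption: not a documented Campaign Monitor format.
LINK_PATH = re.compile(r"^/t/[a-z0-9]+-([a-z])-[a-z0-9]+-[a-z0-9]+-[a-z0-9]+/?$")
KINDS = {"u": "unsubscribe link", "e": "hosted email content"}


def find_unsanctioned_links(urls, zone, sanctioned_hosts):
    """Return sorted, de-duplicated (host, kind) pairs for campaign-style links
    on hosts inside `zone` that are not approved custom domains."""
    zone = zone.lower().rstrip(".")
    sanctioned = {h.lower().rstrip(".") for h in sanctioned_hosts}
    hits = set()
    for raw in urls:
        try:
            # Logged URLs are often scheme-less, as in the post; "//" lets urlsplit find the host.
            parts = urlsplit(raw if "://" in raw else "//" + raw)
            host = (parts.hostname or "").rstrip(".")
        except ValueError:
            continue  # malformed URL in the log, nothing to attribute
        # Suffix match on a label boundary so notexample.com is not treated as in-zone.
        if host != zone and not host.endswith("." + zone):
            continue
        if host in sanctioned:
            continue
        m = LINK_PATH.match(parts.path)
        if m:
            hits.add((host, KINDS.get(m.group(1), "other campaign link")))
    return sorted(hits)


# Constructed sample of URLs as a mail gateway or proxy log might record them.
SAMPLE_URLS = [
    "https://news.example.com/t/y-u-nstjdy-dljljrtluk-l/",   # approved custom domain
    "http://old-promo.example.com/t/y-e-nstjdy-dljljrtluk-b",
    "old-promo.example.com/t/y-u-nstjdy-dljljrtluk-l/",
    "https://notexample.com/t/y-e-nstjdy-dljljrtluk-b",      # outside the zone
    "https://old-promo.example.com/team/about",              # ordinary page
]

if __name__ == "__main__":
    for host, kind in find_unsanctioned_links(SAMPLE_URLS, "example.com", {"news.example.com"}):
        print(f"review DNS record for {host}: serving {kind}")
```

Any host this reports should be checked against the zone file: if its record still points at the email service but no account in your organisation has it configured as a custom domain, remove the record.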