Getresponse.com vulnerable to subdomain takeover

[darkpills]

Service name

GetResponse - https://www.getresponse.com/

Vulnerable domain which can be takeover

Fingerprint: "Cette landing page n'est plus disponible" (FR)

Steps to takeover

1. Register an account on https://www.getresponse.com/
2. Create a new domain : My Account > Manage account > Landing page domain > Add domain: declare the victim subdomain to takeover: sub.victim.com
3. Do a "dig sub.victim.com" to get the CNAME. There should be a CNAME for any of the getresponse tool domains: gr8.com, subscribemenow.com, getresponsepages.com
4. Create a new landing page that will be displayed. In the Edit settings > landging page url settings > put the subdomain you saw previously like: test.gr8.com to make your landing page response to the sub.victim.com

[TheElgo64]

Hmmm, not vulnerable now.
30/12/2021

[darkpills]

I remember I could not make the association between the vulnerable domain with the admin interface, I had to open a ticket to the support to make them associate the domain even if it is not associated with any customer.

[GDATTACKER-RESEARCHER]

working i have tested

[lovepentest]

Not working now

[VictimV59]

is this still vulnerable? it's showing me that the victim subdomain is used in another account so that i can't register that and connect that here, but I'm unaware of how do they verify, no txt record or other verifications are done by them.

So, is this still vulnerable in any other way? and if not, how are they verifying that the victim subdomain doesn't belong to the attacker? is there a bypass to that?

looking forward to hearing from someone who has knowledge on this, also @lovepentest what did you see when you tested this, can you share that with us?

Thanks, happy hacking!

[GDATTACKER-RESEARCHER]

is this still vulnerable? it's showing me that the victim subdomain is used in another account so that i can't register that and connect that here, but I'm unaware of how do they verify, no txt record or other verifications are done by them.

So, is this still vulnerable in any other way? and if not, how are they verifying that the victim subdomain doesn't belong to the attacker? is there a bypass to that?

looking forward to hearing from someone who has knowledge on this, also @lovepentest what did you see when you tested this, can you share that with us?

Thanks, happy hacking!

It simply means it's already claimed by org or someone but the default page is not changed.

[VictimV59]

Do you mean, this service is still vulnerable if not claimed? But, in my case one party has claimed it already, they just haven't changed the landing page right?

Thanks, in advance for explaining @GDATTACKER-RESEARCHER 😄

[GDATTACKER-RESEARCHER]

Do you mean, this service is still vulnerable if not claimed? But, in my case one party has claimed it already, they just haven't changed the landing page right?

Thanks, in advance for explaining @GDATTACKER-RESEARCHER 😄

Yes

[VictimV59]

Thanks for explaining😄

[ceylanb]

Just took over several targets. Still vulnerable if you see the following page, and the domain was not already claimed. By the way, NS records must be coco.gr-ns.com and kiki.gr-ns.com.