Adding Pantheon #24
Comments
|
Just letting you know we're not ignoring this one - just trying to carve out some time to properly test it. |
|
Sure, take your time. Thanks for the follow up information! |
EdOverflow
added
the
vulnerable
|
Resolved with #83 |
|
i think it doesn't work anymore |
|
Yup agreed with @omaramin17. |
Did you find fix for this? |
|
I just tried it and I confirm it is not possible to takeover. Any other update so far? |
Is it not possible to takeover on pantheon anymore? |
|
I just took over many patheon subdomains. You need to activate your account using a credit card. I used a virtual credit card and it worked for free. |
|
pantheon is vulneable Did many takeover this month |
|
@aadityao1 @pdelteil can you please mention the steps in detail. |
|
Sure, I will, just need some time. |
|
@pdelteil update the steps bro |
|
Hello, Any dork for this? |
|
Hey, I recently found a page with the Pantheon 404 error. I made an account and paid the $50 dollar signup fee. But when I tried to add the vulnerable subdomain, it gave me a “this domain belongs to another organization.” So I cant say for sure if it’s totally impossible to takeover in all situations, but for me it didn’t work and sadly lost money in the process. Thanks for your work! |
Here.. I used a virtual credit card with no funds to bypass the payment step. |
|
I can confirm it's possible still to take over Pantheon domains. Using a virtual credit card I managed to bypass the payment of 50 dollars. |
It might not be vulnerable anymore.
|
|
Is there an up-to-date way to get around the $50 payment? |
|
Reach me over twitter if you need to test a takeover |
|
I think it's not possible to perform this take over anymore.
|
|
So, this is a edge case. Since some subdomains are vulnerable, while others are not. I don't know the reason. |
|
@pdelteil Although a site using pantheon does not have the word "dev" in its cname, this subdomain adds "dev-" to the beginning when I take over the address. what is the reason of this? |
I don't really know, that seems to be new on the site. |
|
Is this still possible? I have access to the Basic subscription, however, I'm getting the error: Maybe the company has an enterprise subscription with the domain that causes this error? |
Hello, I haven't tried lately. If you can't add a specific domain doesn't mean you can't add others. |
|
Thanks for the answer @pdelteil , what do you mean with others? Despite of not being able to add Thanks! |
What I meant is, if one domain is not vulnerable doesn't mean other domains are not vulnerable. You just need to try them all. |
I won't tolerate abusive and rude behavior. I have helped many researchers, almost all of them were respectful and we agreed on the terms of the collaboration. You insulting me describes very well your character. |
|
@pdelteil I regret asking for help from you.. Since you know the domain name now, go ahead report it , i dont care now ! |
|
@pdelteil what's your Twitter i want to get subdomain checked |
Hi, I don't longer have a paid account on Pantheon. |
|
anybody did do a recent takeover on pantheon? and have a subscription? |
yes, it still vulnerable |
do you have a subscription? if yes, please mention your twitter. |
yes, i have basic plan i take some of juicy domain out there
|
check your Twitter DM. Thanks. |
|
anybody did do a recent takeover on pantheon? |
|
can someone help me takeover this |
You can reach me over twitter: philippedelteil |
|
Can someone please help me to takeover a subdomain registered to pantheon, |
|
@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn
|
is it patched already? |
I'm trying to message you but you don't recieve messages, you probably disabled inbox in twitter |
Currently I have been able to verify that depending on the DNS configuration on the server side, the subdomain belonging to the domain "pantheonsite.io" can be acquired, obtaining as a consequence the primary DNS "blog.redacted.com" with "dev-redacted.pantheonsite.io" .
Sorry for the delay, it's already enabled. |
Still can't message you, You can message me then @Ma3en188 |
|
Hi There, After reading this conversation, I want to understand my vulnerability. I found a pantheon-takeover vulnerability on my target using nuclei. I tried to exploit it by referring blogs, registering a domain (not sandbox), and purchasing a basic plan subscription. However, I received an error You cannot add the domain XXXXXX as it belongs to another organization. If you believe you've received this message in error, please contact Pantheon support when I entered my victim domain in Domains/HTTPS. I need some guidance on what I might be doing wrong. Should I upgrade to a professional subscription or create a domain in the sandbox with a basic subscription? or does this vulnerability not work anymore? @pdelteil will you help? Sent you a DM on twitter. |
Hey can you dm me twitter for testing takeover? I can't send a message to you |
|
Anyone open for collab? I have case to investigate, but I don't have valid pantheon account to test. |
@hoshigakikisame dm me on Twitter |
|
@proabiral I've sent you a dm. |
|
Looks like Pantheon takeovers are not possible anymore... unless someone finds a "bypass" in the future. |
|
Yeah, I didn't get any luck either in the last case. |
and others
Hey,
I just wanted to submit another website: Pantheon.
Reference: https://medium.com/@hussain_0x3c/hostile-subdomain-takeover-using-pantheon-ebf4ab813111
The text was updated successfully, but these errors were encountered: