In this article, we will go through the steps to take over subdomains that point to an expired or unregistered Gemfury service, as I see that no one has written about this before.
What is Gemfury?
Gemfury is a hosted repository for public and private packages.
The beginning …
While testing subdomains of a private target on HackerOne (let’s call it marshmello.io), I found that one of their subdomains, “repo.marshmello.io”, redirected me to https://gemfury.com/404.
When I saw this, I ran dig on it and found that it pointed to “repo.marshmello.io.furyns.com”.
The first thing I do when I find a subdomain that may be vulnerable to subdomain takeover is go to the great repository Can I take over XYZ to see if there is any issue about my case. Unfortunately, I didn’t find anything, and after searching for writeups, I didn’t find any writeup talking about this issue.
I told myself, let’s register and look at the documentation of this service, and gotcha: it’s a free service and it is so easy to take over its expired subdomain.
Steps to reproduce
- Go to https://gemfury.com/ and create a new account
- Go to Settings > Domains (https://manage.fury.io/manage/$YOUR_USERNAME/domains)
- You will see the add custom domain field; just type the subdomain and click Add
- Go to the subdomain now and gotcha 😀 it has been successfully taken over.
See you later 😉
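For anyone auditing their own zone for this condition, here is an added example (not code from the original post or from Gemfury) that scans a zone export for CNAMEs under furyns.com and flags the ones whose HTTP response redirects to https://gemfury.com/404, the two signs described above. The zone lines, the recorded responses and the function names are constructed for illustration, and treating any 3xx status as the redirect is an assumption.

```python
from urllib.parse import urlsplit

FURY_SUFFIX = ".furyns.com"            # CNAME suffix reported in the article
REDIRECTS = {301, 302, 303, 307, 308}  # assumption: any redirect status counts

# Constructed zone export (BIND style); marshmello.io is the article's placeholder.
SAMPLE_ZONE = """\
$ORIGIN marshmello.io.
www    300 IN A     192.0.2.10
repo   300 IN CNAME repo.marshmello.io.furyns.com.
gems       IN CNAME gems.marshmello.io.furyns.com.
pkg.marshmello.io. 300 IN CNAME pkg.marshmello.io.furyns.com.
docs   300 IN CNAME docs.example.net.
; old  300 IN CNAME old.marshmello.io.furyns.com.
"""
# Constructed observations: host -> (HTTP status, Location header).
SAMPLE_RESPONSES = {"repo.marshmello.io": (302, "https://gemfury.com/404"),
                    "gems.marshmello.io": (200, None)}

def gemfury_cnames(zone_text):
    """Return {fqdn: target} for CNAME records that point under furyns.com."""
    origin, found = "", {}
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop comments, tokenize
        if len(fields) >= 2 and fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        # Record shape: name [ttl] [class] CNAME target
        if len(fields) < 3 or fields[-2].upper() != "CNAME":
            continue
        name, target = fields[0].lower(), fields[-1].rstrip(".").lower()
        if name == "@":
            name = origin
        elif name.endswith("."):
            name = name.rstrip(".")
        else:
            name = f"{name}.{origin}"
        if target.endswith(FURY_SUFFIX):
            found[name] = target
    return found

def is_unclaimed(status, location):
    """True when the response is the redirect to gemfury.com/404 seen in the article."""
    if status not in REDIRECTS or not location:
        return False
    url = urlsplit(location)
    return (url.hostname or "").lower() == "gemfury.com" and url.path.rstrip("/") == "/404"

def audit(zone_text, responses):
    """Label each Gemfury CNAME as dangling, serving or unverified."""
    report = {}
    for host in gemfury_cnames(zone_text):
        if host not in responses:
            report[host] = "unverified"
        else:
            report[host] = "dangling" if is_unclaimed(*responses[host]) else "serving"
    return report
```

A "dangling" result means the CNAME should be removed from DNS or the domain re-added under an account you control; "serving" still needs a check that the account behind it is yours.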