Gemfury Subdomain takeover

Hi Guys,

In this article, we will go through the steps to take over subdomains that point to an expired or unregistered Gemfury service, as I see that no one has written about this before.

What is Gemfury?

Gemfury is a hosted repository for public and private packages.

The beginning …

While testing subdomains of a private target @ Hackerone (let’s make it marshmello.io), I found that one of their subdomains, “repo.marshmello.io”, redirected me to https://gemfury.com/404

When I saw it, I dug into it and found it pointed to “repo.marshmello.io.furyns.com”.

The first thing I do when I find a subdomain that may be vulnerable to subdomain takeover is go to the great repository Can I takeover XYZ to see if there is any issue about my case. Unfortunately I didn’t find anything, and after searching for a write-up, I didn’t find any write-up talking about this issue.

I told myself, let’s register and read the documentation of this service, and gotcha: it’s a free service and it is so easy to take over its expired subdomains.

Steps to reproduce

  1. Go to https://gemfury.com/ and create a new account
  2. Go to Settings > Domains (https://manage.fury.io/manage/$YOUR_USERNAME/domains)
  3. You will see the add custom domain field; just type the subdomain and click Add
  4. Go to the subdomain now and gotcha 😀 it has been successfully taken over.
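For owners of a zone, the two signs described above (a CNAME under furyns.com and a redirect to https://gemfury.com/404) can be checked against your own records. The following is an added example, not code from the original post: the zone export, the host gems.marshmello.io and the observed final URLs are constructed sample data, and the function names are hypothetical.

```python
import re

# Indicators taken from the write-up above.
FURY_CNAME_SUFFIX = ".furyns.com"
FURY_UNCLAIMED_URL = "https://gemfury.com/404"

# Matches "name [ttl] [IN] CNAME target" lines of a BIND-style zone export.
CNAME_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)

def gemfury_cnames(zone_text):
    """Return {hostname: cname_target} for records aliased to Gemfury."""
    found = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        m = CNAME_RE.match(line)
        if not m:
            continue
        name = m.group("name").rstrip(".").lower()
        target = m.group("target").rstrip(".").lower()
        if target.endswith(FURY_CNAME_SUFFIX):
            found[name] = target
    return found

def dangling_hosts(zone_text, final_urls):
    """Hosts aliased to Gemfury whose observed final URL is the 404 page.

    final_urls maps hostname -> URL reached after following redirects,
    collected separately (for example with an HTTP client).
    """
    return sorted(
        host for host in gemfury_cnames(zone_text)
        if final_urls.get(host, "").rstrip("/") == FURY_UNCLAIMED_URL
    )

# Constructed sample data (hypothetical zone, not from the original post).
SAMPLE_ZONE = """\
; constructed example zone for marshmello.io
www.marshmello.io.   300 IN CNAME marshmello.io.
repo.marshmello.io.  300 IN CNAME repo.marshmello.io.furyns.com.
gems.marshmello.io.  300 IN CNAME gems.marshmello.io.furyns.com.
"""
SAMPLE_FINAL_URLS = {
    "repo.marshmello.io": "https://gemfury.com/404",
    "gems.marshmello.io": "https://gems.marshmello.io/",
}

if __name__ == "__main__":
    for host in dangling_hosts(SAMPLE_ZONE, SAMPLE_FINAL_URLS):
        print(f"{host}: remove the CNAME or re-add the domain in Gemfury")
```

A host flagged here still has a DNS alias to Gemfury while no Gemfury account claims it, which is the condition the steps above rely on.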

See you later 😉

Thanks.
