Adding Pantheon

[0x00xx]

Hey,

I just wanted to submit another website: Pantheon.

Reference: https://medium.com/@hussain_0x3c/hostile-subdomain-takeover-using-pantheon-ebf4ab813111

[codingo]

Just letting you know we're not ignoring this one - just trying to carve out some time to properly test it.

[0x00xx]

Sure, take your time. Thanks for the follow up information!

[codingo]

Resolved with #83

[omaramin17]

i think it doesn't work anymore

[agrawalsmart7]

Yup agreed with @omaramin17.

[aadityao1]

Hey,

I just wanted to submit another website: Pantheon.

Reference: https://medium.com/@hussain_0x3c/hostile-subdomain-takeover-using-pantheon-ebf4ab813111

Did you find fix for this?

[cyberblackhole]

I just tried it and I confirm it is not possible to takeover. Any other update so far?

[wae23123wq]

I just tried it and I confirm it is not possible to takeover. Any other update so far?

Is it not possible to takeover on pantheon anymore?

[pdelteil]

I just took over many patheon subdomains.

You need to activate your account using a credit card. I used a virtual credit card and it worked for free.

[aadityao1]

pantheon is vulneable

Did many takeover this month

[cyberblackhole]

@aadityao1 @pdelteil can you please mention the steps in detail.

[pdelteil]

Sure, I will, just need some time.

[rockybhai0516]

@pdelteil update the steps bro

[united36]

Hello,

Any dork for this?

[spencer5cent]

Hey, I recently found a page with the Pantheon 404 error. I made an account and paid the $50 dollar signup fee. But when I tried to add the vulnerable subdomain, it gave me a “this domain belongs to another organization.” So I cant say for sure if it’s totally impossible to takeover in all situations, but for me it didn’t work and sadly lost money in the process. Thanks for your work!

[pdelteil]

Sure, I will, just need some time.

Here..

https://pdelteil.medium.com/how-i-took-over-several-stanford-subdomains-also-let-me-explain-you-the-pain-to-report-it-d84b08704be8

I used a virtual credit card with no funds to bypass the payment step.

[pdelteil]

I can confirm it's possible still to take over Pantheon domains.

Using a virtual credit card I managed to bypass the payment of 50 dollars.

[pdelteil]

I can confirm it's possible still to take over Pantheon domains.

Using a virtual credit card I managed to bypass the payment of 50 dollars.

It might not be vulnerable anymore.

;
; ANSWER SECTION:
xx.yy.com. 120 IN	CNAME	xx.yy.com.
zz.yy.com. 120	IN	A	23.185.0.3

[Dum7c]

Is there an up-to-date way to get around the $50 payment?

[pdelteil]

Reach me over twitter if you need to test a takeover

[pdelteil]

I think it's not possible to perform this take over anymore.

[pdelteil]

So, this is a edge case. Since some subdomains are vulnerable, while others are not. I don't know the reason.
Just will just need to try if the take over works.

[Phoenix1112]

@pdelteil Although a site using pantheon does not have the word "dev" in its cname, this subdomain adds "dev-" to the beginning when I take over the address. what is the reason of this?

[pdelteil]

@pdelteil Although a site using pantheon does not have the word "dev" in its cname, this subdomain adds "dev-" to the beginning when I take over the address. what is the reason of this?

I don't really know, that seems to be new on the site.

[niemand-sec]

Is this still possible? I have access to the Basic subscription, however, I'm getting the error:

You cannot add the domain XXXXXX as it belongs to another organization. If you believe you've received this message in error, please contact Pantheon support.

Maybe the company has an enterprise subscription with the domain that causes this error?

[pdelteil]

Is this still possible? I have access to the Basic subscription, however, I'm getting the error:

You cannot add the domain XXXXXX as it belongs to another organization. If you believe you've received this message in error, please contact Pantheon support.

Maybe the company has an enterprise subscription with the domain that causes this error?

Hello, I haven't tried lately. If you can't add a specific domain doesn't mean you can't add others.

[niemand-sec]

Thanks for the answer @pdelteil , what do you mean with others? Despite of not being able to add vuln.company.com, what would be the purpose of adding not-vuln.company.com. I would really appreciate if you could explain further.

Thanks!

[pdelteil]

Thanks for the answer @pdelteil , what do you mean with others? Despite of not being able to add vuln.company.com, what would be the purpose of adding not-vuln.company.com. I would really appreciate if you could explain further.

Thanks!

Want I meant is, if one domain is not vulnerable doesn't mean other domains are not vulnerable. You just need to try them all.

[pdelteil]

Guys just dont ask this b*tch for help : @pdelteil He will know the vulnersble domain from you , and try to block you for literally no valid reason !

Reach me over twitter if you need to test a takeover

I won't tolerate abusive and rude behavior. I have helped many researchers, almost all of them were respectful and we agreed on the terms of the collaboration.

You insulting me describes very well your character.

[Abdullah-4fg]

@pdelteil I regret asking for help from you..
All i needed was to confirm whether the domain can be hosted or not (because i dont have pantheon professional account), of which i didnt get the answer ...Instead you asking for program details .?!

Since you know the domain name now, go ahead report it , i dont care now !

[vansh1]

@pdelteil what's your Twitter i want to get subdomain checked

[pdelteil]

@pdelteil what's your Twitter i want to get subdomain checked

Hi, I don't longer have a paid account on Pantheon.