Just letting you know we're not ignoring this one - just trying to carve out some time to properly test it.

Sure, take your time. Thanks for the follow up information!

Resolved with #83

i think it doesn't work anymore

Yup agreed with @omaramin17.

Hey,

I just wanted to submit another website: Pantheon.

Reference: https://medium.com/@hussain_0x3c/hostile-subdomain-takeover-using-pantheon-ebf4ab813111

Did you find fix for this?

I just tried it and I confirm it is not possible to takeover. Any other update so far?

I just tried it and I confirm it is not possible to takeover. Any other update so far?

Is it not possible to takeover on pantheon anymore?

I just took over many patheon subdomains.

You need to activate your account using a credit card. I used a virtual credit card and it worked for free.

pantheon is vulneable

Did many takeover this month

@aadityao1 @pdelteil can you please mention the steps in detail.

Sure, I will, just need some time.

@pdelteil update the steps bro

Hello,

Any dork for this?

Hey, I recently found a page with the Pantheon 404 error. I made an account and paid the $50 dollar signup fee. But when I tried to add the vulnerable subdomain, it gave me a “this domain belongs to another organization.” So I cant say for sure if it’s totally impossible to takeover in all situations, but for me it didn’t work and sadly lost money in the process. Thanks for your work!

Sure, I will, just need some time.

Here..

https://pdelteil.medium.com/how-i-took-over-several-stanford-subdomains-also-let-me-explain-you-the-pain-to-report-it-d84b08704be8

I used a virtual credit card with no funds to bypass the payment step.

I can confirm it's possible still to take over Pantheon domains.

Using a virtual credit card I managed to bypass the payment of 50 dollars.

I can confirm it's possible still to take over Pantheon domains.

Using a virtual credit card I managed to bypass the payment of 50 dollars.

It might not be vulnerable anymore.

;
; ANSWER SECTION:
xx.yy.com. 120 IN	CNAME	xx.yy.com.
zz.yy.com. 120	IN	A	23.185.0.3

Is there an up-to-date way to get around the $50 payment?

Reach me over twitter if you need to test a takeover

I think it's not possible to perform this take over anymore.

So, this is a edge case. Since some subdomains are vulnerable, while others are not. I don't know the reason.
Just will just need to try if the take over works.

@pdelteil Although a site using pantheon does not have the word "dev" in its cname, this subdomain adds "dev-" to the beginning when I take over the address. what is the reason of this?

@pdelteil Although a site using pantheon does not have the word "dev" in its cname, this subdomain adds "dev-" to the beginning when I take over the address. what is the reason of this?

I don't really know, that seems to be new on the site.

Is this still possible? I have access to the Basic subscription, however, I'm getting the error:

You cannot add the domain XXXXXX as it belongs to another organization. If you believe you've received this message in error, please contact Pantheon support.

Maybe the company has an enterprise subscription with the domain that causes this error?

Is this still possible? I have access to the Basic subscription, however, I'm getting the error:

You cannot add the domain XXXXXX as it belongs to another organization. If you believe you've received this message in error, please contact Pantheon support.

Maybe the company has an enterprise subscription with the domain that causes this error?

Hello, I haven't tried lately. If you can't add a specific domain doesn't mean you can't add others.

Thanks for the answer @pdelteil , what do you mean with others? Despite of not being able to add vuln.company.com, what would be the purpose of adding not-vuln.company.com. I would really appreciate if you could explain further.

Thanks!

Thanks for the answer @pdelteil , what do you mean with others? Despite of not being able to add vuln.company.com, what would be the purpose of adding not-vuln.company.com. I would really appreciate if you could explain further.

Thanks!

What I meant is, if one domain is not vulnerable doesn't mean other domains are not vulnerable. You just need to try them all.

Guys just dont ask this b*tch for help : @pdelteil He will know the vulnersble domain from you , and try to block you for literally no valid reason !

Reach me over twitter if you need to test a takeover

I won't tolerate abusive and rude behavior. I have helped many researchers, almost all of them were respectful and we agreed on the terms of the collaboration.

You insulting me describes very well your character.

@pdelteil I regret asking for help from you..
All i needed was to confirm whether the domain can be hosted or not (because i dont have pantheon professional account), of which i didnt get the answer ...Instead you asking for program details .?!

Since you know the domain name now, go ahead report it , i dont care now !

@pdelteil what's your Twitter i want to get subdomain checked

@pdelteil what's your Twitter i want to get subdomain checked

Hi, I don't longer have a paid account on Pantheon.

anybody did do a recent takeover on pantheon? and have a subscription?

anybody did do a recent takeover on pantheon? and have a subscription?

yes, it still vulnerable

anybody did do a recent takeover on pantheon? and have a subscription?

yes, it still vulnerable

do you have a subscription? if yes, please mention your twitter.

anybody did do a recent takeover on pantheon? and have a subscription?

yes, it still vulnerable

do you have a subscription? if yes, please mention your twitter.

yes, i have basic plan i take some of juicy domain out there

anybody did do a recent takeover on pantheon? and have a subscription?

yes, it still vulnerable

do you have a subscription? if yes, please mention your twitter.

yes, i have basic plan i take some of juice domain out there

check your Twitter DM. Thanks.

anybody did do a recent takeover on pantheon?

can someone help me takeover this

can someone help me takeover this

You can reach me over twitter: philippedelteil

Can someone please help me to takeover a subdomain registered to pantheon,
it's in a bug bounty program, but i don't have money, So I want to get private invites at least to start my journey and I won't get it without finding vulnerabilities, can someone please help me to takeover it ?

@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn

• Currently I have been able to verify that there are different cases where an internal configuration allows the acquisition and reflection of the STO.

@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn

• Currently I have been able to verify that there are different cases where an internal configuration allows the acquisition and reflection of the STO.

is it patched already?

@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn

• Currently I have been able to verify that there are different cases where an internal configuration allows the acquisition and reflection of the STO.

I'm trying to message you but you don't recieve messages, you probably disabled inbox in twitter

@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn

• Currently I have been able to verify that there are different cases where an internal configuration allows the acquisition and reflection of the STO.

is it patched already?

Currently I have been able to verify that depending on the DNS configuration on the server side, the subdomain belonging to the domain "pantheonsite.io" can be acquired, obtaining as a consequence the primary DNS "blog.redacted.com" with "dev-redacted.pantheonsite.io" .
Sometimes certain servers do not reflect the change due to lack of verification or something I miss :/

@yozen188 , I have a valid account for TakeOver in pantheon, if you want a collaboration do not hesitate to write to my twitter @lainchxn

• Currently I have been able to verify that there are different cases where an internal configuration allows the acquisition and reflection of the STO.

I'm trying to message you but you don't recieve messages, you probably disabled inbox in twitter

Sorry for the delay, it's already enabled.

I'm trying to message you but you don't recieve messages, you probably disabled inbox in twitter

Sorry for the delay, it's already enabled.

Still can't message you, You can message me then @Ma3en188

Hi There,

After reading this conversation, I want to understand my vulnerability.

I found a pantheon-takeover vulnerability on my target using nuclei. I tried to exploit it by referring blogs, registering a domain (not sandbox), and purchasing a basic plan subscription. However, I received an error You cannot add the domain XXXXXX as it belongs to another organization. If you believe you've received this message in error, please contact Pantheon support when I entered my victim domain in Domains/HTTPS.

I need some guidance on what I might be doing wrong. Should I upgrade to a professional subscription or create a domain in the sandbox with a basic subscription? or does this vulnerability not work anymore?

@pdelteil will you help? Sent you a DM on twitter.

Reach me over twitter if you need to test a takeover

Hey can you dm me twitter for testing takeover? I can't send a message to you
my twitter id is: waeldevx

Anyone open for collab? I have case to investigate, but I don't have valid pantheon account to test.
Thanks.

Anyone open for collab? I have case to investigate, but I don't have valid pantheon account to test. Thanks.

@hoshigakikisame dm me on Twitter

@proabiral I've sent you a dm.

Looks like Pantheon takeovers are not possible anymore... unless someone finds a "bypass" in the future.

https://status.pantheon.io/incidents/53pq1528p18d

Yeah, I didn't get any luck either in the last case.