> For the complete documentation index, see [llms.txt](https://sec88.0x88.online/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sec88.0x88.online/write-ups/exploring-subdomains-from-enumeration-to-takeover-victory.md).

# Exploring Subdomains: From Enumeration to Takeover Victory

> **In the name of ALLAH the most gracious the most merciful**

So today i will talk about how i got my critical subdomain takeover on ford motors

> *Ford* is a family *company*, one that spans the globe and has shared ideals. We value service to each other and the world as much as to our customers. Generations ...

### Choose target

<figure><img src="/files/1yxw1CDTDbvbnRiZloVG" alt=""><figcaption><p>our target is ford.com domain</p></figcaption></figure>

### Subdomain enumeration

First i collected subdomains using subfalcon

```bash
# Tool link: https://github.com/h0tak88r/subfalcon
go install github.com/h0tak88r/subfalcon/cmd/subfalcon@latest

# Usage
subfalcon -l domains.txt
# Results saved to subfalconResults.txt
```

<figure><img src="/files/QboMMN4RXUVYcEjB7SlC" alt=""><figcaption></figcaption></figure>

### Subdomain Takeover checking

So here i used my another go tool subov88r

```bash
# Tool Link 
https://github.com/h0tak88r/subov88r
# Install
go install github.com/h0tak88r/subov88r@latest
# passing subfalcon results to subov88r
subov88r -f subfalconResults.txt
```

The results was something like

<figure><img src="/files/2c8Pq7hS4SwnBDgHkhtc" alt=""><figcaption></figcaption></figure>

the result that talk my attention was like

```bash
[ www.<subdomain>.ford.com, <subdomain>.trafficmanager.com, NXDOMAIN] Possiply Vulnerable to subdomain takeover vulnerability
```

So i quickly started to look into this subdomain but the `httpx` tool didn't recognize this subdomain as a valid domain

Then i decided to see this subdomain in the browser and as i expected\\

<figure><img src="/files/TP2fAbtN37Com6oHAElF" alt=""><figcaption><p>Message that the subdomain may not be valid</p></figcaption></figure>

Ok let's check can i take over xyz project

<https://github.com/EdOverflow/can-i-take-over-xyz/issues/35>\
Oh no they say that it is not vulnerable

<figure><img src="/files/O9D4C5x2RIDOgoSiv1VG" alt=""><figcaption></figcaption></figure>

Still, I didn't give up. I decided to investigate on my own, and guess what? I found out that there was indeed an issue, and I successfully took control of it. It's always good to double-check! 🛡️🌐

Undeterred, I decided to manually investigate, and voila! Success – I managed to take over the CNAME `<vulnerable>.trafficmanager.com` . Always good to verify! 🛡️🌐

<figure><img src="/files/bPHdIacKu7vpgg3Swpqb" alt=""><figcaption></figcaption></figure>

Then reported the issue with HIGHT severity and the Team changed the severity to Critical and triaged my report\
Update: Issue Resolved !!

<figure><img src="/files/0yCgqZ2ksyJQXGMaKFAh" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://sec88.0x88.online/write-ups/exploring-subdomains-from-enumeration-to-takeover-victory.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.