O Allah, benefit me with what You have taught me, teach me what will benefit me, and increase me in knowledge.

A new article on one of my interesting findings.

One of the coolest findings I have covered: beyond the AWS S3 bucket.

Nowadays, finding an S3 bucket is something impossible, but let's think outside the box. Amazon is a hosting provider for domain services, right? What if it's not the only hosting provider that is vulnerable to takeover?

So I searched to find every possible hosting provider like Amazon AWS. After the search, I grepped all the providers and tried every hosting provider to see if it is vulnerable or not.

After long nights, I found that other hosting providers are vulnerable, and I was able to take over the domain across the provider. So I brought out my Bash skills and built a tool that brings me the hosting provider of the domains, and only the vulnerable hosting providers.

Steps:

1- I go to the scope, grab the main domain, then put it in the Bash tool, which brings me the vulnerable domain.

I will publish the tool on GitHub soon, but here it is:

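#!/bin/bash
# Requires: curl, jq, dig. The API key is read from the environment.
: "${API_KEY:?Set API_KEY in the environment}"

# Hosting-provider strings to look for in CNAME targets (redacted by the author).
TARGETS=(
    "example"
    "example"
    "example"
)

# Print every subdomain of $1 returned by the subdomain-enumeration API.
get_subdomains() {
    local domain=$1 response

    # The API host is redacted in the original post. As written, bash expands
    # each $$ to the shell PID, so put the real API host here before running.
    response=$(curl -s -X GET "https://$$$$$$$$/v1/domain/$domain/subdomains?children_only=false" \
        -H "accept: application/json" \
        -H "apikey: $API_KEY")

    echo "$response" | jq -r --arg domain "$domain" '.subdomains[] + "." + $domain'
}

# Print the subdomain when its CNAME target contains one of the TARGETS strings.
check_cname() {
    local subdomain=$1 cname service
    cname=$(dig +short CNAME "$subdomain" | tr 'A-Z' 'a-z')

    # No CNAME record: nothing to check.
    if [[ -z "$cname" ]]; then
        return
    fi

    for service in "${TARGETS[@]}"; do
        if [[ "$cname" == *"$service"* ]]; then
            echo -e "$subdomain -> \e[31m$cname\e[0m"
            break   # report each subdomain once, even if several strings match
        fi
    done
}

main() {
    local domain sub
    read -rp "Enter Domain name: " domain

    get_subdomains "$domain" | while read -r sub; do
        check_cname "$sub"
    done
}

main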

2- I go to the hosting provider to see if I am able to take over the domain, and voilà. Once I claimed the domain, I reported it to them, and the team was so respectful.
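
A defender can run the same CNAME-to-provider comparison over their own zone export to list the records that depend on third-party hosting and need review whenever the hosted resource is removed. This is an added example, not the author's tool: the provider suffixes, zone records and function names are constructed, and it matches on label boundaries instead of the substring test used in check_cname.

```sh
#!/bin/sh
# Added example: list CNAME records in your own zone export that point at
# third-party hosting. Suffixes and records are constructed placeholders.
PROVIDER_SUFFIXES="hosting-a.example pages.hosting-b.example"

# Lowercase a DNS name and drop the trailing root dot that dig and zone files use.
normalize_name() {
    nn_name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    printf '%s' "${nn_name%.}"
}

# Print the provider suffix a CNAME target falls under; return 1 if none.
# The target must equal the suffix or end in ".suffix" (a label boundary),
# so look-alike names that merely contain the string are not reported.
match_provider() {
    mp_target=$(normalize_name "$1")
    for mp_suffix in $PROVIDER_SUFFIXES; do
        case "$mp_target" in
            "$mp_suffix" | *".$mp_suffix")
                printf '%s\n' "$mp_suffix"
                return 0 ;;
        esac
    done
    return 1
}

# Read "name ttl class type target" lines on stdin; print "name target provider".
audit_zone() {
    while read -r az_name az_ttl az_class az_type az_target; do
        [ "$az_type" = "CNAME" ] || continue
        if az_provider=$(match_provider "$az_target"); then
            printf '%s %s %s\n' "$(normalize_name "$az_name")" \
                "$(normalize_name "$az_target")" "$az_provider"
        fi
    done
}

# Constructed zone export: two real dependencies, one A record, two look-alikes.
SAMPLE_ZONE='shop.corp.example. 300 IN CNAME Store-1.hosting-a.example.
www.corp.example. 300 IN A 192.0.2.10
docs.corp.example. 300 IN CNAME team.pages.hosting-b.example.
blog.corp.example. 300 IN CNAME nothosting-a.example.
cdn.corp.example. 300 IN CNAME hosting-a.example.internal-cdn.example.'

printf '%s\n' "$SAMPLE_ZONE" | audit_zone
```

Only the shop and docs records are listed; the two look-alike targets contain a provider string but do not sit under a provider suffix, so a substring match would have reported them as well.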

Right now I think I am able to bypass the fix with a trick. I will report it to them and update the writeup once there is something to share.

I hope you enjoyed reading. Thinking outside the box never fails.

See you in another writeup.

#HackerOne #BugBounty #Tips #Hacking #BugCrowd