GetClouder is cloud hosting service having bug bounty program. In Administration Panel we have some domain management tool for hosting our own domain names. After adding ANY domain - zone is configured on two DNS servers: nimbus.getclouder.com and cumulus.getclouder.com - even if we are not owner of the domain.
If you get NS records for getclouder.com domain, you'll see that it's hosted on same servers:
zoczus@hell:~$ host -t ns getclouder.com getclouder.com name server nimbus.getclouder.com. getclouder.com name server cumulus.getclouder.com.
So my first try was trying to add getclouder.com domain - of course it failed. ;)
Then - I tried to search if GetClouder have any other interesting domains. Here's what I found:
In short - yes, they have other domains. One of interesting - clouder.us or getclouder.info are hosted on ns1.clev1.net and ns2.clev1.net. Now - just check the IP addresses of this servers:
zoczus@hell:~$ host ns1.clev1.net
ns1.clev1.net has address 18.104.22.168
zoczus@hell:~$ host ns2.clev1.net
ns2.clev1.net has address 22.214.171.124
zoczus@hell:~$ host nimbus.getclouder.com
nimbus.getclouder.com has address 126.96.36.199
zoczus@hell:~$ host cumulus.getclouder.com
cumulus.getclouder.com has address 188.8.131.52
So we have few other possibilities to check. I tried to add clev1.net, it failed - but adding ns1.clev1.net - not. :) Win?
Yup - it was deffinetly win.
zoczus@hell:~$ host wow.ns1.clev1.net
wow.ns1.clev1.net has address 184.108.40.206
zoczus@hell:~$ dig +trace ns1.clev1.net
; <<>> DiG 9.8.3-P1 <<>> +trace ns1.clev1.net
;; global options: +cmd
;; Received 241 bytes from 220.127.116.11#53(18.104.22.168) in 122 ms
;; Received 488 bytes from 22.214.171.124#53(126.96.36.199) in 132 ms
;; Received 95 bytes from 188.8.131.52#53(184.108.40.206) in 167 ms
;; Received 152 bytes from 220.127.116.11#53(18.104.22.168) in 174 ms
We have full control of ns1.clev1.net - so everyone asking for - let's say - clouder.us will got response about it's hosted on ns1.clev1.net (and ns2.clev1.net) which points to IP addresses controled by us.
The second vulnerability was ability to add root-servers.net zone.
After adding just 3 root servers (a,b,c), pointing it to IP with DNSChef on board, and waiting few minutes this is what I got:
As GetClouder told me - it was result of one tool for checking if customer's domains are still pointed to its nameservers.
I want to thank GetClouder security team for realy fast responses and the way how they did treat me as researcher. That was one of my best bounty experiences :)