Hello
The title might have been clickbait, but it is not. I started with recon and discovered as many subdomains of the target.com company as possible. Then I used the dnsx tool to check all NXDOMAINs which have CNAME records. Among them I found a subdomain pointing to a cloudapp.azure.com domain, which looked like this:
dev.target.com 600 IN CNAME devexamplename.eastus.cloudapp.azure.com.
I logged into the MS Azure portal and created a virtual machine service, then entered devexamplename as the name of the virtual machine and selected the East US region… and the green tick appeared :), indicating that I could probably take over this domain. The best part is that the company clearly stated in its bug bounty policy: “If you find subdomain takeover, DO NOT take over it, just send us the proof”.
So I took a screenshot of the Azure panel, sent the report and cashed out $150.
See you next bug 🙂
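
For the owner of a zone, the same condition can be audited before anyone else finds it. The following is an added example, not code from the original post: it reads CNAME lines in the format shown above and reports those whose cloudapp.azure.com target no longer resolves, so the stale record can be deleted or repointed. The function names, the sample zone and the stub resolver are constructed for illustration.

```python
import socket

AZURE_VM_SUFFIX = ".cloudapp.azure.com"

def parse_cname_records(zone_text):
    """Yield (owner, target) for each '<owner> <ttl> IN CNAME <target>' line."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[2].upper() == "IN" and f[3].upper() == "CNAME":
            yield f[0].rstrip(".").lower(), f[4].rstrip(".").lower()

def system_resolves(hostname):
    """Default check: True if the name resolves to at least one address.
    Any lookup failure counts as unresolved, so confirm a hit with a second
    lookup before acting on it (a resolver outage looks the same)."""
    try:
        return bool(socket.getaddrinfo(hostname, None))
    except socket.gaierror:
        return False

def find_dangling_azure_cnames(zone_text, resolves=system_resolves):
    """Return CNAMEs whose <label>.<region>.cloudapp.azure.com target is dead."""
    findings = []
    for owner, target in parse_cname_records(zone_text):
        if not target.endswith(AZURE_VM_SUFFIX):
            continue
        labels = target[: -len(AZURE_VM_SUFFIX)].split(".")
        if len(labels) != 2:  # expect exactly <dns-label>.<region>
            continue
        if not resolves(target):
            findings.append({"owner": owner, "target": target,
                             "dns_label": labels[0], "region": labels[1]})
    return findings

# Constructed sample zone export (first line is the record from the post).
SAMPLE_ZONE = """\
dev.target.com 600 IN CNAME devexamplename.eastus.cloudapp.azure.com.
www.target.com 300 IN CNAME liveapp.westeurope.cloudapp.azure.com.
mail.target.com 300 IN CNAME mail.example.net.
"""

def sample_resolver(hostname):
    """Constructed stub so the example runs offline: only one target is live."""
    return hostname == "liveapp.westeurope.cloudapp.azure.com"

if __name__ == "__main__":
    for f in find_dangling_azure_cnames(SAMPLE_ZONE, sample_resolver):
        print(f"{f['owner']} -> {f['target']} does not resolve; "
              f"remove or repoint this CNAME")
```

Run against a real zone export, omit the second argument so the system resolver is used.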