
I'm a newbie ethical hacker and bug bounty hunter. Let's assume my target is somethingtohack.com. The thing is, the company's scope defines that the main domain is out of scope, but subdomains like subdomain.somethingtohack.com are in scope, and while hunting I've discovered an SSTI which is leading to RCE in the main domain, but the domain is out of scope. Forgive me for asking, but I'm new to this; my common sense is telling me that the root domain RCE can be taken into all the subdomains, because that's how the privilege should work: if the owner wants to run some code in all his subdomains, it's very dumb to put that code everywhere on every subdomain; what would be smarter is to let the main domain have the code and somehow it runs on all the subdomains.

I've tried to find resources for this all over the internet, but couldn't find any.

So, the main question is: if I can run code on the main domain, is it in any way possible to do that for its subdomains as well? And, if yes, how can I do that?

Thanks, this is a great community, hoping to learn something new from this question and fellow hackers.

Please, help me on this.

Happy hacking!!!

1 Answer


I'm no hacker, but I did my OSCP, so I know some bits here and there. I would say that in general, the answer is "Not necessarily", as it depends on the implementation & configuration of said resource.

As you should know, "subdomains" means that the IP addresses assigned to these subdomains may be different (although it's not mandatory). Imagine a fictional "mastercard.com" website that has the subdomain "us.mastercard.com" for the US, "ru.mastercard.com" for Russia, "ae.mastercard.com" for the UAE and so on. Each of these subdomains might have a different IP address, different infrastructure (OS / web server), and even a different technological stack (one domain might have content which is dynamically generated by PHP, and another may have static HTML content). This is actually quite a common case, especially for huge international corporations or franchise businesses, where different countries / business branches are acting independently on their own behalf.

On the other side, a subdomain can be hosted on the same web server, maintained by the same team, and developed using the same code base as the top-level domain. This is also something that is quite widespread.

Of course, it is absolutely clear that in the first case you will not be able to reproduce your exploit on the subdomain, while in the second one you might stand a big chance doing so.

Unfortunately, your question lacks important details to address your situation in particular. So, I suggest you start by determining whether your subdomains are actually hosted on the same infrastructure and using the same technological stack (if you're lucky, some fingerprinting techniques will help you here). If all looks different, your chances are really slim. If everything is the same, then you should try to exploit again and again and again, researching and adapting your attempts, as in any pentest. And if you discover that all the subdomains point towards the same server and same port as the main website, then most probably they are served by one server, and executing commands on it (which you can do already) might be accepted as a finding (just prove that you can view / modify the information related to the subdomains in scope). There are some legal risks here, probably, that require attention, but if the company is running a bug bounty program, I would expect they have at least some common sense.

Alex
  • Thanks for the clarification on this thing. Yes, this company is running a bug bounty programme, and I've contacted them with all the details because I found out the main domain is not using any resources in common with the subdomains; the servers and everything are different, so no luck here. But they have appreciated it and fixed it ASAP, because it's a big name in the market. No luck with the bounty, but I learned much in the process; thanks to you as well for helping with this. – Offensive Bug Hunter Oct 19 '21 at 08:25
  • Good to hear they've patched it) If my answer was of any help, please mark it as answer. – Alex Oct 19 '21 at 12:23
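The first step the answer recommends, checking whether the apex domain and the in-scope subdomains resolve to the same servers, as an added example that is not part of the original question or answer. The hostnames and addresses in `SAMPLE` are constructed (documentation-range IPs) so the script runs offline; `resolve_all()` would replace them with live DNS results. Hosts that share at least one address are grouped into one cluster, which is exactly the "same server and same port" case the answer describes.

```python
import socket
from collections import defaultdict

# Constructed sample resolution results (RFC 5737 documentation addresses),
# so the example runs offline. Swap in resolve_all(hosts) for live lookups.
SAMPLE = {
    "somethingtohack.com":        ["203.0.113.10"],
    "www.somethingtohack.com":    ["203.0.113.10"],
    "api.somethingtohack.com":    ["203.0.113.10", "203.0.113.11"],
    "us.somethingtohack.com":     ["198.51.100.5"],
    "ru.somethingtohack.com":     ["198.51.100.6"],
    "broken.somethingtohack.com": [],   # NXDOMAIN / dangling record
}

def resolve(host, port=443):
    """Return the sorted set of addresses (v4 and v6) a hostname resolves to."""
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []                        # unresolvable hosts form their own cluster
    return sorted({info[4][0] for info in infos})

def resolve_all(hosts):
    """Resolve every hostname in the list into the SAMPLE-shaped mapping."""
    return {h: resolve(h) for h in hosts}

def cluster_by_ip(host_to_ips):
    """Group hosts that share at least one address, transitively (union-find)."""
    parent = {h: h for h in host_to_ips}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    by_ip = defaultdict(list)
    for host, ips in host_to_ips.items():
        for ip in ips:
            by_ip[ip].append(host)
    for hosts in by_ip.values():             # every host on one IP joins one set
        for other in hosts[1:]:
            parent[find(other)] = find(hosts[0])
    clusters = defaultdict(list)
    for host in host_to_ips:
        clusters[find(host)].append(host)
    return [sorted(c) for c in clusters.values()]

def shares_infrastructure(host_to_ips, a, b):
    """True if hosts a and b land in the same cluster, i.e. the same origin server(s)."""
    return any(a in c and b in c for c in cluster_by_ip(host_to_ips))

if __name__ == "__main__":
    for cluster in cluster_by_ip(SAMPLE):
        print(cluster)
```

A shared address is necessary but not sufficient: a CDN or reverse proxy front can give unrelated backends the same IP, so confirm with the Server and other response headers before concluding that two hosts run the same code base.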