TryHackMe - TakeOver

 ·  ☕ 2 min read  ·  ✍️ azadin

TakeOver

This challenge revolves around subdomain enumeration.

Title: TakeOver
Description: This challenge revolves around subdomain enumeration.
Points: 30
Difficulty: Easy
Maker: JohnHammond, cmnatic, fumenoid, timtaylor

Summary

TakeOver: Bricks Heist. In this machine we enumerate subdomains using different tools and debug errors until we find the juicy one that leads directly to the flag.


Description

Hello there,

I am the CEO and one of the co-founders of futurevera.thm. In Futurevera, we believe that the future is in space. We do a lot of space research and write blogs about it. We used to help students with space questions, but we are rebuilding our support.

Recently blackhat hackers approached us saying they could takeover and are asking us for a big ransom. Please help us to find what they can takeover.

Our website is located at https://futurevera.thm

Hint: Don’t forget to add the MACHINE_IP in /etc/hosts for futurevera.thm

Enumeration

We already know what we are looking for in this room, so we focus on the website and enumerate subdomains. I found two!

┌──(chida㉿kali)-[~/sus/oo]
└─$ ffuf -u https://10.10.247.124/ -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H 'Host: FUZZ.futurevera.thm' -fs 4605

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : https://10.10.247.124/
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.futurevera.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 4605
________________________________________________

blog                    [Status: 200, Size: 3838, Words: 1326, Lines: 81, Duration: 78ms]
support                 [Status: 200, Size: 1522, Words: 367, Lines: 34, Duration: 117ms]
[WARN] Caught keyboard interrupt (Ctrl-C)

We add them to /etc/hosts and navigate to them. Nothing special at first glance, but the certificate for support lists another subdomain:

[Image: subdomain]

We add this entry to our /etc/hosts file and navigate to it:

[Image: flag]

And that’s our flag.
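
The certificate observation above can be turned into a check a site owner runs against their own certificates: list the dNSName entries in the subjectAltName extension and report any that are missing from the inventory of hostnames meant to be public. This is an added example, not code from the original write-up; the function names, the minimal DER scanner and the sample extension bytes (including the `placeholder-internal` hostname) are constructed for illustration.

```python
import ssl

SAN_OID = bytes.fromhex("0603551d11")  # DER encoding of OID 2.5.29.17 (subjectAltName)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def san_dns_names(der):
    """Extract dNSName entries from the subjectAltName extension in a DER blob."""
    start = der.find(SAN_OID)
    while start >= 0:
        try:
            tag, value, pos = _read_tlv(der, start + len(SAN_OID))
            if tag == 0x01:  # optional BOOLEAN 'critical' flag precedes the value
                tag, value, pos = _read_tlv(der, pos)
            if tag == 0x04:  # extnValue is an OCTET STRING wrapping GeneralNames
                seq_tag, names, _ = _read_tlv(value, 0)
                if seq_tag == 0x30:
                    out, i = [], 0
                    while i < len(names):
                        name_tag, val, i = _read_tlv(names, i)
                        if name_tag == 0x82:  # context tag [2] = dNSName
                            out.append(val.decode("ascii", "replace").lower())
                    return out
        except IndexError:
            pass  # byte pattern matched by chance; try the next occurrence
        start = der.find(SAN_OID, start + 1)
    return []

def undisclosed(der, inventory):
    """SAN hostnames that are not in the inventory of intended public names."""
    known = {h.lower() for h in inventory}
    return [n for n in san_dns_names(der) if n not in known]

def fetch_der(host, port=443):
    """Fetch a live certificate as DER (no chain validation, so self-signed works)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def _tlv(tag, value):  # short-form encoder, used only to build the sample below
    return bytes([tag, len(value)]) + value

# Constructed sample: a bare subjectAltName extension, not the room's certificate.
_names = b"".join(_tlv(0x82, n) for n in (
    b"support.futurevera.thm", b"placeholder-internal.support.futurevera.thm"))
SAMPLE_EXT = SAN_OID + _tlv(0x04, _tlv(0x30, _names))
```

Any name `undisclosed()` returns is visible to every client that completes a TLS handshake with the host, so it should either join the inventory or be dropped from the certificate.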

Written by azadin, Cybersecurity Engineer