TakeOver - TryHackMe

CTF Writeup for TakeOver from TryHackMe


This CTF is based on careful subdomain enumeration.

We start with an nmap scan, which finds 22/tcp [SSH], 80/tcp [HTTP], and 443/tcp [HTTPS]. It's a Linux host.

When navigating to the given host domain 'futurevera[.]thm', we find a landing page.

futurevera[.]thm landing page.

After enumerating directories and walking the site for a short while, we find this page is no help to us, so we move on to enumerating subdomains.

user$ gobuster vhost -w subdomains -u http://futurevera.thm
HTTP VHOST enumeration.
HTTP VHOST enumeration results.
user$ gobuster vhost -w subdomains -u https://futurevera.thm -k
HTTPS VHOST enumeration ( -k to ignore TLS errors ).
HTTPS VHOST enumeration results.

The HTTP and HTTPS VHOST enumerations give two different sets of results; we will start by checking the HTTP subdomains.

portal[.]futurevera[.]thm HTTP page.
payroll[.]futurevera[.]thm HTTP page.

Enumerating the HTTP pages of these two results turns up nothing of substance, and their HTTPS counterparts return the original site.

Now to check the HTTPS subdomains.

blog[.]futurevera[.]thm HTTPS page.
support[.]futurevera[.]thm HTTPS page.

Enumerating these two subdomains, we don't find anything in their contents, which are mostly Space Ipsum (the space version of Lorem Ipsum). We can check their SSL/TLS certs for any additional information.

The blog page's cert had nothing of interest, but support's did.

support[.]futurevera[.]thm cert information.
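An added example (not part of the original writeup) of the certificate check above: it pulls the DNS names out of `openssl x509 -noout -text` output and lists those that vhost enumeration did not already find. It assumes the extra name sits in the Subject Alternative Name extension, which the writeup does not specify; the certificate excerpt and the `placeholder-hidden` label are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the DNS names a certificate discloses and flag the ones
# that vhost enumeration has not already found.

# Constructed excerpt of `openssl x509 -noout -text` output. The
# "placeholder-hidden" label is a stand-in, not the name from the room.
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:support.futurevera.thm, DNS:Placeholder-Hidden.support.futurevera.thm
            X509v3 Basic Constraints: 
                CA:FALSE'

# fetch_cert_text HOST [PORT]: print the leaf certificate as text, sending
# HOST as SNI so the server selects that vhost's certificate.
fetch_cert_text() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -text
}

# san_names: read certificate text on stdin and print each DNS
# subjectAltName entry on its own line, lowercased and de-duplicated.
san_names() {
  awk '/X509v3 Subject Alternative Name/ { getline; print }' |
    tr ',' '\n' |
    sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' |
    tr 'A-Z' 'a-z' | sort -u
}

# undiscovered KNOWN...: read names on stdin and print only those that are
# not an exact match for one of the already-known hostnames.
undiscovered() {
  known=$(printf '%s\n' "$@")
  grep -vxF -e "$known" || true
}

# Demo on the constructed excerpt; against a live host, replace the printf
# with: fetch_cert_text support.futurevera.thm
printf '%s\n' "$SAMPLE_CERT_TEXT" | san_names |
  undiscovered blog.futurevera.thm support.futurevera.thm \
               portal.futurevera.thm payroll.futurevera.thm
```

The same filter run over certificates you issue shows which internal hostnames they disclose to anyone who connects.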

When we navigate to this hidden subdomain, we find our flag.

********************[.]support[.]futurevera[.]thm HTTP raw.

This CTF is a very good lesson in why careful enumeration matters.

That's all :)