TakeOver - Write-up - TryHackMe

Information

Room

  • Name: TakeOver
  • Profile: tryhackme.com
  • Difficulty: Easy
  • Description: This challenge revolves around subdomain enumeration.


Write-up

Overview

Install the tools used in this write-up on BlackArch Linux:

$ sudo pacman -S nmap ffuf

Preparation

Add the room's custom domain to your hosts file, pointing at the IP of your machine instance:

$ grep futurevera.thm /etc/hosts
10.10.48.46 futurevera.thm

Sub-domain enumeration

As you can learn in my ffuf room (Task 6 - Finding vhosts and subdomains), it's possible to use ffuf to enumerate sub-domains. There is no DNS here, so the brute force goes through the Host header: every request hits the same IP and only the Host value changes. The server answers every unknown vhost with the same default page, so that response has to be filtered out. Here its size is 4605 bytes (-fs 4605); find that value first with a single request carrying a Host that cannot exist, or let ffuf work it out with -ac.

➜ ffuf -u https://10.10.48.46 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.futurevera.thm' -fs 4605

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.0.0-dev
________________________________________________

:: Method : GET
:: URL : https://10.10.48.46
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.futurevera.thm
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 4605
________________________________________________

[Status: 200, Size: 1522, Words: 367, Lines: 34, Duration: 28ms]
* FUZZ: support

[Status: 200, Size: 3838, Words: 1326, Lines: 81, Duration: 28ms]
* FUZZ: blog

:: Progress: [4989/4989] :: Job [1/1] :: 873 req/sec :: Duration: [0:00:08] :: Errors: 0 :

Two sub-domains are identified: support and blog.
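What ffuf does in the command above is simple enough to reimplement, and doing so makes the -fs calibration explicit. The script below is an added example, not part of the original write-up: it calibrates a baseline by requesting a random label that cannot exist, then flags every label whose response size differs from that baseline. Because it has to run offline, it starts a small local HTTP server that plays the role of the target and answers differently for the support and blog vhosts; that server, its bodies and the short wordlist are constructed for the demo, not the room's box.

```python
"""Host-header (vhost) brute force with baseline calibration.

Added example, not from the original write-up: it reproduces what
`ffuf -H 'Host: FUZZ.futurevera.thm' -fs 4605` does and shows where the
filtered size comes from. The local server below is a constructed
stand-in for the target, not the room's machine.
"""
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# --- constructed stand-in for the target: picks a body by Host header ---------
VHOST_BODIES = {
    "support.futurevera.thm": b"<html>support portal</html>",
    "blog.futurevera.thm": b"<html>" + b"blog post " * 40 + b"</html>",
}
DEFAULT_BODY = b"<html>" + b"futurevera default vhost " * 20 + b"</html>"


class _VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        name = self.headers.get("Host", "").split(":")[0]
        body = VHOST_BODIES.get(name, DEFAULT_BODY)  # unknown vhost -> catch-all
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_fake_target():
    """Start the constructed server on an ephemeral port; returns (host, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address


# --- the technique -----------------------------------------------------------
def probe(host, port, vhost):
    """GET / with an explicit Host header; return (status, body length)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": vhost})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def calibrate(host, port, domain):
    """Size of the default vhost page, i.e. the value to give ffuf's -fs.

    A random label cannot match a configured vhost, so the server has to
    answer with its catch-all page."""
    bogus = f"{secrets.token_hex(8)}.{domain}"
    return probe(host, port, bogus)[1]


def fuzz_vhosts(host, port, domain, wordlist):
    """Return (label, status, size) for every label whose response differs
    from the calibrated baseline."""
    baseline = calibrate(host, port, domain)
    found = []
    for label in wordlist:
        status, size = probe(host, port, f"{label}.{domain}")
        if size != baseline:
            found.append((label, status, size))
    return found


if __name__ == "__main__":
    host, port = start_fake_target()
    words = ["www", "mail", "support", "dev", "blog", "api"]  # constructed wordlist
    print(f"baseline size: {calibrate(host, port, 'futurevera.thm')}")
    for label, status, size in fuzz_vhosts(host, port, "futurevera.thm", words):
        print(f"[{status}] {label}.futurevera.thm size={size}")
```

Against a real target, point `probe` at the box's IP and use the seclists wordlist; the one caveat is that a size filter only works while the catch-all page is static, so re-run the calibration if the baseline changes between runs.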

Now we can add them to the hosts file.

$ grep futurevera.thm /etc/hosts
10.10.48.46 futurevera.thm support.futurevera.thm blog.futurevera.thm

Cert viewing

OpenSSL can dump a remote SSL/TLS certificate, but the command is verbose and we don't need all the details, only the Subject Alternative Name (SAN) extension, where additional hostnames are often listed. The ssl-cert script of nmap prints exactly that. Run it once per hostname rather than once against the IP: the server picks the certificate from the SNI name sent in the TLS handshake, and as the output below shows, blog and support present different certificates:

➜ nmap -p 443 --script ssl-cert blog.futurevera.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 19:56 CEST
Nmap scan report for blog.futurevera.thm (10.10.48.46)
Host is up (0.027s latency).
rDNS record for 10.10.48.46: futurevera.thm

PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=blog.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US
| Issuer: commonName=blog.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-13T10:22:57
| Not valid after: 2023-03-13T10:22:57
| MD5: 8df0656c3814dd46c6ed5371e007d0e9
|_SHA-1: 6641a3bdc9f787f0bc84171abce4897b3711d28e

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

➜ nmap -p 443 --script ssl-cert support.futurevera.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-15 19:58 CEST
Nmap scan report for support.futurevera.thm (10.10.48.46)
Host is up (0.027s latency).
rDNS record for 10.10.48.46: futurevera.thm

PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=support.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US
| Subject Alternative Name: DNS:secrethelpdesk934752.support.futurevera.thm
| Issuer: commonName=support.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-13T14:26:24
| Not valid after: 2024-03-12T14:26:24
| MD5: aef3dd042e6ae9196b68ac30c2d1177a
|_SHA-1: d62ec5cadbe8c933359faa67f0adf6e7e4fee395

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds

The blog certificate carries no SAN (and had already expired when this scan was run), but the support.futurevera.thm certificate has a SAN entry revealing a hidden hostname: secrethelpdesk934752.support.futurevera.thm.
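The same lookup can be scripted when there are many vhosts to check. The code below is an added example, not part of the original write-up or of nmap: it fetches the DER certificate a server presents for a given SNI name (validation is switched off on purpose, since the box uses self-signed certificates and we only want to read the names) and walks the DER structure to pull out the dNSName entries of the SAN extension. `fetch_der_cert`, `san_dns_names` and `build_sample_cert` are names chosen here; the sample certificate the demo parses is constructed in the script (only the fields needed for the SAN lookup), so it runs offline. Only the fetch step touches the network.

```python
"""Extract SAN dNSName entries from a DER certificate.

Added example, not from the original write-up. It fetches the leaf
certificate a server presents for a given SNI name and locates the
subjectAltName extension (OID 2.5.29.17) with a minimal DER walker.
The sample certificate built by build_sample_cert() is constructed for
the offline demo and is not a real certificate.
"""
import socket
import ssl

SAN_OID = bytes.fromhex("551d11")  # 2.5.29.17  id-ce-subjectAltName


def fetch_der_cert(hostname, port=443, sni=None):
    """Return the DER leaf certificate presented for `sni` (defaults to hostname).

    verify_mode=CERT_NONE: we are reading names from self-signed certs,
    not trusting them. With binary_form=True the DER is returned anyway."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or hostname) as tls:
            return tls.getpeercert(binary_form=True)


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """All (tag, value) pairs found back to back in buf."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out


def _find_san_value(buf):
    """Depth-first search for Extension ::= SEQUENCE { OID san, [critical], OCTET STRING }.
    Returns the OCTET STRING content (DER GeneralNames) or None."""
    for tag, value in _children(buf):
        if tag == 0x30:
            kids = _children(value)
            if kids and kids[0] == (0x06, SAN_OID) and kids[-1][0] == 0x04:
                return kids[-1][1]
        if tag & 0x20:  # constructed: descend (primitives such as BIT STRING are skipped)
            hit = _find_san_value(value)
            if hit is not None:
                return hit
    return None


def san_dns_names(der):
    """dNSName entries ([2] IMPLICIT IA5String, tag 0x82) from the SAN, or []."""
    ext = _find_san_value(der)
    if ext is None:
        return []
    general_names = _children(ext)[0][1]  # the GeneralNames SEQUENCE
    return [v.decode("ascii") for t, v in _children(general_names) if t == 0x82]


def _der(tag, content):
    """Minimal DER encoder used only to build the constructed sample."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_sample_cert(dns_names):
    """Constructed stand-in for a certificate: version, serial and a SAN extension
    inside tbsCertificate, plus a dummy signature BIT STRING. Not a real cert."""
    general_names = _der(0x30, b"".join(_der(0x82, n.encode("ascii")) for n in dns_names))
    san_ext = _der(0x30, _der(0x06, SAN_OID) + _der(0x04, general_names))
    extensions = _der(0xA3, _der(0x30, san_ext))  # [3] EXPLICIT Extensions
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + extensions)
    return _der(0x30, tbs + _der(0x03, b"\x00"))


if __name__ == "__main__":
    sample = build_sample_cert(["secrethelpdesk934752.support.futurevera.thm",
                                "support.futurevera.thm"])
    print(san_dns_names(sample))
    # Live use (needs the box): for every vhost name, ask for that SNI name.
    # for name in ("blog.futurevera.thm", "support.futurevera.thm"):
    #     print(name, san_dns_names(fetch_der_cert("10.10.48.46", sni=name)))
```

The SNI argument is the part that matters: asking for the IP without `server_hostname`, or with the wrong name, returns whichever certificate the server serves by default and the hidden SAN is never seen.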

Again, add it to the hosts file.

$ grep futurevera.thm /etc/hosts
10.10.48.46 futurevera.thm support.futurevera.thm blog.futurevera.thm secrethelpdesk934752.support.futurevera.thm

Grab the flag

Requesting the hidden vhost over HTTP returns a 302 whose Location header points at an S3 static-website endpoint; the bucket name at the start of that hostname is the flag (redacted below). Use curl -I to read the headers without following the redirect.

$ curl http://secrethelpdesk934752.support.futurevera.thm -I
HTTP/1.1 302 Found
Date: Sat, 15 Apr 2023 18:03:13 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://flag{edited}.s3-website-us-west-3.amazonaws.com/
Content-Type: text/html; charset=UTF-8