Takeover
TryHackMe Takeover writeup by Thamizhiniyan C S
Overview
Greetings everyone,
In this write-up, we will tackle PC from TryHackMe.
Machine link: Takeover
Difficulty Level: Easy
Let's Begin 🙌
Firstly, connect to the THM server using the OpenVPN configuration file generated by THM. Click Here to learn more about how to connect to VPN and access the boxes.
Once connected to the VPN service, click on "Start Machine" to access the machine's IP.
Upon joining the machine, you will be able to view the IP address of the target machine.
Reconnaissance
Rustscan
rustscan -a 10.10.89.215

Results
The target machine has three services running:
22 - SSH
80 - HTTP
443 - HTTPS
Information Gathering - futurevera.thm
Add the machine's IP address to the /etc/hosts file on your attack box with reference to futurevera.thm and save it.

Now let's check the HTTP website running on port 80. It was a simple landing page. Nothing interesting was found.

Enumeration - futurevera.thm
Next I started enumeration. I tried directory enumeration, but didn’t get anything.
Subdomain Enumeration
So next I tried subdomain enumeration on the target.
I used ffuf for this task.
ffuf -u http://futurevera.thm/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.futurevera.thm"

The result had a lot of 302 responses. So this time I filtered out all the responses with a status code of 302 and ran the command again.
ffuf -u http://<target_ip>/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.futurevera.thm" -fc 302

And this time I found two subdomains. Now make sure to add these subdomains to the /etc/hosts file. You have to append the subdomains with the full URL [e.g. portal.futurevera.thm] to the previously added host, separated by a space:

Now I checked the portal.futurevera.thm subdomain.

It wasn’t accessible. So next I checked the payroll.futurevera.thm subdomain.

That was also not accessible.
Now we can check the HTTPS website:

It resulted in the same landing page.
Next, run ffuf on the HTTPS service to find the subdomains running via HTTPS.
ffuf -u https://<target_ip>/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.futurevera.thm" -fc 302

Since all the requests got a response with a status code of 200, our filter for code 302 didn’t work. So this time I tried to filter using size, since all the response sizes are 4605.
ffuf -u https://<target_ip>/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-20000.txt -H "HOST:FUZZ.futurevera.thm" -fs 4605

And I found two new subdomains. Now append these subdomains to the /etc/hosts file.

Navigate to https://blog.futurevera.thm/.

Nothing serious was found on this website.
Next I checked https://support.futurevera.thm/

It also has nothing.
Getting the Flag
So next I started to look at the certificates of all of the above subdomains.
You can view the certificate of a website as shown in the video below:
First I checked the certificate of blog.futurevera.thm. Didn’t find anything interesting.
Next I checked the certificate of support.futurevera.thm.

We can see that the value of the DNS Name property refers to secrethelpdesk934752.support.futurevera.thm.
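The DNS Name value shown in the browser is the certificate's Subject Alternative Name extension, which `openssl x509 -noout -text` also prints. As an added example (not part of the original write-up), the Python below parses that text output and reports names the certificate publishes that are missing from a host inventory; the sample certificate text, the `KNOWN_HOSTS` list (including the names assumed for the two HTTP results) and the function names are constructed for illustration.

```python
# Constructed excerpt of `openssl x509 -noout -text` output (not captured from the lab).
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:secrethelpdesk934752.support.futurevera.thm
            X509v3 Basic Constraints:
                CA:FALSE
"""

# Hosts already listed in /etc/hosts at this point of the write-up (assumed inventory).
KNOWN_HOSTS = [
    "futurevera.thm", "portal.futurevera.thm", "payroll.futurevera.thm",
    "blog.futurevera.thm", "support.futurevera.thm",
]


def san_dns_names(x509_text):
    """Return the DNS entries of the Subject Alternative Name extension."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        if "X509v3 Subject Alternative Name" in line:
            # OpenSSL prints the values on the following line, comma separated,
            # and may mix DNS entries with other types such as "IP Address:".
            values = lines[i + 1] if i + 1 < len(lines) else ""
            entries = [e.strip() for e in values.split(",")]
            return [e[4:].lower() for e in entries if e.startswith("DNS:")]
    return []  # certificate carries no SAN extension


def unlisted_names(san_names, inventory):
    """Names a certificate publishes that are missing from the inventory."""
    known = {h.lower() for h in inventory}
    return sorted(n for n in san_names if n not in known)


if __name__ == "__main__":
    for name in unlisted_names(san_dns_names(SAMPLE_X509_TEXT), KNOWN_HOSTS):
        print("certificate exposes unlisted hostname:", name)
```

Run against an organisation's own certificates, the same check shows which internal hostnames are readable by anyone who connects to the service.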
Now append this domain to the /etc/hosts file.

If we navigate to secrethelpdesk934752.support.futurevera.thm, we can see a server not found error.

But if you take a look at the error, you can see the server URL, which contains the flag.
We have successfully found the flag.
Thank You …..