TryHackMe | TakeOver Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve the “TakeOver” room on TryHackMe together. In some sections, I’ll share a brief overview of the subject. Don’t forget: you must always do your own research to learn more. I hope it will be helpful for you. Let’s start!
Contents:
- Subdomain
- Subdomain Enumeration
- SSL Certificate
Subject
Hello there,
I am the CEO and one of the co-founders of futurevera.thm. In Futurevera, we believe that the future is in space. We do a lot of space research and write blogs about it. We used to help students with space questions, but we are rebuilding our support.
Recently, blackhat hackers approached us saying they could take over, and they are asking us for a big ransom. Please help us to find what they can take over.
Our website is located at “https://futurevera.thm”.
Hint: Don’t forget to add the MACHINE_IP in “/etc/hosts” for “futurevera.thm”.
Deploy the machine
Connect to TryHackMe network and deploy the machine.
Step 1: You need an OpenVPN configuration file to connect over VPN to the machines in TryHackMe.
Step 2: Use the openvpn command to start your VPN connection.
Step 3: Can you see the IP address of the machine?
Step 4: You can check your connection.
Important Information
There are three main terms we need to know before we start the solution.
What is “Subdomain”?
In the Domain Name System (DNS) hierarchy, a subdomain is a domain that is a part of another (main) domain. For example, if a domain offered an online store as part of their website “example.com”, it might use the subdomain “shop.example.com”.
What is “Subdomain Enumeration”?
Subdomain enumeration is the process of identifying all subdomains for a given domain. This can be useful for a variety of purposes, such as identifying potential targets for an attack, or simply for organizational purposes.
What is “SSL Certificate”?
An SSL certificate is a digital certificate that authenticates a website’s identity and enables an encrypted connection. SSL stands for “Secure Sockets Layer”, a security protocol that creates an encrypted link between a web server and a web browser; its successor is TLS, but the name “SSL certificate” has stuck.
Solution
Answer the questions below
Question Hint: This is an enumeration challenge; once you find it, it will straight up give you the flag.
Q1: What’s the value of the flag?
A1: Answer format: ****{********************************}
According to the hint provided, in order to access the website, we must map the machine’s IP address to the domain name in the “hosts” file located in the “/etc” directory.
The /etc/hosts file in Linux (and its equivalent in other operating systems) maps IP addresses to hostnames, and the resolver consults it before DNS.
Click the “Accept the Risk and Continue” button and keep going!
Do you believe we can change the world? Forget it, we’ll talk about this at a later time.
The first step is to identify the subdomains. To accomplish subdomain enumeration, we can utilize a variety of tools; you can take a look at some of them via the subdomain enumeration link in the Resources section at the end. Today we will use the tool called “ffuf”. So what is ffuf?
As its name describes, ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. To understand the program, we first need to understand what fuzzing is. Fuzzing is the automated process of sending many generated inputs to an application to find misconfigurations, unexpected behavior, or hidden parameters.
ffuf -w SecLists/Discovery/Web-Content/common.txt -H "Host: FUZZ.futurevera.thm" -u https://10.10.140.236
-w : Wordlist file path
-H : Header “Name: Value”, separated by colon (fuzzing the Host header lets us find virtual hosts even when they have no DNS records)
-u : Target URL
Every Host value the server does not recognise gets the same default page back, so we run the same wordlist again and filter out responses of that size:
ffuf -w SecLists/Discovery/Web-Content/common.txt -H "Host: FUZZ.futurevera.thm" -u https://10.10.140.236 -fs 4605 -c
-w : Wordlist file path
-H : Header “Name: Value”, separated by colon (fuzzing the Host header lets us find virtual hosts even when they have no DNS records)
-u : Target URL
-fs : Filter HTTP response size (hide responses whose body is exactly this many bytes, here the size of the default page)
-c : Colorize output
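To show what the two ffuf runs above are really doing, here is an added example (my own code, not part of the original walkthrough or of ffuf) that fuzzes the Host header against an in-process stand-in server and applies the same size filter automatically. The stand-in server, its two constructed virtual hosts (“blog” and “support”), and the mini wordlist are all invented for the demo; the lab box serves HTTPS with a self-signed certificate, so against it you would swap HTTPConnection for HTTPSConnection with an unverified context.

```python
import http.client
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the lab host: different content per Host header,
# and one fallback page for every name the server does not know.
KNOWN_VHOSTS = {
    "blog.futurevera.thm": b"<html><body><h1>Futurevera blog</h1><p>Space research posts.</p></body></html>",
    "support.futurevera.thm": b"<html><body><h1>Support</h1><p>Rebuilding, back soon.</p></body></html>",
}
DEFAULT_PAGE = b"<html><body><h1>Futurevera</h1><p>The future is in space.</p></body></html>"


class VHostHandler(BaseHTTPRequestHandler):
    """Answers every GET with the page belonging to the requested virtual host."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = KNOWN_VHOSTS.get(host, DEFAULT_PAGE)
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Start the stand-in server on a free loopback port and return it."""
    server = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(ip, port, host_header):
    """One request with a chosen Host header; returns (status, body length in bytes)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host_header})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def fuzz_vhosts(ip, port, domain, wordlist):
    """Mirror `ffuf -H "Host: FUZZ.domain" -fs <baseline>`.

    The baseline is measured from a random label that cannot exist; it is the
    number a ffuf user reads off the first run (4605 bytes in the walkthrough)
    and hands to -fs on the second run.
    """
    _, baseline_size = probe(ip, port, f"{uuid.uuid4().hex}.{domain}")
    hits = []
    for word in wordlist:
        candidate = f"{word}.{domain}"
        status, size = probe(ip, port, candidate)
        if size != baseline_size:  # same size as the fallback page: filtered out
            hits.append((candidate, status, size))
    return hits


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    # Constructed five-word list standing in for SecLists common.txt.
    for name, status, size in fuzz_vhosts("127.0.0.1", port, "futurevera.thm",
                                          ["admin", "blog", "dev", "support", "test"]):
        print(f"{name:30} [Status: {status}, Size: {size}]")
    srv.shutdown()
```

The size filter is a heuristic: a real virtual host whose page happens to be the same length as the fallback page would be hidden, which is why ffuf also offers filters on status code, word count and line count, and why a second run with a different filter is worth the time.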
We can access the relevant websites by adding the subdomains “blog” and “support” to the hosts file.
Click the “Accept the Risk and Continue” button and go on!
It appears to be a standard blog page. Let’s move on to the next!
It’s always the same thing… Click the “Accept the Risk and Continue” button.
I guess there is renovation work going on on the website.
Up to this point, I continued by examining the page source and certificate information, but I couldn’t find anything interesting.
However, while reviewing the certificate details for the website “support.futurevera.thm” I discovered something intriguing.
To examine the certificate information, click the “View Certificate” button.
If you look closely, there is an extra subdomain listed in the “DNS Name” section, which is the certificate’s Subject Alternative Name list. The word “secret” has always piqued my interest.
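The browser’s “View Certificate” dialog is just reading the Subject Alternative Name extension out of the certificate. The added example below (my own code, not from the walkthrough) does the same thing programmatically: it walks a DER-encoded certificate with a minimal ASN.1 reader, finds the extension with OID 2.5.29.17 and returns its dNSName entries. The sample certificate skeleton is constructed inline so the example runs offline, and the “secret” hostname in it is a placeholder because the post never prints the full name; fetch_cert_der shows how you would get the real DER from a live host instead.

```python
import socket
import ssl

SAN_OID = bytes.fromhex("551d11")  # DER encoding of id-ce-subjectAltName, 2.5.29.17


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; returns (tag, value, next_pos)."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509 certificates")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Iterate the TLVs packed inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner


def extract_san_dns(cert_der):
    """Return the dNSName entries of the Subject Alternative Name extension.

    An Extension is a SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL, extnValue
    OCTET STRING }, so we descend through every constructed node until we meet a
    SEQUENCE whose first child is the SAN OID.
    """
    tag, value, _ = read_tlv(cert_der, 0)
    return _search(tag, value)


def _search(tag, value):
    if not (tag & 0x20):  # primitive node: nothing to descend into
        return []
    kids = list(children(value))
    if tag == 0x30 and kids and kids[0][0] == 0x06 and kids[0][1] == SAN_OID:
        ext_value = next(v for t, v in kids if t == 0x04)  # extnValue OCTET STRING
        _, general_names, _ = read_tlv(ext_value, 0)      # SEQUENCE OF GeneralName
        # dNSName is GeneralName CHOICE [2]: context-specific primitive tag 0x82
        return [v.decode("ascii") for t, v in children(general_names) if t == 0x82]
    names = []
    for t, v in kids:
        names.extend(_search(t, v))
    return names


def tlv(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + content


def build_sample_cert(dns_names):
    """Constructed minimal certificate skeleton with just a SAN extension.

    Layout follows X.509: Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
    [0] version, ..., [3] Extensions } ... }; signature fields are left out.
    """
    general_names = b"".join(tlv(0x82, n.encode("ascii")) for n in dns_names)
    san_ext = tlv(0x30, tlv(0x06, SAN_OID) + tlv(0x04, tlv(0x30, general_names)))
    extensions = tlv(0xA3, tlv(0x30, san_ext))                 # [3] EXPLICIT Extensions
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + extensions)  # [0] version v3
    return tlv(0x30, tbs)


def fetch_cert_der(host, port=443):
    """Fetch the leaf certificate a live server presents for `host` (via SNI) as DER.

    Verification is disabled because lab hosts use self-signed certificates; with
    CERT_NONE, getpeercert() returns an empty dict unless binary_form=True, which
    is why the DER is parsed by hand above. Not called in this offline demo.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed sample; "secret-placeholder" stands in for the real hidden subdomain.
    sample = build_sample_cert(["futurevera.thm", "support.futurevera.thm",
                                "secret-placeholder.futurevera.thm"])
    for name in extract_san_dns(sample):
        print("DNS Name:", name)
```

Against the lab you would call extract_san_dns(fetch_cert_der("support.futurevera.thm")) after the hosts entry is in place. From the defender’s side the same walk over your own certificates is a cheap audit: every name in a SAN list is public the moment the certificate is served, so internal or unreleased hostnames do not belong in it.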
Let’s add the subdomain we discovered to the “hosts” file and see what happens!
Finally, it’s here!
Congratulations! You found the flag.
Note: Never forget to review the “page source” and “certificates”, even though sometimes they contain nothing useful.
Thank you for your time. See you soon! Until then, happy hacking ❤
Resources:
https://en.wikipedia.org/wiki/Subdomain
https://www.ceeyu.io/resources/blog/subdomain-enumeration-tools-and-techniques
https://www.kaspersky.com/resource-center/definitions/what-is-a-ssl-certificate
https://linuxhandbook.com/etc-hosts-file
https://blog.intigriti.com/2021/05/03/hacker-tools-ffuf-fuzz-faster-u-fool-2
https://www.kali.org/tools/ffuf
https://allabouttesting.org/top-25-example-usage-of-ffuf-web-fuzzer