TakeOver
| Room | TakeOver |
|---|---|
| Author | JohnHammond, cmnatic, fumenoid, timtaylor |
| Difficulty | Easy |
Welcome to another blog post where I will be walking you through the TakeOver THM challenge. This is a relatively easy room which tests your enumeration skills. From the brief given, we are asked to find out what attackers can take over. With that said, let's get started.
First, we begin by doing a simple nmap scan to determine what ports are open and services running behind them.
```text
Nmap scan report for 10.10.195.131
Host is up (0.16s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 dd29a70c05691ff6260ad928cd40f020 (RSA)
| 256 cb2ea86d0366e970eb96e1f5ba25cb4e (ECDSA)
|_ 256 50d34ba8a24d1d79e17dacbbff0b2413 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to https://futurevera.thm/
|_http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: FutureVera
| ssl-cert: Subject: commonName=futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US
| Not valid before: 2022-03-13T10:05:19
|_Not valid after: 2023-03-13T10:05:19
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 23 13:07:42 2023 -- 1 IP address (1 host up) scanned in 1225.02 seconds
```
From the results above, we see that three ports are open. Port 80 redirects to https://futurevera.thm on 443. With that in mind, we need to add the domain to our /etc/hosts file.
Visiting the site, we get this beautiful site with space related shenanigans 😅
Nothing interesting here, so the next step is to try to enumerate other subdomains. For this we can use tools like Wfuzz or ffuf.
```text
➜ wfuzz -u http://futurevera.thm -H "Host: FUZZ.futurevera.thm" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hw 0
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://futurevera.thm/
Total requests: 114441
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000048: 200 1 L 9 W 69 Ch "portal"
000005309: 200 1 L 9 W 70 Ch "payroll"
```
We now have two sub-domains that we can add to our hosts file. Visiting these sub-domains, we get a notice that they are only accessible via the internal VPN.
Let's enumerate further, but this time specify https instead of http.
This time we discover 2 more sub-domains.
Nothing much is really found on the blog and support sub-domains.
However, if we inspect the SSL certificate, we get an additional sub-domain in the Subject Alternative Names (SANs).
If we visit the domain, we get the flag as shown below.
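The certificate check above is worth scripting, because the same disclosure is what a defender should audit for on their own hosts. As an added example (not part of the original writeup), the snippet below pulls a server's leaf certificate with `openssl s_client`, collects the CN and SAN hostnames, and reports any that are not on an allowlist of names meant to be public. The `openssl` binary on PATH is an assumption, and every hostname in the sample text other than futurevera.thm is a constructed placeholder, not the room's real SAN entry.

```python
import re
import subprocess

# Constructed sample of what `openssl x509 -noout -subject -ext subjectAltName` prints.
# Hostnames other than futurevera.thm are placeholders, not values from the room.
SAMPLE_CERT_TEXT = """subject=C = US, ST = Oregon, O = Futurevera, CN = futurevera.thm
X509v3 Subject Alternative Name:
    DNS:futurevera.thm, DNS:www.futurevera.thm, DNS:internal-placeholder.futurevera.thm, IP Address:10.10.195.131
"""


def cert_hostnames(cert_text: str) -> set[str]:
    """Collect the subject CN and every DNS SAN entry, case-folded; non-DNS SANs are ignored."""
    names = set()
    cn = re.search(r"\bCN\s*=\s*([^,\n]+)", cert_text)
    if cn:
        names.add(cn.group(1).strip().lower())
    for dns_name in re.findall(r"DNS:([^,\s]+)", cert_text):
        names.add(dns_name.lower())
    return names


def unexpected_hostnames(cert_text: str, public_hosts) -> list[str]:
    """Hostnames the certificate discloses that are not on the list of intentionally public names."""
    allowed = {h.lower() for h in public_hosts}
    return sorted(cert_hostnames(cert_text) - allowed)


def fetch_cert_text(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate (SNI set to host) and dump its subject and SAN extension.
    Requires an `openssl` binary on PATH (assumption) and network access to the target."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input="", capture_output=True, text=True, timeout=15,
    )
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName"],
        input=s_client.stdout, capture_output=True, text=True, check=True,
    )
    return x509.stdout


if __name__ == "__main__":
    import sys
    # With a hostname argument the live certificate is audited; otherwise the constructed sample is used.
    text = fetch_cert_text(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT_TEXT
    for name in unexpected_hostnames(text, ["futurevera.thm", "www.futurevera.thm"]):
        print("not on public allowlist:", name)
```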
Easy Peasy. Thanks for reading through, I hope you learnt a thing or two. Until the next blog post, stay safe and …