Hey guys, I am Dheeraj, and this blog is a simple write-up about the newly released TryHackMe lab, “Takeover”.
Room link - https://tryhackme.com/room/takeover
Room type - Free
Complexity Level - Medium
About the room -
I am the CEO and one of the co-founders of futurevera.thm. In Futurevera, we believe that the future is in space. We do a lot of space research and write blogs about it. We used to help students with space questions, but we are rebuilding our support.
Recently blackhat hackers approached us saying they could take over and are asking us for a big ransom. Please help us to find what they can take over.
Our website is located at https://futurevera.thm
Hint: Don't forget to add the 10.10.102.128 in /etc/hosts for futurevera.thm ; )
If you just try to open the website directly by typing futurevera.thm in your browser, either via the AttackBox or via the VPN connection, it won’t open.
That is because the website is not hosted on the internet, so you can’t reach it the way you reach other websites: your OS does not know which IP address is behind that domain. So, what do you do to access futurevera.thm?
You need to tell your OS that whenever you open futurevera.thm, it should send you to the machine IP address you got by starting the machine in that room.
How to do that in practice:
echo "Machine_ip futurevera.thm" | sudo tee -a /etc/hosts
Run the above command on your Linux machine, replacing Machine_ip with the IP you got in that room.
Note - please be connected to the OpenVPN or solve this room by using the attack box.
Now you can open the website by typing https://futurevera.thm/ in your browser, but you will get a certificate warning; click on “Advanced” and accept the risk.
Try your techniques to find what can be the potential loopholes for a takeover.
As the room description says, they write blogs on the website and the support page is in development, so we need to explore these two subdomains. We can’t access them directly, so we need to add them to /etc/hosts just like we did in the beginning (the file is root-owned, so the write goes through sudo tee):
echo "10.10.102.128 blog.futurevera.thm support.futurevera.thm" | sudo tee -a /etc/hosts
Now analyze both these subdomains, and try to find the flag.
While opening support.futurevera.thm, we get a certificate warning and, with it, a hint that one more subdomain exists: secrethelpdesk934752.support.futurevera.thm
We need to add this one to /etc/hosts as well; open the website and you will get the flag.
Another approach: go and check the certificate of support.futurevera.thm; the DNS Name entries in its Subject Alternative Name field are your treasure, because a certificate lists every hostname it was issued for, including ones that are never linked from the site.
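The certificate check above, as an added example that is not part of the original write-up: given the Subject Alternative Name dump that openssl prints for a host's certificate and your current /etc/hosts, it lists the SAN hostnames that still have no hosts entry and builds the same tee commands used earlier. The SAN output, the hosts file contents and the hostnames are constructed samples, and the openssl command in the comment is assumed to be how the dump was obtained.

```python
import re
from typing import Dict, List

# Constructed sample of what this check prints for a host's certificate
# (hostnames are hypothetical, chosen to match the room's naming):
#   openssl s_client -connect support.futurevera.thm:443 -servername support.futurevera.thm </dev/null 2>/dev/null \
#     | openssl x509 -noout -ext subjectAltName
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:support.futurevera.thm, DNS:secrethelpdesk934752.support.futurevera.thm
"""

# Constructed sample /etc/hosts holding the entries added earlier in the write-up.
SAMPLE_HOSTS = """127.0.0.1   localhost
# lab machine
10.10.102.128 futurevera.thm blog.futurevera.thm support.futurevera.thm
"""

def san_dns_names(ext_output: str) -> List[str]:
    """Return the DNS: entries of an openssl subjectAltName dump, deduplicated, in order."""
    names: List[str] = []
    for name in re.findall(r"DNS:([A-Za-z0-9*._-]+)", ext_output):
        name = name.lower()
        if name not in names:
            names.append(name)
    return names

def parse_hosts(hosts_text: str) -> Dict[str, str]:
    """Map every hostname in an /etc/hosts file to its IP, skipping comments and blank lines."""
    mapping: Dict[str, str] = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        ip, *hostnames = line.split()
        for host in hostnames:
            mapping[host.lower()] = ip
    return mapping

def missing_hosts_lines(ext_output: str, hosts_text: str, ip: str) -> List[str]:
    """/etc/hosts lines still needed so that every SAN hostname resolves to the lab IP."""
    known = parse_hosts(hosts_text)
    # Wildcard SANs (*.example) are skipped: /etc/hosts cannot express them.
    return [f"{ip} {name}" for name in san_dns_names(ext_output)
            if not name.startswith("*.") and name not in known]

def hosts_commands(ext_output: str, hosts_text: str, ip: str) -> List[str]:
    """The tee commands from the write-up, one per SAN hostname that is still missing."""
    return [f'echo "{line}" | sudo tee -a /etc/hosts'
            for line in missing_hosts_lines(ext_output, hosts_text, ip)]
```

The same check is useful from the other side: run it against your own certificates to see which internal hostnames they advertise to anyone who connects.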
Thanks for reading this write-up, you can follow me on Twitter for more amazing content like this. Also, feel free to ask your doubts on Twitter by tagging me, and I will surely reply with the required help.