TakeOver
desc
Hello there,
I am the CEO and one of the co-founders of futurevera.thm. In Futurevera, we believe that the future is in space. We do a lot of space research and write blogs about it. We used to help students with space questions, but we are rebuilding our support.
Recently blackhat hackers approached us saying they could takeover and are asking us for a big ransom. Please help us to find what they can takeover.
Our website is located at https://futurevera.thm
Hint: Don't forget to add the MACHINE_IP in /etc/hosts for futurevera.thm ; )
solution
echo "10.49.135.28 futurevera.thm" | sudo tee -a /etc/hosts
ping futurevera.thm
# PING futurevera.thm (10.49.135.28) 56(84) bytes of data.
# 64 bytes from futurevera.thm (10.49.135.28): icmp_seq=1 ttl=64 time=2.52 ms
# 64 bytes from futurevera.thm (10.49.135.28): icmp_seq=2 ttl=64 time=0.304 ms
curl -k https://futurevera.thm
Here I tried to find subdomains using sublist3r, or you can use ffuf.
ls /usr/share/seclists/Discovery/DNS/
# README.md fierce-hostlist.txt subdomains-top1million-110000.txt
# bitquark-subdomains-top100000.txt italian-subdomains.txt subdomains-top1million-20000.txt
# combined_subdomains.txt namelist.txt subdomains-top1million-5000.txt
# deepmagic.com-prefixes-top500.txt shubs-stackoverflow.txt tlds.txt
# deepmagic.com-prefixes-top50000.txt shubs-subdomains.txt
# dns-Jhaddix.txt sortedcombined-knock-dnsrecon-fierce-reconng.txt
sublist3r -d futurevera.thm
# not tried yet
gobuster dns -d futurevera.thm -w /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
# not tried yet
ffuf -u https://FUZZ.futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# found nothing
ffuf -u https://FUZZ.futurevera.thm -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
# found nothing
ffuf -u https://FUZZ.futurevera.thm -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
# found nothing
I gave up and checked a write-up, and it turned out my command was wrong: it should use -H "Host: FUZZ.futurevera.thm"
ffuf -u https://10.49.135.28/ -H "Host: FUZZ.futurevera.thm" -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
# this returns a lot of responses; find their size, then filter on it
ffuf -u https://10.49.135.28/ -H "Host: FUZZ.futurevera.thm" -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt --fs 4605
# Blog [Status: 200, Size: 3838, Words: 1326, Lines: 81, Duration: 5ms]
# Support [Status: 200, Size: 1522, Words: 367, Lines: 34, Duration: 3ms]
# blog [Status: 200, Size: 3838, Words: 1326, Lines: 81, Duration: 5ms]
# support [Status: 200, Size: 1522, Words: 367, Lines: 34, Duration: 8ms]
Add these to /etc/hosts as well
echo "10.49.135.28 blog.futurevera.thm" | sudo tee -a /etc/hosts
echo "10.49.135.28 support.futurevera.thm" | sudo tee -a /etc/hosts
After opening https://blog.futurevera.thm, there was nothing interesting.

Then open https://support.futurevera.thm; likewise, nothing was found there.
When we check the SSL certificate information, there is one interesting Subject Alt Name entry, namely DNS Name secrethelpdesk934752.support.futurevera.thm

We try to access that subdomain by adding it to /etc/hosts
echo "10.49.135.28 secrethelpdesk934752.support.futurevera.thm" | sudo tee -a /etc/hosts
After that, access https://secrethelpdesk934752.support.futurevera.thm, but it looks the same as the initial page
curl -ki https://secrethelpdesk934752.support.futurevera.thm
# found nothing
I was also curious whether plain HTTP would work, and it turned out the flag was there
curl -ik secrethelpdesk934752.support.futurevera.thm
# HTTP/1.1 302 Found
# Date: Tue, 06 Jan 2026 13:44:29 GMT
# Server: Apache/2.4.41 (Ubuntu)
# Location: http://flag{beea0d6edfcee06a59b83fb50ae81b2f}.s3-website-us-west-3.amazonaws.com/
# Content-Length: 0
# Content-Type: text/html; charset=UTF-8
flag
flag{beea0d6edfcee06a59b83fb50ae81b2f}
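
The plain-HTTP response in the solution is the takeover indicator: the hostname redirects to an S3 static-website endpoint. As an added example (not part of the original notes), this shell function pulls the bucket and region out of such a `Location` header so a defender can compare it against the buckets they own; `s3_redirect_target`, `audit_host` and the sample functions are hypothetical names, and the negative sample is constructed.

```sh
#!/bin/sh
# Added example: spot a redirect to an S3 static-website endpoint in raw
# response headers such as `curl -si` prints.

# Reads headers on stdin. Prints "<bucket> <region>" and returns 0 when the
# Location header points at an S3 website endpoint; returns 1 otherwise.
s3_redirect_target() {
  tr -d '\r' | awk '
    /^$/ { exit }                                  # blank line ends the headers
    tolower($0) ~ /^location:/ {
      host = $0
      sub(/^[^:]*:[ \t]*/, "", host)               # keep the header value
      sub(/^[A-Za-z]+:\/\//, "", host)             # drop the scheme
      sub(/[\/?#].*$/, "", host)                   # drop path, query, fragment
      sub(/:[0-9]+$/, "", host)                    # drop an explicit port
      host = tolower(host)
      # Both endpoint spellings: s3-website-REGION and s3-website.REGION
      if (match(host, /\.s3-website[-.][a-z0-9-]+\.amazonaws\.com$/)) {
        bucket = substr(host, 1, RSTART - 1)
        region = substr(host, RSTART + 12, RLENGTH - 26)
        print bucket, region
        found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# Response headers as shown in the notes above (CRLF endings, as on the wire).
sample_flagged() {
  printf 'HTTP/1.1 302 Found\r\nServer: Apache/2.4.41 (Ubuntu)\r\n'
  printf 'Location: http://flag{beea0d6edfcee06a59b83fb50ae81b2f}.s3-website-us-west-3.amazonaws.com/\r\n'
  printf 'Content-Length: 0\r\n\r\n'
}

# Constructed negative sample: an ordinary same-site redirect to HTTPS.
sample_benign() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nlocation: https://futurevera.thm/\r\n\r\n'
}

# Hypothetical live wrapper: fetch the plain-HTTP headers of a hostname you own.
audit_host() {
  curl -s -i --max-time 5 "http://$1/" | s3_redirect_target
}

sample_flagged | s3_redirect_target
sample_benign | s3_redirect_target || echo "no S3 website redirect"
```

For each hit on a hostname you operate, confirm the named bucket exists in an account you control, and remove the redirect or DNS record if it does not.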