Technical Report
Detailed analysis for technical teams, covering methodologies, tools, and findings.
Technical Security Report: "TakeOver" System
Purpose of the Report
The purpose of this report is to document the methodology and findings obtained during the security assessment of the Takeover machine. The main objective was to identify weaknesses related to subdomain management and SSL certificate exposure.
Methodology
Modify local DNS resolution to access the target domain.
Perform network and service enumeration.
Identify potential subdomains through logical deduction and SSL certificate analysis.
Access internal resources exposed via misconfigured subdomains.
Detailed Findings
1. Reconnaissance
After adding futurevera.thm to the /etc/hosts file, a network scan using Nmap (-sCV -Pn -T5 -F) revealed three open ports:
22/tcp (SSH) – OpenSSH 8.x
80/tcp (HTTP) – Redirecting to HTTPS
443/tcp (HTTPS) – Web server secured with SSL
Initial browsing of https://futurevera.thm hinted at an ongoing rebuild of the support service, suggesting the possible existence of a support subdomain.
Privilege Escalation
No privilege escalation techniques were required.
However, through further manual testing:
We manually added support.futurevera.thm to the /etc/hosts file.
Upon accessing https://support.futurevera.thm, no sensitive data was immediately visible.
Inspection of the SSL certificate revealed an additional subdomain: https://secret******-support.futurevera.thm.
After adding secret******-support.futurevera.thm to /etc/hosts and browsing to https://secret******-support.futurevera.thm, we discovered a page displaying sensitive information, namely the flag, thus completing the machine's challenge.
Conclusion
The Takeover machine demonstrated how improper management of SSL certificates and subdomains can expose sensitive resources. The internal support site was inadvertently revealed through SSL certificate enumeration, representing a real-world example of data leakage due to incomplete access control and subdomain oversight.
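A pre-deployment check for the weakness described above, as an added example that is not part of the original report: it lists every DNS name in a certificate's Subject Alternative Name field and flags any that are missing from the inventory of hostnames meant to be public. The certificate dict, the inventory and the placeholder-internal hostname are constructed for illustration; the dict uses the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
"""Flag SAN entries on a public-facing certificate that are not in the public inventory."""


def _norm(name):
    # Hostnames compare case-insensitively; a trailing dot is the same name.
    return name.strip().rstrip(".").lower()


def san_dns_names(cert):
    """Sorted DNS names from a dict shaped like ssl.SSLSocket.getpeercert() output."""
    sans = cert.get("subjectAltName", ())
    return sorted({_norm(value) for kind, value in sans if kind == "DNS"})


def covered(name, approved):
    """True if name is approved exactly or by an approved single-label wildcard."""
    name = _norm(name)
    for entry in map(_norm, approved):
        if entry == name:
            return True
        # "*.example.test" covers exactly one extra left-most label.
        if entry.startswith("*.") and "." in name and not name.startswith("*"):
            if name.split(".", 1)[1] == entry[2:]:
                return True
    return False


def unexpected_sans(cert, approved):
    """DNS names the certificate would disclose that the inventory does not list."""
    return [n for n in san_dns_names(cert) if not covered(n, approved)]


# Constructed sample: one SAN names a host that was never meant to be public.
SAMPLE_CERT = {
    "subject": ((("commonName", "futurevera.thm"),),),
    "subjectAltName": (
        ("DNS", "futurevera.thm"),
        ("DNS", "Support.futurevera.thm."),
        ("DNS", "placeholder-internal.futurevera.thm"),  # constructed placeholder
        ("IP Address", "10.0.0.5"),  # constructed; non-DNS entries are skipped
    ),
}
PUBLIC_INVENTORY = ["futurevera.thm", "support.futurevera.thm"]  # constructed

if __name__ == "__main__":
    for host in unexpected_sans(SAMPLE_CERT, PUBLIC_INVENTORY):
        print("not in public inventory:", host)
```

A non-empty result means the certificate should be reissued without those names, or the internal host should get its own certificate, before it is served on the public listener.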