Write-up

Step-by-step guide on the approach taken to pwn the machine.

Objectives

  • Enumerate subdomains to identify possible security misconfigurations.

  • Analyze SSL certificates to discover additional subdomains.

  • Access exposed sensitive resources and retrieve the flag.


Reconnaissance

First, we added futurevera.thm to the /etc/hosts file to resolve the domain locally. Next, we performed a fast and aggressive port scan using:

sudo nmap -sCV -Pn -T5 -F <IP_VICTIM>

The results showed three open ports:

  • 22/tcp (SSH)

  • 80/tcp (HTTP - redirecting to HTTPS)

  • 443/tcp (HTTPS)

Since the challenge description mentions a support system being rebuilt, we guessed a likely subdomain: support.futurevera.thm. We added it to /etc/hosts manually and tried to open it in the browser.

Upon accessing https://support.futurevera.thm, the site loaded successfully but did not immediately reveal sensitive information.

At this point, we inspected the SSL certificate presented by the web server. In the Subject Alternative Name (SAN) extension of the certificate we found an additional subdomain that had not been mentioned anywhere: https://secret******-support.futurevera.thm

We then added this newly discovered subdomain to /etc/hosts and navigated to it via the browser.

Accessing https://secret******-support.futurevera.thm directly led us to a page displaying the flag, successfully completing the challenge.
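The SAN check above was done by hand in the browser. The following Go program is an added example, not part of the original write-up, that does the same audit from the defender's side: it reads the DNS names in a certificate's SAN extension and reports any that are not on the list of hostnames the organisation intends to publish, which is exactly how a name like the one above ends up discoverable. To run offline it builds a throwaway self-signed certificate with constructed SANs (the hostnames and the placeholder name are assumptions, not the real values from the box); leafCertSANs shows how the same data is pulled from a live endpoint.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"sort"
	"time"
)

// sanAudit compares the DNS SANs on a certificate with the hostnames an
// organisation actually intends to publish and returns (sorted) the ones
// that are not on that list, i.e. names that leak purely through the cert.
func sanAudit(cert *x509.Certificate, published []string) []string {
	known := make(map[string]bool, len(published))
	for _, h := range published {
		known[h] = true
	}
	var leaked []string
	for _, name := range cert.DNSNames {
		if !known[name] {
			leaked = append(leaked, name)
		}
	}
	sort.Strings(leaked)
	return leaked
}

// selfSignedWithSANs builds a throwaway self-signed certificate carrying the
// given DNS SANs so the audit can be exercised offline (constructed test data,
// not the certificate from the challenge).
func selfSignedWithSANs(cn string, sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// leafCertSANs fetches the leaf certificate presented by a live TLS endpoint
// (host:port) and returns its DNS SANs. Chain verification is skipped only
// because a lab box presents a self-signed certificate; when auditing real
// infrastructure leave verification enabled.
func leafCertSANs(addr, serverName string) ([]string, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr,
		&tls.Config{ServerName: serverName, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return nil, fmt.Errorf("no certificate presented by %s", addr)
	}
	return certs[0].DNSNames, nil
}

func main() {
	// Constructed example: the hostnames the organisation means to expose...
	published := []string{"futurevera.thm", "support.futurevera.thm"}
	// ...and a certificate that additionally carries an internal-only name
	// (placeholder, standing in for the hidden subdomain in the write-up).
	sans := []string{"futurevera.thm", "support.futurevera.thm",
		"internal-placeholder-support.futurevera.thm"}
	cert, err := selfSignedWithSANs("futurevera.thm", sans)
	if err != nil {
		panic(err)
	}
	for _, name := range sanAudit(cert, published) {
		fmt.Println("SAN not in published list:", name)
	}
}
```

The mitigation this points at is simple: issue separate certificates for internal and public hostnames rather than one multi-SAN certificate, and run an audit like sanAudit against what the edge actually serves, since the SAN list is readable by anyone who completes a TLS handshake.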
