# Write-up

### <mark style="color:purple;">Objectives</mark>

* Enumerate subdomains to identify possible security misconfigurations.
* Analyze SSL certificates to discover additional subdomains.
* Access exposed sensitive resources and retrieve the flag.

***

### <mark style="color:purple;">Reconnaissance</mark>

First, we added `futurevera.thm` to the `/etc/hosts` file to resolve the domain locally.\
Next, we performed a fast and aggressive port scan using:

```bash
sudo nmap -sCV -Pn -T5 -F <IP_VICTIM>
```

The results showed three open ports:

* 22/tcp (SSH)
* 80/tcp (HTTP - redirecting to HTTPS)
* 443/tcp (HTTPS)

Given the challenge description mentioning a rebuilding support system, we guessed a potential subdomain: `support.futurevera.thm`.\
We manually added it to `/etc/hosts` and attempted to access it via browser.

Upon accessing `https://support.futurevera.thm`, the site loaded successfully but did not immediately reveal sensitive information.

At this point, we inspected the SSL certificate used by the web server.\
By examining the **Subject Alternative Names (SAN)** section of the certificate, we identified an additional subdomain that was not initially mentioned:\
`https://secret******-support.futurevera.thm`

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXekyltqe1KmQGkB06LNIeUunGkham2NFw2waFb9m5RDf8Nz4fyeaDHTyQAKrcRvkw6bZ7rond94r8lo9Ks4c_WOX5KiviR1lVWEMEV9n2bomU9XZ81DhLSd4G8AC603E4BsWThTmA?key=1uHk5UM2we3u67VvQulF7JN8" alt=""><figcaption></figcaption></figure>

We then added this newly discovered subdomain to `/etc/hosts` and navigated to it via the browser.

Accessing `https://secret******-support.futurevera.thm` directly led us to a page displaying the flag, successfully completing the challenge.