TakeOver - TryHackMe
This machine is part of TryHackMe and is rated as an easy-level Linux challenge. While its rating suggests a straightforward box, TakeOver delivers a great hands-on introduction to SSL certificate inspection, subdomain enumeration, and host header exploitation. We’ll combine classical recon techniques with a bit of creativity to find hidden infrastructure and extract the final flag.
Let’s dive into the journey and explore the techniques used to crack TakeOver!
Recon
We start with a full TCP port scan using nmap:
nmap 10.10.220.238 -sS -sV -sC -p- -oN nmapres
Results:
Nmap results
- Port 22 (SSH) → OpenSSH 8.2p1
- Port 80 (HTTP) → Apache 2.4.41
- Port 443 (HTTPS) → Apache 2.4.41
Observations:
- HTTP (80) redirects to HTTPS.
- The SSL certificate on 443 is expired.
- The cert metadata shows:
  - CN=futurevera.thm
  - Organization: Futurevera
  - Location: Oregon, US
At this point, HTTPS appears to be the main attack surface.
Initial enumeration (Gobuster & Dirsearch)
Initial attempts with gobuster failed due to the expired SSL certificate:
gobuster dir -u https://futurevera.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words.txt > gobusterres
Error: tls: failed to verify certificate: x509: certificate has expired
To bypass this, we need to add the -k flag to ignore certificate validation:
gobuster dir -u https://futurevera.thm -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words.txt -k
Alternatively, dirsearch handles expired SSL certificates by default:
dirsearch -u https://futurevera.thm
Relevant findings:
- /assets/ and /js/ returned 200 OK responses, confirming static frontend components.
- Multiple 403 Forbidden hits on .ht* files (e.g., .htaccess.bak1, .htpasswd_test), which suggests Apache hardening but potentially leaked backup files.
- /server-status returned a 403, indicating that mod_status is enabled but access is restricted.
No sensitive files are exposed, but the server is revealing some clues about its structure.
SSL certificate analysis
Accessing https://futurevera.thm in the browser triggers a certificate warning due to expiration:
Using the “View Certificate” feature, we inspect the SSL certificate:
Unfortunately, this certificate doesn’t reveal anything useful: no Subject Alternative Names or other interesting fields.
We move forward by enumerating virtual hosts, since HTTPS-based subdomains are often served from the same IP and selected by the Host header.
Subdomain enumeration
We use ffuf with a wordlist and set the Host header manually:
ffuf -u https://10.10.220.238 \
-w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-words.txt \
-H "Host: FUZZ.futurevera.thm" -fs 4605
The -fs 4605 flag filters out responses of the default (catch-all) size to reduce noise.
Results:
- blog.futurevera.thm
- support.futurevera.thm
We add both entries to /etc/hosts for local resolution.
Inspecting support.futurevera.thm
Just like the main domain, visiting support.futurevera.thm shows another expired SSL certificate warning.
We again inspect the certificate in the browser.
This time, the certificate reveals a Subject Alternative Name (SAN) entry:
We now have a hidden subdomain!
We’ll add this subdomain to our /etc/hosts file and investigate it further.
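The browser's "View Certificate" step above can be done from the terminal; the following is an added example (not part of the original write-up) that uses openssl to pull the certificate a vhost presents and list its SAN entries. The self-signed sample certificate and the hidden-placeholder.support.futurevera.thm name are constructed for the demo and stand in for the redacted subdomain.

```shell
#!/bin/sh
# Added example, not part of the original write-up: do the browser's
# "View Certificate" step from the terminal with openssl, listing the
# Subject Alternative Names (SAN) that revealed the hidden subdomain.
set -eu

# Print one SAN DNS entry per line from a PEM certificate file.
san_names() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Exit 0 if the certificate is still valid, 1 if it has already expired
# (the box's certificates would fail this check).
cert_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Save the leaf certificate a server presents for a given SNI name, without
# validating it (an expired chain still downloads). Vhosts can serve different
# certificates, so the SNI name must match the vhost being inspected.
fetch_cert() { # fetch_cert <host-or-ip> <port> <sni-name> <out.pem>
  printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null \
    | openssl x509 -outform PEM > "$4"
}

# Constructed sample standing in for the support vhost's certificate; the
# second SAN is a placeholder for the subdomain redacted in the write-up.
make_sample_cert() { # make_sample_cert <out.pem>
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null -out "$1" \
    -days 1 -subj "/C=US/ST=Oregon/O=Futurevera/CN=support.futurevera.thm" \
    -addext "subjectAltName=DNS:support.futurevera.thm,DNS:hidden-placeholder.support.futurevera.thm" \
    2>/dev/null
}

# Offline demo on the constructed certificate; against the real box you would
# run: fetch_cert 10.10.220.238 443 support.futurevera.thm support.pem
sample=$(mktemp)
make_sample_cert "$sample"
san_names "$sample"
cert_valid "$sample" && echo "certificate still valid" || echo "certificate expired"
rm -f "$sample"
```

Requires OpenSSL 1.1.1 or later for the -addext option used to build the sample; san_names and fetch_cert work with older releases too.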
Flag captured
After identifying the hidden subdomain {redacted}.support.futurevera.thm from the SSL certificate of support.futurevera.thm, we accessed it using curl.
We were immediately redirected to an external URL containing the flag:
curl -v http://{redacted}.support.futurevera.thm
We receive an immediate HTTP 302 Found response. The response includes a Location header that contains the full URL, within which the flag is clearly visible, wrapped in flag{}:
Congratulations! I hope you found this write-up insightful. This CTF was a solid exercise in careful SSL inspection, subdomain enumeration, and host header manipulation.
TakeOver shows how misconfigured certificates or overlooked metadata can expose hidden infrastructure, which can be leveraged to access unintended resources.
Thanks for reading, and happy hacking!