Challenges: Takeover (TryHackMe)
In this Capture The Flag (CTF) challenge titled Takeover, we are tasked with assisting Futurevera, a fictional space research company, whose online infrastructure might be at risk of being compromised. The company reports that blackhat hackers have claimed they can take over parts of the site, demanding a ransom. Our goal is to investigate potential weaknesses by performing subdomain enumeration to uncover hidden or forgotten services that could be exploited.
To begin, we map the domain futurevera.thm to the provided IP address via /etc/hosts. We then perform reconnaissance using tools like nmap to identify open ports and services, and ffuf to brute-force potential subdomains. Our focus is on enumeration — a key step in ethical hacking and CTFs, which helps us discover hidden domains that may reveal the flag or sensitive access points.
Help Us
Start Machine
Hello there,
I am the CEO and one of the co-founders of futurevera.thm. In Futurevera, we believe that the future is in space. We do a lot of space research and write blogs about it. We used to help students with space questions, but we are rebuilding our support.
Recently blackhat hackers approached us saying they could takeover and are asking us for a big ransom. Please help us to find what they can takeover.
Our website is located at https://futurevera.thm
Hint: Don't forget to add the 10.10.209.47 in /etc/hosts for futurevera.thm ; )
Answer the questions below
What's the value of the flag?
flag{beea0d6edfcee06a59b83fb50ae81b2f}nano /etc/hosts
add<IP_Address> futurevera.thm
checking nmap -sC -sV <IP_Address>
# Ports Open:
22/tcp → SSH (OpenSSH 8.2p1)
80/tcp → HTTP (Apache 2.4.41)
443/tcp → HTTPS (Apache 2.4.41)
We're looking for a flag by enumerating the subdomains of futurevera.thm.
We’ll use ffuf to enumerate in order to actively discover names associated with the domain (futurevera.thm) that might reveal our flag
ffuf -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.futurevera.thm" -u https://futurevera.thm -fw 1
ffuf -c -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-110000.txt \ -H "Host: FUZZ.futurevera.thm" -u https://futurevera.thm \ -fs 1234 -fw 10 -fl 14
(some of the output)
🧠 Why is enumeration important in CTFs and pentesting?
Because subdomains:
Might be forgotten or misconfigured by developers
Can expose admin panels, test environments, APIs, etc.
May contain vulnerabilities that the main site doesn’t
🛠️ Types of Subdomain Enumeration
| Method | Description |
| Brute Force (Wordlist) | Try known words against a domain (e.g., admin, test) |
| Passive (OSINT) | Use public data, like VirusTotal, crt.sh, search engines |
| Certificate Analysis | Look at SSL certs for embedded subdomain names |
| DNS Records | Query DNS for known names (like with dig or dnsrecon) |
| VHost Fuzzing | Try subdomains in Host: headers with tools like ffuf |
adding support.futurevera.thm to the /etc/hosts
replace the /etc/hosts changes with this one:
<IP_ADDRESS> secrethelpdesk934752.support.futurevera.thm
This challenge highlights the importance of subdomain enumeration in real-world cybersecurity testing. Misconfigured or forgotten subdomains often become the weakest link in otherwise secure infrastructures. By using tools like ffuf and analyzing SSL certificates, we were able to simulate how attackers might uncover hidden assets, reinforcing why continuous monitoring and cleanup of DNS entries are essential for organizations.
