This challenge revolves around subdomain enumeration.
make sure to add the hostname to /etc/hosts before opening the site
echo 10.10.149.64 futurevera.thm >> /etc/hosts
now, we are able to view that page
try to scan DNS with nmap (quote the script glob so the shell does not expand it)
nmap -sS --script "dns-*" 10.10.149.64
nothing found from nmap, source code is the same
let's enumerate virtual hosts with ffuf over http
ffuf -w /usr/share/wordlists/dirb/common.txt -u "http://10.10.149.64" -H "Host: FUZZ.futurevera.thm" -fw 1
remember to add the subdomain it finds (portal) to /etc/hosts
echo 10.10.149.64 portal.futurevera.thm >> /etc/hosts
go to portal.futurevera.thm
enumerate again with ffuf, this time over https
ffuf -w /usr/share/wordlists/dirb/common.txt -u "https://10.10.149.64" -H "Host: FUZZ.futurevera.thm" -fw 1511
echo 10.10.149.64 blog.futurevera.thm >> /etc/hosts
echo 10.10.149.64 support.futurevera.thm >> /etc/hosts
we have a blog
and a support page
check the website's certificate
you will find a secret DNS name here
echo 10.10.149.64 secrethelpdesk934752.support.futurevera.thm >> /etc/hosts
go to http://secrethelpdesk934752.support.futurevera.thm
you will see it redirect to a website containing our flag
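
The certificate step works because every name in a certificate's subjectAltName is readable by anyone who connects. As an added example (not part of the original write-up), this shell sketch lists the DNS names in `openssl x509 -noout -ext subjectAltName` output and flags any that are missing from a list of hostnames meant to be public; the function names and the sample SAN text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which hostnames a certificate discloses.
# Live input (for a host you operate) would come from:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null 2>/dev/null \
#     | openssl x509 -noout -ext subjectAltName

# Constructed sample of that output, reusing hostnames from this write-up.
sample_san_text() {
    printf '%s\n' \
        'X509v3 Subject Alternative Name: ' \
        '    DNS:support.futurevera.thm, DNS:secrethelpdesk934752.support.futurevera.thm'
}

# san_names: read SAN text on stdin, print each DNS entry lower-cased,
# one per line, sorted and de-duplicated. Non-DNS entries are ignored.
san_names() {
    tr ',' '\n' \
      | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' \
      | tr '[:upper:]' '[:lower:]' \
      | sort -u
}

# unlisted_sans NAME...: read SAN text on stdin and print the DNS names
# that are not among the NAME arguments (the intended-public inventory).
unlisted_sans() {
    san_names | awk -v inv="$*" '
        BEGIN {
            n = split(tolower(inv), a, " ")
            for (i = 1; i <= n; i++) known[a[i]] = 1
        }
        !($0 in known)'
}

# Demo: the inventory lists only the hostnames meant to be reachable.
echo "Names disclosed by the certificate:"
sample_san_text | san_names
echo "Names not in the public inventory:"
sample_san_text | unlisted_sans portal.futurevera.thm blog.futurevera.thm support.futurevera.thm
```

Any name the second list prints is discoverable from the certificate alone, so it needs its own access control or a separate certificate rather than relying on being unguessable.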
| Flag | flag |
|---|---|
| Answer | flag{beea0d6edfcee06a59b83fb50ae81b2f} |