CTF - TakeOver - Braice-1
NMAP
I used Ffuf to enumerate the domains and found two: “blog” and “support”.
I added them to the hosts file in the same way.
Support
┌──(root㉿kali)-[~]
└─# nmap --script=ssl-cert support.futurevera.thm
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-26 23:17 -03
Nmap scan report for support.futurevera.thm (10.10.83.122)
Host is up (0.21s latency).
rDNS record for 10.10.83.122: futurevera.thm
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
| ssl-cert: Subject: commonName=support.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US
| Subject Alternative Name: DNS:secrethelpdesk934752.support.futurevera.thm
| Issuer: commonName=support.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-13T14:26:24
| Not valid after: 2024-03-12T14:26:24
| MD5: aef3dd042e6ae9196b68ac30c2d1177a
|_SHA-1: d62ec5cadbe8c933359faa67f0adf6e7e4fee395
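Added example (not part of the original write-up): a Python sketch that parses `ssl-cert` output like the scan above and lists Subject Alternative Name entries that are missing from a known-host inventory, which is how the extra hostname in the support certificate stands out. The function names, the inventory set and the trimmed sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample: trimmed ssl-cert output reusing the hostnames shown on this page.
SAMPLE = """\
Nmap scan report for support.futurevera.thm (10.10.83.122)
443/tcp open https
| ssl-cert: Subject: commonName=support.futurevera.thm/organizationName=Futurevera
| Subject Alternative Name: DNS:secrethelpdesk934752.support.futurevera.thm
| Issuer: commonName=support.futurevera.thm/organizationName=Futurevera
Nmap scan report for blog.futurevera.thm (10.10.83.122)
443/tcp open https
| ssl-cert: Subject: commonName=blog.futurevera.thm/organizationName=Futurevera
| Issuer: commonName=blog.futurevera.thm/organizationName=Futurevera
"""

REPORT = re.compile(r"^Nmap scan report for (\S+)")
SUBJECT = re.compile(r"ssl-cert: Subject:\s*commonName=([^/\s]+)")
SAN = re.compile(r"Subject Alternative Name:\s*(.+)$")

def parse_ssl_cert(text):
    """Return {scanned_host: {"cn": str or None, "san": [DNS names]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := REPORT.match(line):
            current = hosts.setdefault(m.group(1), {"cn": None, "san": []})
        elif current is None:
            continue  # script output before any host header is ignored
        elif m := SUBJECT.search(line):
            current["cn"] = m.group(1)
        elif m := SAN.search(line):
            # SAN entries are comma separated; keep only the DNS: type.
            for entry in m.group(1).split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS" and value:
                    current["san"].append(value.lower())
    return hosts


def undisclosed_names(hosts, inventory):
    """SAN names that are neither the scanned host nor in the known inventory."""
    known = {n.lower() for n in inventory}
    result = {}
    for host, cert in hosts.items():
        extra = [n for n in cert["san"] if n != host.lower() and n not in known]
        if extra:
            result[host] = extra
    return result
```

Calling `undisclosed_names(parse_ssl_cert(SAMPLE), {"blog.futurevera.thm", "support.futurevera.thm"})` reports only the support certificate, since the blog certificate carries no SAN entry.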
Blog
┌──(root㉿kali)-[~]
└─# nmap --script=ssl-cert blog.futurevera.thm -v
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-26 23:13 -03
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Initiating Ping Scan at 23:13
Scanning blog.futurevera.thm (10.10.83.122) [4 ports]
Completed Ping Scan at 23:13, 0.24s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:13
Scanning blog.futurevera.thm (10.10.83.122) [1000 ports]
Discovered open port 443/tcp on 10.10.83.122
Discovered open port 22/tcp on 10.10.83.122
Discovered open port 80/tcp on 10.10.83.122
Completed SYN Stealth Scan at 23:13, 3.31s elapsed (1000 total ports)
NSE: Script scanning 10.10.83.122.
Initiating NSE at 23:13
Completed NSE at 23:13, 0.85s elapsed
Nmap scan report for blog.futurevera.thm (10.10.83.122)
Host is up (0.21s latency).
rDNS record for 10.10.83.122: futurevera.thm
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
| ssl-cert: Subject: commonName=blog.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US/localityName=Portland/organizationalUnitName=Thm
| Issuer: commonName=blog.futurevera.thm/organizationName=Futurevera/stateOrProvinceName=Oregon/countryName=US/localityName=Portland/organizationalUnitName=Thm
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-13T10:22:57
| Not valid after: 2023-03-13T10:22:57
| MD5: 8df0656c3814dd46c6ed5371e007d0e9
| SHA-1: 6641a3bdc9f787f0bc84171abce4897b3711d28e