1
00:00:00,320 --> 00:00:06,500
In this video, we are going to solve the Takeover room from TryHackMe, which is focused on Linux subdomain

2
00:00:06,500 --> 00:00:07,460
enumeration.

3
00:00:08,750 --> 00:00:10,580
The room description is very clear.

4
00:00:10,610 --> 00:00:17,540
We are given a website and we only have to first enumerate the subdomains and then find the flag from

5
00:00:17,540 --> 00:00:18,080
there.

6
00:00:18,910 --> 00:00:22,570
And there is only one question, which is to submit the flag.

7
00:00:24,030 --> 00:00:28,620
So click on Access Machines and download your OpenVPN credentials.

8
00:00:31,140 --> 00:00:34,050
I already have my credentials on my box.

9
00:00:37,170 --> 00:00:42,480
So open the terminal and connect to the TryHackMe VPN with the sudo openvpn command.

10
00:00:50,710 --> 00:00:51,940
Now start your machine.

11
00:00:56,770 --> 00:00:59,080
It takes around a minute to start up.

12
00:01:01,600 --> 00:01:05,200
So on our Kali machine, we are connected with OpenVPN.

13
00:01:06,110 --> 00:01:08,600
Open a new tab and type in ifconfig.

14
00:01:10,320 --> 00:01:13,200
So we have a new interface with the name of tun0.

15
00:01:16,700 --> 00:01:23,390
Now the next step is to have some wordlists so that we can brute force the subdirectories and subdomains.

16
00:01:24,080 --> 00:01:27,560
You can install them with the sudo apt install command.

17
00:01:29,400 --> 00:01:31,620
I already have SecLists installed.

18
00:01:36,040 --> 00:01:41,440
So our target machine has started up. Just copy its IP address and try to ping it.

19
00:01:46,560 --> 00:01:47,850
Your target machine is up.

20
00:01:50,110 --> 00:01:52,180
Now let's scan the target with Nmap.

21
00:01:54,320 --> 00:01:56,540
-sS is for stealth scan.

22
00:01:57,200 --> 00:02:01,520
-sV is for version enumeration, and -O is for OS enumeration.

23
00:02:02,000 --> 00:02:04,680
We need to run this command with sudo privileges.

24
00:02:04,700 --> 00:02:06,080
Repeat the command with sudo.

25
00:02:10,210 --> 00:02:13,030
Now in another terminal, open your hosts file.

26
00:02:17,320 --> 00:02:20,410
Add the IP address of the machine and the domain name.

27
00:02:23,370 --> 00:02:24,270
Then save it.

28
00:02:32,630 --> 00:02:34,670
Our Nmap scan is back.

29
00:02:37,470 --> 00:02:43,020
And we can see that there are only three ports open: 22, 80 and 443.

30
00:02:44,530 --> 00:02:45,970
Now open the web browser.

31
00:02:49,370 --> 00:02:51,530
Let's visit the target website.

32
00:02:58,710 --> 00:03:01,230
So there is only a home page on the website.

33
00:03:02,320 --> 00:03:05,140
Let's try to brute force the subdomains.

34
00:03:08,320 --> 00:03:10,150
Let's first do it with gobuster.

35
00:03:10,870 --> 00:03:18,340
Just use the gobuster vhost command with the dictionary file, which is top 1 million from SecLists.

36
00:03:18,640 --> 00:03:22,270
The -k flag ignores all certificate errors, and --append-domain

37
00:03:22,300 --> 00:03:24,790
adds the domain to the wordlist entries.

38
00:03:26,010 --> 00:03:29,760
And we get two subdomains, which are blog and support.

39
00:03:32,980 --> 00:03:35,910
Now let's try to enumerate subdomains with

40
00:03:37,780 --> 00:03:37,990
ffuf.

41
00:03:37,990 --> 00:03:39,880
Use the command as shown on the screen.

42
00:03:40,770 --> 00:03:44,550
We are using the same wordlist. -H is for the Host header.

43
00:03:44,640 --> 00:03:46,980
We are getting a lot of false positives.

44
00:03:47,580 --> 00:03:52,890
Just filter these results with the -fs flag and give it a size of 4605.

45
00:03:54,430 --> 00:03:58,750
And you can see that it has also listed the blog and support subdomains.

46
00:03:59,380 --> 00:04:02,770
Let's try to enumerate the HTTP version of the website.

47
00:04:04,780 --> 00:04:08,080
Just remove the s from https and repeat the command.

48
00:04:10,130 --> 00:04:12,080
Now change the filter size to zero.

49
00:04:16,649 --> 00:04:19,140
And we get two additional subdomains.

50
00:04:26,340 --> 00:04:29,610
Now let's add these subdomains to our hosts file.

51
00:04:29,880 --> 00:04:32,400
Open your hosts file and add these.

52
00:04:42,420 --> 00:04:44,520
Let's first of all open the blog.

53
00:04:49,840 --> 00:04:53,170
If you get an error, click on Advanced and accept the risk.

54
00:04:59,010 --> 00:05:00,660
There is nothing important here.

55
00:05:01,290 --> 00:05:03,480
Let's just check its certificate.

56
00:05:06,400 --> 00:05:08,950
You can go to Security and View Certificate.

57
00:05:13,340 --> 00:05:14,990
There is nothing here as well.

58
00:05:21,790 --> 00:05:24,160
Now let's just visit the support page.

59
00:05:31,330 --> 00:05:32,830
Check its certificate.

60
00:05:40,160 --> 00:05:43,880
And you can see that we get an additional subdomain in the DNS name.

61
00:05:48,430 --> 00:05:51,160
Just visit it and you will get the flag.

62
00:05:54,800 --> 00:05:59,060
If you cannot visit the subdomain, just add the subdomain to your hosts file.

63
00:06:00,700 --> 00:06:03,010
Now just copy this flag and paste it in

64
00:06:03,010 --> 00:06:03,700
TryHackMe.

65
00:06:05,980 --> 00:06:11,980
And click submit, and we have successfully completed the Takeover room from TryHackMe.