TakeOver - Tryhackme

As the room description says that it revolves around subdomain enumeration.
We start with subdomain enumeration.
First we need to add the address (futurevera.thm) to our /etc/hosts file.

Then we perform subdomain enumeration using the tool ffuf on http protocol.

$ ffuf -u <http://futurevera.thm/> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.futurevera.thm" -fs 0   
                           
                                                                                                                                                                            
        /'___\  /'___\           /'___\                                                                                                                                     
       /\ \__/ /\ \__/  __  __  /\ \__/                                                                                                                                     
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\                                                                                                                                    
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/                                                                                                                                    
         \ \_\   \ \_\  \ \____/  \ \_\                                                                                                                                     
          \/_/    \/_/   \/___/    \/_/                                                                                                                                     

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : <http://futurevera.thm/>
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.futurevera.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 0

portal                  [Status: 200, Size: 69, Words: 9, Lines: 2, Duration: 487ms]
payroll                 [Status: 200, Size: 70, Words: 9, Lines: 2, Duration: 667ms]
[WARN] Caught keyboard interrupt (Ctrl-C)

Used the -fs flag to enumerate responses of 0 size.
Got two subdomains, and added them in the /etc/hosts file
Visited http://portal.futurevera.thm and http://payroll.futurevera.thm but nothing interesting there.

Also checked the certificates but got nothing interesting.
Then performed subdomain enumeration with the https protocol.

But it was giving many responses with same response size i.e. 4605.
Hence, used response filter and again run the command.

$ ffuf -u <https://10.10.203.180/> -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.futurevera.thm" -fs 4605

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : <https://10.10.203.180/>
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.futurevera.thm
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 4605
________________________________________________

support                 [Status: 200, Size: 1522, Words: 367, Lines: 34, Duration: 1431ms]
blog                    [Status: 200, Size: 3838, Words: 1326, Lines: 81, Duration: 416ms]

Got two subdomains and added them in /etc/hosts file.