back

 ·  1 min read

THM - TakeOver

Task 1: Help Us

Hello there,

I am the CEO and one of the co-founders of futurevera.thm. In Futurevera, we believe that the future is in space. We do a lot of space research and write blogs about it. We used to help students with space questions, but we are rebuilding our support.

Recently blackhat hackers approached us saying they could takeover and are asking us for a big ransom. Please help us to find what they can takeover.

Our website is located at https://futurevera.thm

Hint: Don’t forget to add the 10.48.130.209 in /etc/hosts for futurevera.thm ; )

Lets start- Starting with basic nmap scan against the target:

image

[!Breakdown] The command nmap 10.48.130.209 -oN nmapResult.txt performs a basic Nmap scan on the target IP address 10.48.130.209 and saves the results to a file named nmapResult.txt.

  • nmap 10.48.130.209: Runs the default scan, checking the 1,000 most common TCP ports on host 10.48.130.209 (likely the futurevera.thm machine from context).

  • -oN nmapResult.txt: Outputs results in “normal” human-readable format to that text file (same as screen output, plus scan command details at top). Screen still shows live results.

In the statement of the room, we are told the company is rebuilding their support. They may have a subdomain named support. Let’s add it to /etc/hosts, and see what we can find on this subdomain :

[!Breakdown]

The /etc/hosts file is a plain text configuration file on Linux/Unix systems used for local hostname resolution. It maps IP addresses to hostnames (or domain names), allowing your machine to resolve names directly without querying a DNS server. This is checked before DNS lookups, making it ideal for testing local servers, subdomains, or bypassing DNS in pentesting scenarios like TryHackMe rooms

image

add 10.48.130.209 futurevera.thm support.futurevera.thm

image

save and go the the browser and browse support.futurevera.thm

image

on the DNS Name there is an alternative subdomain and view certificate. Lets open the link:

image

we found the flag.

For more knowledge on subdomain takeover, some referance links (collected) :

Copyright © 2026 Mahidul Haque. This post is licensed under a CC BY-NC-ND 4.0 license. You may read, learn, and share links to this post for non‑commercial, educational purposes, as long as you give appropriate attribution. You may not copy, reproduce, adapt, distribute, or use this work commercially without explicit permission.