TryHackMe Takeover – Easy Subdomain Takeover Walkthrough

Lab Name: TakeOver
Platform: TryHackMe
Difficulty: Easy
Topic: Subdomain Enumeration & Subdomain Takeover


Overview

The TakeOver room on TryHackMe is an easy challenge that focuses on subdomain enumeration and identifying a subdomain takeover vulnerability. The lab mainly revolves around discovering hidden subdomains and analyzing SSL/TLS certificate data to uncover sensitive information.


Subdomain Enumeration

Initially, I tried using subfinder, but it did not return any useful results for this lab.
So, I switched to ffuf along with the SecLists wordlist.

Tool Used

👉 ffuf

👉 SecLists GitHub repository

👉 (subdomains-top1million-5000.txt)

ffuf Command

ffuf -u https://10.49.174.171 \
  -w /home/kali/Downloads/subdomains-top1million-5000.txt \
  -H "Host: FUZZ.futurevera.thm" \
  -fs 4605

Discovered Subdomains

👉 blog.futurevera.thm

👉 support.futurevera.thm


Update /etc/hosts File

To access the discovered subdomains, add them to the hosts file.

echo "10.49.174.171 futurevera.thm" | sudo tee -a /etc/hosts
echo "10.49.174.171 blog.futurevera.thm support.futurevera.thm" | sudo tee -a /etc/hosts

SSL/TLS Certificate Analysis

Connecting to the subdomains with OpenSSL reports an SSL/TLS certificate issue.
To work around this, we can inspect the certificate itself with Nmap's ssl-cert script.

Nmap Commands

nmap -p 443 --script ssl-cert blog.futurevera.thm
nmap -p 443 --script ssl-cert support.futurevera.thm

Interesting Finding

From the SSL certificate, the Subject Alternative Name (SAN) revealed:

DNS: secrethelpdesk934752.support.futurevera.thm

Finding the Flag

Open the discovered subdomain in the browser or use curl.

Using Browser

http://secrethelpdesk934752.support.futurevera.thm

This redirects to:

http://flag{0000000000000000000000000000000000}.s3-website-us-west-3.amazonaws.com/

Using curl

curl -i http://secrethelpdesk934752.support.futurevera.thm

Response

HTTP/1.1 302 Found
Date: Mon, 05 Jan 2026 13:51:06 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://flag{0000000000000000000000000000000000}.s3-website-us-west-3.amazonaws.com/
Content-Type: text/html; charset=UTF-8

🎉 Flag Successfully Retrieved!
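
The two signals this lab relies on, a hostname that only shows up in a certificate SAN and a 302 into an S3 static-website endpoint, are also what a domain owner can audit for on their own estate. The Python below is an added example, not part of the original walkthrough; the sample ssl-cert output, the response, the inventory set and the bucket name example-helpdesk-bucket are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# S3 static-website endpoints: <bucket>.s3-website-<region> or <bucket>.s3-website.<region>
S3_WEBSITE = re.compile(r"^(?P<bucket>.+)\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")

# Constructed samples modelled on the output shown in this walkthrough.
SSL_CERT_OUTPUT = """\
443/tcp open  https
| ssl-cert: Subject: commonName=support.futurevera.thm
| Subject Alternative Name: DNS:secrethelpdesk934752.support.futurevera.thm
"""
RESPONSES = {
    "secrethelpdesk934752.support.futurevera.thm": (
        "HTTP/1.1 302 Found\r\n"
        "Location: http://example-helpdesk-bucket.s3-website-us-west-3.amazonaws.com/\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n\r\n"
    ),
}
INVENTORY = {"futurevera.thm", "blog.futurevera.thm", "support.futurevera.thm"}

def san_names(ssl_cert_output):
    """DNS names listed on the 'Subject Alternative Name' line of ssl-cert output."""
    names = []
    for line in ssl_cert_output.splitlines():
        if "Subject Alternative Name:" in line:
            names += re.findall(r"DNS:\s*([^,\s]+)", line)
    return [n.lower() for n in names]

def redirect_target(raw_response):
    """(status code, host named in the Location header or None) of a raw response."""
    lines = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0].splitlines()
    status = int(lines[0].split()[1])
    headers = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
    location = headers.get("location")
    return status, urlsplit(location).hostname if location else None

def audit(ssl_cert_output, inventory, responses):
    """Names the certificate exposes beyond the inventory, and redirects into S3 website buckets."""
    findings = [("san-not-in-inventory", n, None) for n in san_names(ssl_cert_output) if n not in inventory]
    for host, raw in responses.items():
        status, target = redirect_target(raw)
        match = S3_WEBSITE.match(target or "")
        if 300 <= status < 400 and match:
            # Owner action: confirm the bucket is still claimed, or remove the redirect.
            findings.append(("redirects-to-s3-website", host, match.group("bucket")))
    return findings

print(audit(SSL_CERT_OUTPUT, INVENTORY, RESPONSES))
```

A host that redirects to a bucket name the organization no longer controls is the dangling reference behind a takeover, so each "redirects-to-s3-website" finding should be resolved by verifying bucket ownership or retiring the hostname.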


Conclusion

This lab is a great introduction to:

👉 Subdomain fuzzing

👉 Virtual host discovery

👉 SSL certificate enumeration

👉 Real-world subdomain takeover concepts

Highly recommended for beginners in web exploitation and bug bounty hunting 🚀
