HackTheBox - Information Gathering - Web Edition - Skills Assessment Walkthrough


Scenario
To complete the skills assessment, answer the questions below. You will need to apply a variety of skills learned in this module, including:
Using whois
Analysing robots.txt
Performing subdomain bruteforcing
Crawling and analysing results
Demonstrate your proficiency by effectively utilizing these techniques. Remember to add subdomains to your hosts file as you discover them.
Walkthrough
Target system - 94.237.61.242:44022
Domain - inlanefreight.htb
Before we start, add the domain and its IP address to the /etc/hosts file:
sudo sh -c 'echo "94.237.61.242 inlanefreight.htb">> /etc/hosts'
Q1 - What is the IANA ID of the registrar of the inlanefreight.htb domain?
Solution:
Just run:
whois inlanefreight.com
Q2 - What http server software is powering the inlanefreight.htb site on the target system? Respond with the name of the software, not the version, e.g., Apache.
Solution:
Let’s use curl:
curl -I http://inlanefreight.htb:44022
And we will get:
Q3 - What is the API key in the hidden admin directory that you have discovered on the target system?
Solution:
We need to find an API key that is in a hidden admin directory. To do that, we need to fuzz directories on inlanefreight.htb:
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://inlanefreight.htb:44022/FUZZ
No results, even when using other directory wordlists.
The next step is to find subdomains, which may also contain hidden directories.
I’ll use two methods: subdomain fuzzing and virtual host (vhost) fuzzing - both with ffuf.
First, subdomain fuzzing:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://FUZZ.inlanefreight.htb:44022/
No results.
Next, vhost fuzzing:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://inlanefreight.htb:44022/ -H "Host: FUZZ.inlanefreight.htb"
It looks like there are many results, but they're just default responses from the domain when the Host header contains a non-existent subdomain. Let's add -fs 120 to filter out responses of that size:
We successfully discovered a subdomain: web1337.inlanefreight.htb!
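The default-response noise that -fs 120 filters out is exactly what a defender sees in the access log when someone fuzzes the Host header: one client, many hostnames the server does not serve, all answered with the same small catch-all page. As an added example (not part of the original post), this Python script parses a constructed Apache-style access log whose LogFormat begins with the Host header, flags clients that requested several unknown hostnames, and reports the catch-all response size; the log lines, the 10.0.0.x client addresses and the KNOWN_HOSTS set are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access log (not from the original post). Assumes an
# Apache-style LogFormat beginning with "%{Host}i", so each line reads:
# host client_ip ident user [time] "request" status size
SAMPLE_LOG = """\
inlanefreight.htb 10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 2048
mail.inlanefreight.htb 10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 120
www2.inlanefreight.htb 10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 120
ftp.inlanefreight.htb 10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 120
web1337.inlanefreight.htb 10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 3310
web1337.inlanefreight.htb 10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /robots.txt HTTP/1.1" 200 57
"""

# Hostnames the server legitimately serves (the three found in the walkthrough).
KNOWN_HOSTS = {"inlanefreight.htb", "web1337.inlanefreight.htb", "dev.web1337.inlanefreight.htb"}

LOG_RE = re.compile(r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$')

def parse_log(text):
    """Parse lines into dicts; malformed lines are skipped and a '-' size becomes 0."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["host"] = e["host"].lower()
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        entries.append(e)
    return entries

def find_vhost_fuzzers(entries, known_hosts=KNOWN_HOSTS, threshold=3):
    """Map client IP -> sorted unknown Host values, for clients that requested at
    least `threshold` distinct hostnames the server does not serve."""
    unknown = defaultdict(set)
    for e in entries:
        if e["host"] not in known_hosts:
            unknown[e["ip"]].add(e["host"])
    return {ip: sorted(h) for ip, h in unknown.items() if len(h) >= threshold}

def default_response_size(entries, known_hosts=KNOWN_HOSTS):
    """Most common body size served to unknown hosts: the catch-all vhost reply that
    ffuf filters with -fs (120 bytes in the walkthrough). None if none were seen."""
    sizes = Counter(e["size"] for e in entries if e["host"] not in known_hosts)
    return sizes.most_common(1)[0][0] if sizes else None
```

The same approach works on real logs once the Host header is part of the LogFormat; a hostname that does show up in an unknown-host request with a different size than the catch-all reply is the one worth looking at, since it is what the -fs filter would have surfaced to the attacker.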
Add it to /etc/hosts:
sudo sh -c 'echo "94.237.61.242 web1337.inlanefreight.htb">> /etc/hosts'
Now, run directory fuzzing on the discovered subdomain:
ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ -u http://web1337.inlanefreight.htb:44022/FUZZ
Found two files: index.html and robots.txt (the latter is a common file found on most websites).
Let’s navigate to each of them:
We found a hidden admin directory listed in robots.txt!
Let’s use curl:
And we found the API key!
Q4 - After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
Solution:
First download and install scrapy and ReconSpider.py.
To find the email address, we’ll crawl both http://inlanefreight.htb:44022 and http://web1337.inlanefreight.htb:44022:
python3 ReconSpider.py http://inlanefreight.htb:44022
python3 ReconSpider.py http://web1337.inlanefreight.htb:44022
Both results.json files are empty:
Since we haven’t found anything yet, we need to explore further. Let’s check the subdomains of http://web1337.inlanefreight.htb:44022.
Using the same methods as before, we’ll start with subdomain fuzzing:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://FUZZ.web1337.inlanefreight.htb:44022/
No results.
Next, we’ll perform vhost fuzzing:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://web1337.inlanefreight.htb:44022/ -H "Host: FUZZ.web1337.inlanefreight.htb"
Again, add -fs 120 to filter out invalid results:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://web1337.inlanefreight.htb:44022/ -H "Host: FUZZ.web1337.inlanefreight.htb" -fs 120
And we found a new subdomain: http://dev.web1337.inlanefreight.htb:44022!
Make sure to add this subdomain to your /etc/hosts file:
sudo sh -c 'echo "94.237.61.242 dev.web1337.inlanefreight.htb">> /etc/hosts'
Next, crawl the new subdomain:
python3 ReconSpider.py http://dev.web1337.inlanefreight.htb:44022
And we found the email address! 🎉
Q5 - What is the API key the inlanefreight.htb developers will be changing to?
Solution:
If we continue examining the results.json file from crawling the subdomain http://dev.web1337.inlanefreight.htb:44022, we can also notice something near the bottom:
We found the API key that the developer plans to change!