HackTheBox - Information Gathering - Web Edition - Skills Assessment Walkthrough

Ido Abramov
3 min read

Scenario

To complete the skills assessment, answer the questions below. You will need to apply a variety of skills learned in this module, including:

  • Using whois

  • Analysing robots.txt

  • Performing subdomain bruteforcing

  • Crawling and analysing results

Demonstrate your proficiency by effectively utilizing these techniques. Remember to add subdomains to your hosts file as you discover them.

Walkthrough

Target system - 94.237.61.242:44022

Domain - inlanefreight.htb

Before we start, add the domain and its IP address to the /etc/hosts file:

sudo sh -c 'echo "94.237.61.242 inlanefreight.htb">> /etc/hosts'

Q1 - What is the IANA ID of the registrar of the inlanefreight.htb domain?

Solution:

Since .htb is not a public TLD, query whois for the real inlanefreight.com domain instead:

whois inlanefreight.com

Q2 - What http server software is powering the inlanefreight.htb site on the target system? Respond with the name of the software, not the version, e.g., Apache.

Solution:

Let’s use curl:

curl -I http://inlanefreight.htb:44022

The response headers include a Server header that names the software:

Q3 - What is the API key in the hidden admin directory that you have discovered on the target system?

Solution:

We need to find an API key stored in a hidden admin directory. To do that, we first fuzz directories on inlanefreight.htb:

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://inlanefreight.htb:44022/FUZZ

No results, even when using other directory wordlists.

The next step is to find subdomains, which may also contain hidden directories.

I’ll use two methods: subdomain fuzzing and virtual host (vhost) fuzzing - both with ffuf.

First, subdomain fuzzing:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://FUZZ.inlanefreight.htb:44022/

No results.

Next, vhost fuzzing:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://inlanefreight.htb:44022/ -H "Host: FUZZ.inlanefreight.htb"

It looks like there are many results, but they're just the default response the server returns when the Host header names a non-existent subdomain. They all have the same response size, so let's filter them out with -fs 120:

We successfully discovered a subdomain: web1337.inlanefreight.htb!

Add it to /etc/hosts:

sudo sh -c 'echo "94.237.61.242 web1337.inlanefreight.htb">> /etc/hosts'

Now, run directory fuzzing on the discovered subdomain:

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt:FUZZ -u http://web1337.inlanefreight.htb:44022/FUZZ

Found two files: index.html and robots.txt (the latter is a common file on most websites).

Let’s navigate to each of them:

We found a hidden admin directory listed in robots.txt!

Let’s use curl:

And we found the API key!
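As an added example (not part of the original walkthrough or the HTB module), a small Python script that reproduces two of the above steps offline: it derives the "default vhost" response size from a set of probe results instead of hard-coding -fs 120, and it extracts Disallow paths from a robots.txt body. All sample data is constructed, and the admin path is a placeholder rather than the one on the box.

```python
from collections import Counter

# Constructed sample of vhost probe results: (Host header sent, status, body size).
# Most probes get the server's default page (here 200 / 120 bytes); that is the
# noise the walkthrough filters with "-fs 120". The 1234-byte size is made up.
SAMPLE_VHOST_RESPONSES = [
    ("www.inlanefreight.htb", 200, 120),
    ("mail.inlanefreight.htb", 200, 120),
    ("ftp.inlanefreight.htb", 200, 120),
    ("web1337.inlanefreight.htb", 200, 1234),
    ("dev.inlanefreight.htb", 200, 120),
    ("admin.inlanefreight.htb", 200, 120),
]

def baseline(responses):
    """Most common (status, size) pair: the default 'unknown vhost' response.
    Deriving it from the data is what ffuf's -ac does, instead of eyeballing -fs."""
    return Counter((status, size) for _, status, size in responses).most_common(1)[0][0]

def interesting_vhosts(responses):
    """Hosts whose (status, size) differs from the baseline: the real candidates."""
    base = baseline(responses)
    return [host for host, status, size in responses if (status, size) != base]

def robots_disallowed(robots_txt):
    """Disallow paths from a robots.txt body; comments stripped, keys case-insensitive."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key.lower() == "disallow" and value:
            paths.append(value)
    return paths

# Constructed robots.txt; the admin path is a placeholder, not the one on the box.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /placeholder_admin_dir/   # hidden admin directory
Disallow: /tmp/
Allow: /public/
"""

if __name__ == "__main__":
    print("candidate vhosts:", interesting_vhosts(SAMPLE_VHOST_RESPONSES))  # ['web1337.inlanefreight.htb']
    print("robots.txt disallows:", robots_disallowed(SAMPLE_ROBOTS))  # ['/placeholder_admin_dir/', '/tmp/']
```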

Q4 - After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.

Solution:

First, install scrapy and download ReconSpider.py.

To find the email address, we’ll crawl both http://inlanefreight.htb:44022 and http://web1337.inlanefreight.htb:44022:

python3 ReconSpider.py http://inlanefreight.htb:44022

python3 ReconSpider.py http://web1337.inlanefreight.htb:44022

Both results.json files are empty:

Since we haven’t found anything yet, we need to explore further. Let’s check the subdomains of http://web1337.inlanefreight.htb:44022.

Using the same methods as before, we’ll start with subdomain fuzzing:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://FUZZ.web1337.inlanefreight.htb:44022/

No results.

Next, we’ll perform vhost fuzzing:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://web1337.inlanefreight.htb:44022/ -H "Host: FUZZ.web1337.inlanefreight.htb"

Again, add -fs 120 to filter out invalid results:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://web1337.inlanefreight.htb:44022/ -H "Host: FUZZ.web1337.inlanefreight.htb" -fs 120

And we found a new subdomain: http://dev.web1337.inlanefreight.htb:44022!

Make sure to add this subdomain to your /etc/hosts file:

sudo sh -c 'echo "94.237.61.242 dev.web1337.inlanefreight.htb">> /etc/hosts'

Next, crawl the new subdomain:

python3 ReconSpider.py http://dev.web1337.inlanefreight.htb:44022

And we found the email address! 🎉

Q5 - What is the API key the inlanefreight.htb developers will be changing to?

Solution:

If we continue examining the results.json file from crawling the subdomain http://dev.web1337.inlanefreight.htb:44022, we can also notice something near the bottom:

We found the API key that the developer plans to change!
