Skills Assessment - Information Gathering - HackTheBox.

This module equips learners with essential web reconnaissance skills, crucial for ethical hacking and penetration testing. It explores both active and passive techniques, including DNS enumeration, web crawling, analysis of web archives and HTTP headers, and fingerprinting web technologies.

Link to the module

Information Gathering - Skills Assessment

To complete the skills assessment, answer the questions below. You will need to apply a variety of skills learned in this module, including:

  • Using whois
  • Analysing robots.txt
  • Performing subdomain bruteforcing
  • Crawling and analysing results

Demonstrate your proficiency by effectively utilizing these techniques. Remember to add subdomains to your hosts file as you discover them.

Questions

  • What is the IANA ID of the registrar of the inlanefreight.com domain?

┌──(alan㉿kali)-[~/Documents/]
└─$ whois inlanefreight.com

  • What http server software is powering the inlanefreight.htb site on the target system? Respond with the name of the software, not the version, e.g., Apache.

┌──(alan㉿kali)-[~/Documents/]
└─$ curl -I 83.136.253.59:50288

  • What is the API key in the hidden admin directory that you have discovered on the target system?

After adding the domain to /etc/hosts, we start scanning with:
┌──(alan㉿kali)-[~/Documents/]
└─$ gobuster vhost -u http://inlanefreight.com -w '/home/alan/Downloads/lists/subdomains-top1million-110000.txt' --append-domain

We get one result and scan that one in the same way. In the next result we find a robots.txt whose Disallow entry points at the hidden admin panel.

We use curl web1337.inlanefreight.htb:50288/*ADMIN-PANEL-FOUND*/ to get the API key.

  • After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.

A curl request to dev.web1337.inlanefreight.htb:50288/index.html shows us that there’s a link to an index-334.html file. In that one there’s another link, and so on. I started crawling with Burp, but then ended up using Intruder to brute force all the valid domains, and a regex search to get the email address.

  • What is the API key the inlanefreight.htb developers will be changing to?

Same as before, the regex search was used to get the API key.
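The last two answers come from the same crawl-and-grep loop: follow the chain of linked index pages and run a regex over every page fetched. The following is an added example, not code from the writeup or from the HTB module: a small stdlib-only Python crawler that follows same-host links breadth-first, guards against the chain looping back on itself, and collects email addresses and API-key strings from each page. The host dev.example.htb, the page names, the key format and the fetch-function injection are all assumptions, and the site it runs against is a constructed in-memory sample so the code works offline.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Assumed shape of the key string on the sample site: "API key: <16+ alphanumerics>".
API_KEY_RE = re.compile(r"(?i)api[_ -]?key\W+([A-Za-z0-9]{16,})")

class LinkExtractor(HTMLParser):
    """Collects href targets of <a> tags in one page."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def crawl(start_url, fetch, max_pages=500):
    """Follow same-host links breadth-first from start_url, grepping each page.
    fetch(url) returns the HTML or None; injecting it lets the crawl run offline."""
    host = urlparse(start_url).netloc
    queue, seen = [start_url], {start_url}
    emails, keys = set(), set()
    while queue and len(seen) <= max_pages:
        url = queue.pop(0)
        body = fetch(url)
        if body is None:
            continue
        emails.update(EMAIL_RE.findall(body))
        keys.update(API_KEY_RE.findall(body))
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            nxt = urljoin(url, href)
            # stay on the target host and never revisit: the chain of index pages may loop
            if urlparse(nxt).netloc == host and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen), sorted(emails), sorted(keys)

# Constructed sample site imitating the chained index-*.html pages (not the real target).
BASE = "http://dev.example.htb:50288/"
SAMPLE_SITE = {
    BASE + "index.html": '<a href="index-334.html">next</a>',
    BASE + "index-334.html": '<a href="/index-7.html">more</a><a href="index.html">home</a>',
    BASE + "index-7.html": 'Contact <a href="mailto:dev@example.htb">dev@example.htb</a>'
                           '<!-- TODO: new API key: EXAMPLEKEY0123456789 -->',
}

def crawl_sample():
    return crawl(BASE + "index.html", SAMPLE_SITE.get)
```

Against a live target, replace `SAMPLE_SITE.get` with a function that performs the HTTP GET and returns the body text; the mailto: link is dropped by the same-host check but its address is still picked up by the regex.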