Attacking Common Applications, Skills Assessment II

“What is the URL of the third vhost?”

I was able to identify two additional vhosts, one for the blog and other running an alternative version of the inlanefreight website. However, both are not connected to the application in the next question, which I could locate via directory brute forcing.

Any hints how to locate the third vhost?

Furthermore, I have tried brute-forcing the admin password for the webform without success. Am I on the right track with that approach?

Search the GitLab carefully. Then you will find the answers to your questions.
You probably won’t be able to bruteforce the password.

Yes, I went through Gitlab one more time and already found it!
The could also locate all the vhosts via brute forcing. Many thanks!