Information gathering - web edition

Hi guys, I need some help to solve and answer the last question of the Skills Assessment of INFORMATION GATHERING - WEB EDITION. I tried everything and didn’t find the correct answer. I tried ffuf and gobuster subdomain enumeration with the following syntax:

For gobuster I used a pattern:

 gobuster dns -q -r "dns1.p08.nsone.net" -d "githubapp.com" -w "~/seclist/fuzzing/1-4_all_letters_a-z.txt" -p ./patterns.txt -o "gobuster_subdomain.txt"

And the pattern I used is:

glb-{GOBUSTER}-public-internal.githubapp.com

For ffuf I used the following syntax:

ffuf -w ~/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.githubapp.com -t 90 

With ffuf I found some subdomains, but none of these subdomains is the answer. I don’t know if I’m using the wrong wordlist, or whether the pattern I guessed is wrong too. I’m exhausted from trying to find the correct answer without success. If anyone knows where I failed, please tell me.
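An added example (mine, not any poster’s or gobuster’s code) of how a `-p` pattern file turns a wordlist into candidate names, assuming the substitute-then-append order in which each word replaces `{GOBUSTER}` and the `-d` domain is then appended. With constructed inputs it shows two things a practitioner would check before blaming the tool: a pattern that already ends in the apex domain produces names ending in `githubapp.com.githubapp.com`, and a keyword can only turn up if some wordlist entry actually contains it.

```python
# Placeholder used by gobuster's -p/--pattern option (as shown in the thread).
PLACEHOLDER = "{GOBUSTER}"


def expand_patterns(words, patterns, domain):
    """Compose fully-qualified candidates the way a pattern-based DNS
    brute-forcer does (assumption: each word is substituted for the
    placeholder, then '.<domain>' is appended to every expanded word).
    The bare word is kept as a candidate as well."""
    candidates = []
    for word in words:
        candidates.append(f"{word}.{domain}")
        for pattern in patterns:
            if PLACEHOLDER not in pattern:
                raise ValueError(f"pattern lacks {PLACEHOLDER}: {pattern!r}")
            candidates.append(f"{pattern.replace(PLACEHOLDER, word)}.{domain}")
    return candidates


def doubled_suffix(names, domain):
    """Candidates whose pattern already carried the apex domain, so the
    appended suffix left them ending in '<domain>.<domain>' (never resolvable)."""
    return [n for n in names if n.endswith(f".{domain}.{domain}")]


def containing(names, keyword):
    """Candidates that contain the keyword the assessment asks about."""
    return [n for n in names if keyword in n.lower()]


# Constructed sample inputs: a tiny stand-in wordlist and the two pattern
# variants (the thread's pattern embeds the domain; the second does not).
WORDS = ["aa", "ab", "elephants"]
BAD_PATTERN = "glb-{GOBUSTER}-public-internal.githubapp.com"
GOOD_PATTERN = "glb-{GOBUSTER}-public-internal"

if __name__ == "__main__":
    bad = expand_patterns(WORDS, [BAD_PATTERN], "githubapp.com")
    good = expand_patterns(WORDS, [GOOD_PATTERN], "githubapp.com")
    print(len(doubled_suffix(bad, "githubapp.com")), "candidates with a doubled suffix")
    print(containing(good, "elephants"))
```

Note that a wordlist of 1-4 letter strings can never yield a nine-letter label like “elephants”, whichever pattern is used; the candidate set is only as good as the wordlist.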

Are you looking for a subdomain or a vhost? Ffuf vhost syntax is different…

I’m looking for a subdomain; for more context, this is the question I want to answer:
“Perform active subdomain enumeration against the target githubapp.com. Which subdomain has the word ‘elephants’ in the name?”

As I said, I performed a subdomain enumeration with gobuster and ffuf, with the syntax I showed earlier. But none of the subdomains I found with this enumeration is the answer, and I haven’t seen any subdomain with the word “elephants” in its name. I even performed vhost enumeration, but the result is the same as the subdomain enumeration. I have no idea what I’m doing wrong, whether it is the syntax or the wordlist. I really need some help with this; I’ve been stuck on this question for 2 days.

Hey! I had trouble with this one as well, I think I ended up using a passive approach because the active one didn’t work even with Sublist3r. DM me if you have trouble with it.

-onthesauce

Did anyone get the third question? I’m using dig and I got the CNAME. When I dig that I get an IP address that takes me to a page that doesn’t function. Anyone who has finished the module, do you have any hints?

I tried every tool discussed, including Sublist3r and subscraper and still nothing.

A friend suggested trying https://subdomainfinder.c99.nl/

I would love to know how others accomplished this with the tools discussed.


Hey man, thanks for this!! I literally tried everything from the module/hints and even some outside tools that I have from GitHub. Nothing seemed to work except this.

I will share my experience!
The module is very interesting and practical.
There was a difficult moment on “Active Subdomain Enumeration”
But then everything went smoothly (thanks a lot - onthesauce)
I was waiting for big problems on “Skills Assessment”, but it turned out to be much clearer than expected!!!

Thanks @digitalohm, I have solved the last question with “https://subdomainfinder.c99.nl/”. At first I used the “sublist3r” tool and it didn’t work, but after several attempts it worked and I got the same results as using “https://subdomainfinder.c99.nl/”.
