Information gathering - web edition

0xh4rtz · January 10, 2022, 11:59pm

Hi guys, I need some help to solve and answer the last question of the Skills Assessment of INFORMATION GATHERING - WEB EDITION. I trying anything and don’t found the correct answer, I tried with ffuf and gobuster subdomain enum, with the next syntax:

For gobuster I used for a some pattern:

 gobuster dns -q -r "dns1.p08.nsone.net" -d "githubapp.com" -w "~/seclist/fuzzing/1-4_all_letters_a-z.txt" -p ./patterns.txt -o "gobuster_subdomain.txt"

And the pattern I used is:

glb-{GOBUSTER}-public-internal.githubapp.com

For ffuf I used the next syntax:

ffuf -w ~/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.githubapp.com -t 90

With ffuf I found some subdomians but, none one of this subdomains is the answer. I don’t know if I using the wrong wordlist or even the patter I guess is wrong too. I’m so exahust to try found the correct answer without success. If anyone know where I failed pls telling me.

sirius3000 · January 11, 2022, 10:16am

Are you looking for a subdomain or a vhost? Ffuf vhost syntax is different…

0xh4rtz · January 11, 2022, 10:16pm

I’m looking a subdomain, for more context, this is the question which I want to respond:
“Perform active subdomain enumeration against the target githubapp.com. Which subdomain has the word ‘elephants’ in the name?”

As I said, I perfomed a subdomain enumaration with gobuster and ffuf, with the next syntax that I showed earlier. But the subdomians that I found with this enumeration, none one is the answer and don’t seen any subdomain with the word “elephants” on their name. Even I performed vhost enum, but the result is the same that the subdomain enumeration. I don’t have idea what I doing wrong, if is the syntax or is the word list. Really need a some help with this, I’m stuck for 2 days with this question.

onthesauce · January 12, 2022, 3:29pm

Hey! I had trouble with this one as well, I think I ended up using a passive approach because the active one didn’t work even with Sublist3r. DM me if you have trouble with it.

-onthesauce

QuickFix914 · May 9, 2022, 7:31pm

Did anyone get the third question? I’m use dig and I got the CNAME. When I dig that I get an IP address that takes me to a page that doesn’t function. Anyone that has finished the module do you have any hints?

digitalohm · May 12, 2022, 3:17pm

I tried every tool discussed, including Sublist3r and subscraper and still nothing.

A friend suggested trying https://subdomainfinder.c99.nl/

I would love to know how others accomplished this with the tools discussed.

skiddie762 · June 4, 2022, 3:14pm

hey man thanks for this!! I literally tried everything from the module/hints and even some outside tools that i have from github. Nothing seemed to work except this.

Darcia · June 27, 2022, 2:58pm

I will share my experience!
The module is very interesting and practical.
There was a difficult moment on “Active Subdomain Enumeration”
But then everything went smoothly (thanks a lot - onthesauce)
I was waiting for big problems on “Skills Assessment”, but it turned out to be much clearer than expected!!!)

Ezi0 · July 23, 2022, 7:42pm

Thanks @digitalohm, I have solved the last question with “https://subdomainfinder.c99.nl/”. At first I used the “sublist3r” tool and it didn’t work, but after several attempts it worked and I got the same results as using “https://subdomainfinder.c99.nl/”.

johnnyvims · September 20, 2022, 2:14am

If you are working on this and still cant get the answer use @digitalohm solution. (https://subdomainfinder.c99.nl/) but use the “More scans of githubapp.com” at the bottom, and select a date before his post.

likid · October 11, 2022, 9:39pm

Thank you! Excellent website. You’re great Man!

Mr_Pachin · October 25, 2022, 3:13pm

Really thanks for this… try lot of webs and tools. This help me with the last question. Thanks again.

BryRam7219 · February 2, 2023, 1:49am

I’m having issues with the DNS section. It says to find which IP address maps to paydiant.com? I’ve tried everything and all I can find are two addresses that appear to be email addresses. MX1 and MX2. They have their own IP addresses but neither of them are the answer. Any help would be greatly appreciated.

Dareck · February 2, 2023, 12:56pm

Hey, I had the same problem just now, it seems that the site is down. I’ve found the IP by using online tools allowing you to search for old records for a given domain name.

BryRam7219 · February 2, 2023, 10:05pm

Thanks for letting me know. I’ve checked about 15 to 20 different sites and I still can’t find the IP address. Any hints on where I might look for it?

BryRam7219 · February 4, 2023, 2:48am

Never mind. I found it. Thank you again for your suggestion.

AlphaCoding · February 4, 2023, 5:13am

It seems that PAYDIANT.com is down or something. So I had to search all over the internet for the answer of the first question.
I used this link:
Subdomain Finder scan of Paydiant.com - C99.nl
Go down until you reach the part of IP and Count and try the ips there.
One of those is the answer.

lefanzizou · March 15, 2023, 11:17pm

Try TheHarvester.

tteh · August 16, 2023, 7:49pm

use crt.sh you’ll be able to “find” what you are looking for.

H1v3 · February 13, 2024, 6:40pm

Same I was stressing out about the Active enumeration and Forgot about the Passive one!