Information gathering - web edition

Hi guys, I need some help to solve and answer the last question of the Skills Assessment of INFORMATION GATHERING - WEB EDITION. I have tried everything and haven't found the correct answer. I tried subdomain enumeration with ffuf and gobuster, with the following syntax:

For gobuster I used a pattern:

gobuster dns -q -r "dns1.p08.nsone.net" -d "githubapp.com" -w "~/seclist/fuzzing/1-4_all_letters_a-z.txt" -p ./patterns.txt -o "gobuster_subdomain.txt"

And the pattern I used is:

glb-{GOBUSTER}-public-internal.githubapp.com

For ffuf I used the following syntax:

ffuf -w ~/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.githubapp.com -t 90

With ffuf I found some subdomains, but none of them is the answer. I don't know if I'm using the wrong wordlist, or whether the pattern I guessed is wrong too. I'm so exhausted from trying to find the correct answer without success. If anyone knows where I failed, please tell me.

Are you looking for a subdomain or a vhost? Ffuf vhost syntax is different…

I'm looking for a subdomain. For more context, this is the question I want to answer:
“Perform active subdomain enumeration against the target githubapp.com. Which subdomain has the word ‘elephants’ in the name?”

As I said, I performed a subdomain enumeration with gobuster and ffuf, with the syntax that I showed earlier. But none of the subdomains I found with this enumeration is the answer, and I don't see any subdomain with the word "elephants" in its name. I even performed vhost enumeration, but the result is the same as the subdomain enumeration. I have no idea what I'm doing wrong, whether it is the syntax or the wordlist. I really need some help with this; I've been stuck on this question for 2 days.

Hey! I had trouble with this one as well, I think I ended up using a passive approach because the active one didn’t work even with Sublist3r. DM me if you have trouble with it.

-onthesauce

Did anyone get the third question? I'm using dig and I got the CNAME. When I dig that, I get an IP address that takes me to a page that doesn't function. Anyone who has finished the module, do you have any hints?

I tried every tool discussed, including Sublist3r and subscraper and still nothing.

A friend suggested trying https://subdomainfinder.c99.nl/

I would love to know how others accomplished this with the tools discussed.

Hey man, thanks for this!! I literally tried everything from the module/hints and even some outside tools that I have from GitHub. Nothing seemed to work except this.

I will share my experience!
The module is very interesting and practical.
There was a difficult moment on "Active Subdomain Enumeration",
but then everything went smoothly (thanks a lot - onthesauce).
I was waiting for big problems on "Skills Assessment", but it turned out to be much clearer than expected!!!

Thanks @digitalohm, I have solved the last question with "https://subdomainfinder.c99.nl/". At first I used the "sublist3r" tool and it didn't work, but after several attempts it worked and I got the same results as with "https://subdomainfinder.c99.nl/".

If you are working on this and still can't get the answer, use @digitalohm's solution (https://subdomainfinder.c99.nl/), but use the "More scans of githubapp.com" at the bottom and select a date before his post.

Thank you! Excellent website. You're great, man!

Really, thanks for this. I tried lots of websites and tools. This helped me with the last question. Thanks again.

I'm having issues with the DNS section. It says to find which IP address maps to paydiant.com. I've tried everything, and all I can find are two addresses that appear to be email addresses, MX1 and MX2. They have their own IP addresses, but neither of them is the answer. Any help would be greatly appreciated.

Hey, I had the same problem just now; it seems that the site is down. I found the IP by using online tools that let you search for old records for a given domain name.

Thanks for letting me know. I’ve checked about 15 to 20 different sites and I still can’t find the IP address. Any hints on where I might look for it?

Never mind. I found it. Thank you again for your suggestion.

It seems that PAYDIANT.com is down or something, so I had to search all over the internet for the answer to the first question.
I used this link:
Subdomain Finder scan of Paydiant.com - C99.nl
Go down until you reach the part with IP and Count and try the IPs there.
One of those is the answer.

Try TheHarvester.

Use crt.sh; you'll be able to "find" what you are looking for.
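The passive approach several replies converge on (crt.sh and similar certificate-transparency lookups) can be scripted so the results are deduplicated and filtered instead of read off a web page. This is an added example, not code from the thread or from any tool it names: it parses a constructed sample in the shape of crt.sh's JSON output, extracts the unique hostnames under a domain, and filters them for a keyword; `fetch_crtsh` is the optional live query, and all function names are my own.

```python
import json
import urllib.request
from typing import Iterable

# Constructed sample (not live data) in the shape of crt.sh's JSON output for
# https://crt.sh/?q=%25.example.com&output=json : one record per certificate, with
# name_value holding newline-separated SAN entries in mixed case, wildcards included.
SAMPLE_CRTSH_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com"},
    {"common_name": "*.example.com", "name_value": "*.example.com\nmail.example.com"},
    {"common_name": "GRAY-ELEPHANTS.EXAMPLE.COM",
     "name_value": "gray-elephants.example.com\ngray-elephants.staging.example.com"},
    {"common_name": "api.example.com", "name_value": "api.example.com\nAPI.example.com"},
    {"common_name": "example.com.unrelated.net", "name_value": "example.com.unrelated.net"},
])


def extract_subdomains(crtsh_json: str, domain: str) -> set[str]:
    """Return the unique hostnames under `domain` found in a crt.sh JSON dump.

    Names are lower-cased, '*.' wildcard prefixes are dropped (the remainder is still a
    name under the domain), and names that merely contain the domain as a substring
    (e.g. example.com.unrelated.net) are excluded by the suffix check.
    """
    apex = domain.lower()
    suffix = "." + apex
    found: set[str] = set()
    for record in json.loads(crtsh_json):
        # name_value bundles every SAN of the certificate, one per line
        for name in record.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]
            if name == apex or name.endswith(suffix):
                found.add(name)
    return found


def names_containing(names: Iterable[str], keyword: str) -> list[str]:
    """Sorted hostnames whose text contains `keyword` (case-insensitive)."""
    return sorted(n for n in names if keyword.lower() in n)


def fetch_crtsh(domain: str) -> str:
    """Live query (network required): pull the CT log records for %.<domain>."""
    url = f"https://crt.sh/?q=%25.{domain}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    subs = extract_subdomains(SAMPLE_CRTSH_JSON, "example.com")
    print(names_containing(subs, "elephants"))
```

Names from CT logs are historical: a hit may no longer resolve, which is exactly why the active wordlist scans in the thread missed it while the passive sources did not.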

Same, I was stressing out about the active enumeration and forgot about the passive one!