Information gathering - web edition

What other subdomains popped up?

Initially, when I ran gobuster with namelist.txt, I got 21 subdomains, such as webxxx, sxx, sxx, wxx, ex., but all of these subdomains have a status of 400. When I ran gobuster with subdomains-top1million-110000.txt, append-domain, I get nothing.

Me too, and it’s been a nightmare trying to figure out the last question.

I found the answers for the last two questions before the third one lol. Use the subdomain top1million 11000.txt, but don't forget to add that subdomain to hosts.

Finally got it!


Can anyone give me a nudge on how to get the email address from the domain? I have been stuck for the last couple of hours trying to find it.

I found two additional subdomains. One of them has a file "robots.txt". The other one DOESN’T. Should I find 3 or 4 more subdomains? How many are there?
Did I understand correctly that I will find the API in the file "robots.txt"?

I found a subdomain of developers, but I can’t figure out where the “API” itself is hiding?
“finalrecon” doesn’t find anything.

I'm using the following to enumerate subdomains and getting nothing. Could someone take a look at my cmd and vhost file and tell me what I’m missing?

└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u -H 'Host: FUZZ.inlanefreight.htb' -fs 120

vhost file snipped (have tried with and without the port). Not sure which one would be correct since they both produce the same result.
inlanfreight.htb
inlanefreight.htb

Hi @eagle005, dandyloco explained it well: enumerate vhost first - there will be multiple subdomains (one on top of another) and on the last subdomain use ReconSpider to find the e-mail address.

@REVSHELL69 put IP address without port to /etc/hosts

Has anyone found an answer for "What is the API key in the hidden admin directory that you have discovered on the target system?"
I found one robots.txt in one of the subdomains where it’s listed admin_XXX but denied. When I go to the specified URL I am getting 301 (moved permanently).

Found two subdomains but can't find the working /admin.
I also tried enumeration with common.txt from seclist, but with no luck…

Any clues for where to find the API key?

Yay, good job! It's not easy, but with patience and determination you can do it.

Have you tried curling any of the subdomains with that robot.txt file?

Check that page in a browser. Take your time combing through the subdomains

It is necessary to use the curl tool for the found sites. I didn’t really understand.
There is a robots file on one subdomain, but not on the other. I just have to find the API key somehow. And the tools refuse to work.
Is there an alternative way of finding it? :((

Hi @oziesiek, I have found the subdomains and the API key. I tried a lot of different things and crawled everything using zap-proxy, but I am not able to find the mail and the second API key. Were you able to complete this?

Hi @eagle005,
yes, for me it was easier: you simply need to run ReconSpider on the second subdomain, and the email with the API should be written to results.json.

Hi @oziesiek, ReconSpider is not working in the PWN box. I tried installing it, but it's not working. Is there any other way?

Maybe this will be useful for you; @Jomomo05 from this topic helped me a lot with this one, let me quote him:
"Assuming that you already found the robots.txt file, you have to use gobuster on dir mode using the URL of the disallowed domain AND the disallowed directory."
For example: subdomain.inlanefreight.htb:1234/directory/

Finally, I have completed this skill assessment. :slight_smile:

Thanks @oziesiek for helping me.

In my env it also doesn’t work, so I created an env in the terminal, then installed the library and ran the tool:
python3 -m venv myenv
source myenv/bin/activate
and then pip install lib_name

Glad that you made it! :muscle:

After scanning “gobuster” should I find something interesting in the catalogs?

I reread the topic, how do you manage to find the API?
Are you adding the key that was found on the admin page somewhere?
Guys, what are you doing that “ReconSpider” shows it to you?
What is the secret of API search, after you have found the last subdomain and it remains only to scan it with the application?