Information Gathering - Web Edition

Hey guys

I managed to get to the last question in the Skills Assement of the updated Information Gathering - Web Edition
" What is the API key the inlanefreight.htb developers will be changing too?"

I tried to use FinalRecon to enumerate the inlanefreight.htb in order to find the api key.

Does anyone has any hint?

I have the same problem, im only see the inlanefreight.htb

I tried searching for subdomains and so on but no luck.

Use FinalRecon to find more subdoamins and then to find robots.txt

Hey bro, i did it and i don’t get it, this is what i did:

python3 FinalRecon/ --full --url http://inlanefreight.htb:33423

What didn’t you get?

more subdoamins

And now find the robots.txt (:

Sorry man, but I don’t understand. I can only see the “inlanefreight.htb:33423” domain. I’ve tried ffuf and virtual host…

Go over the following process:

  1. add inlanefreight.htb to hosts
  2. gobuster vhost inlanefreight.htb and find the subdomain
  3. add the subdomain to hosts
  4. use finalrecon to see what you find
  5. use gobuster the next subdoamin
    and go on
    you will see the link to robots.txt from there.

If you are having more issues, DM me

Good luck


Try use ReconSpider for the second subdomain to find the API key for the developers.

I’m not finding anything with gobuster any other hints?

thi is the command i’m using gobuster vhost -u http://inlanefreight.htb:52951 -w /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --append-doma

Looks like the target has expired. I am able to retrieve the first subdomain with your command.

Yeah I’m not sure what happened but I kept trying and eventually got it lol… for anyone else stuck once you find the correct vhost re read the crawling section there’s a new tool that instantly finds the api key. The robots.txt is bait. Good luck dm or reply if you need more help

HTB changed the files names and the directories name in the new update of the pwnbox.
I urge you to check the path and the file names.
For example, see how they change the following path:
/usr/share/seclists/Discovery/DNS - see seclists

Best of luck

try dnsenum

After tryhard, i’m finish this module, this 's difficult for me. I have read and consulted many people’s instructions.
to be able to solve it, let’s add first target ip and vHost domain to /etc/hosts, brute force vhost to find new vhost, add it to /etc/hosts and do it again See if you can find anything new.
use crawing tools and reconnaise tools learned in the lesson applies to all domain, directory path found to find flag.
Finally, try hard and you will succeed

Morning, Everyone.

I managed to complete all the points on the assestment, except for the question

What is the API key in the hidden admin directory that you have discovered on the target system?

I would like to request a hint to solve it, I’ve already managed to get all the other questions but i could not get the API key based on the robots.txt file.

Edit: I tried to use Gobuster on the robots.txt admin domain, but still didnt got any answer.
Edit 2: Found it. Used gobuster with the common.txt

Find the subdomain and and “finalize” the recon :wink:

Hi @Jomomo05 ,can you kindly give a tip about this gobuster with common.txt you used?
I tried with gobuster or ffuf with this wordlist but no success (to look for subdomain or endpoint)
Is there a third subdomain or where to look for this admin URL ??

Assuming that you already found the robots.txt file, you have to use gobuster on dir mode using the URL of the disallowed domain AND the disallowed directory. As an example: .htb:12345/thisdirectory/