Is anybody out there? Made a test text file with just “s3” in it and still nothing. I can visit s3.thetoppers.htb and it works though? I have watched tons of videos and it always seems that gc._msdcs.thetoppers.htb and s3.thetoppers.htb come up. I get:
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
I’ve sat here for the last hour or so working on subdomain enumeration for a different box. I tried gobuster vhost and dns modes tirelessly with no luck, and also had the problem with this box previously. Anyway, I ended up getting it to work using wfuzz; just replace the wordlist and target from this code
I used version 3.4 and, according to the help documentation, in vhost mode you need to use the --append-domain option for it to work as intended. Then, the fully qualified domain to test will be s3.thetoppers.htb instead of s3 alone.
I can get it with ffuf -w /opt/wordlists/SecLists/Discover/DNS/subdomains-top1million-5000.txt:FUZZ -u http://thetoppers.htb -H "HOST: FUZZ.thetoppers.htb" -mc 404
The problem is why does the subdomain s3 return a 404 status code instead of a 200 status code???
1. sudo vim /etc/hosts
Add a new record:
You can use the wordlist from /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
The wordlist I used was created by crunch:
$ crunch 2 2 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ -o 2_char_wordlist.txt
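
Added example, not from any poster in this thread and not gobuster's or ffuf's own code: a local simulation of the two points raised above, that a bare "s3" Host value behaves differently from "s3.thetoppers.htb", and that a vhost can be identified by a 404 when it differs from the default response. The server is a constructed stand-in (assumption: the s3 vhost answers 404 and any other Host gets the default site with 200); VhostSim, host_header, probe and find_vhosts are hypothetical names.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

DOMAIN = "thetoppers.htb"

class VhostSim(BaseHTTPRequestHandler):
    """Constructed stand-in server: one vhost answers 404, any other Host gets the default site."""
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host == "s3." + DOMAIN:
            status, body = 404, b"constructed 404 body"
        else:
            status, body = 200, b"<html>default site</html>"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def host_header(word, append_domain):
    # With append_domain the wordlist entry becomes a full name; without it the bare word is sent.
    return f"{word}.{DOMAIN}" if append_domain else word

def probe(port, host):
    # Send GET / with an explicit Host header and return (status, body length).
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", host)
    conn.endheaders()
    resp = conn.getresponse()
    result = (resp.status, len(resp.read()))
    conn.close()
    return result

def find_vhosts(port, words, append_domain):
    # A vhost exists when its response differs from a name that cannot exist,
    # whatever the status code is (here the real vhost is the one returning 404).
    baseline = probe(port, host_header("no-such-name-zz", append_domain))
    return [w for w in words if probe(port, host_header(w, append_domain)) != baseline]

def run_demo(words=("www", "mail", "s3", "dev")):
    server = ThreadingHTTPServer(("127.0.0.1", 0), VhostSim)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return find_vhosts(port, words, True), find_vhosts(port, words, False)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(run_demo())
```
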