Skill Assessment
First add a hosts entry for the target (the IP and port are the ones assigned to this spawned instance; yours will differ):
sudo sh -c "echo '94.237.61.84 inlanefreight.htb' >> /etc/hosts"
You must use sudo sh -c and quote the entire command: with a plain sudo echo ... >> /etc/hosts the redirection is performed by your own unprivileged shell, not by sudo, and fails with permission denied. After this you can visit the website at http://inlanefreight.htb:35684
Question 1
What is the IANA ID of the registrar of the inlanefreight.com domain?
Ran whois:
whois inlanefreight.com
Output:
Registrar: Amazon Registrar, Inc.
Registrar IANA ID: 468
Question 2
What http server software is powering the inlanefreight.htb site on the target system? Respond with the name of the software, not the version, e.g., Apache.
Used curl:
curl -I http://inlanefreight.htb:35684
Output:
Server: nginx/1.26.1
Question 3
What is the API key in the hidden admin directory that you have discovered on the target system?
Used ffuf to enumerate virtual hosts by fuzzing the Host header (this is vhost fuzzing, not directory fuzzing; the hidden directory itself turns up later):
ffuf -u http://inlanefreight.htb:35684 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -mc 200,403 -t 60 -H "Host: FUZZ.inlanefreight.htb" -ac
You have to use this larger wordlist, as the vhost name is not in the smaller subdomain wordlists. -ac enables auto-calibration, which filters out the default response the server returns for every unknown Host value.
Output:
web1337 [Status: 200, Size: 104, Words: 4, Lines: 2, Duration: 24ms]
Or you can use gobuster:
gobuster vhost -u http://inlanefreight.htb:35684 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -t 60 --append-domain
Added the newly found host:
sudo sh -c "echo '94.237.61.84 web1337.inlanefreight.htb' >> /etc/hosts"
Fuzz directories on the new vhost:
ffuf -u http://web1337.inlanefreight.htb:35684/FUZZ -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 60
Output:
index.html [Status: 200, Size: 104, Words: 4, Lines: 2, Duration: 24ms]
robots.txt [Status: 200, Size: 99, Words: 6, Lines: 6, Duration: 26ms]
Inspect the robots.txt:
curl http://web1337.inlanefreight.htb:35684/robots.txt
User-agent: *
Allow: /index.html
Allow: /index-2.html
Allow: /index-3.html
Disallow: /admin_h1dd3n
Connect to /admin_h1dd3n:
curl http://web1337.inlanefreight.htb:35684/admin_h1dd3n -I
HTTP/1.1 301 Moved Permanently
Server: nginx/1.26.1
Date: Tue, 31 Dec 2024 13:00:42 GMT
Content-Type: text/html
Content-Length: 169
Location: http://web1337.inlanefreight.htb/admin_h1dd3n/
Connection: keep-alive
Note that the Location header drops the :35684 port, so following the redirect with curl -L would end up on port 80. I instead visited http://web1337.inlanefreight.htb:35684/admin_h1dd3n/ directly (with the trailing slash and the port) and got the key.
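The three manual steps above (the hosts-file appends, pulling Disallow entries out of robots.txt, and fixing the redirect that lost the port) repeat for every vhost, so here is a small helper script. It is an added example written for this page, not part of the original write-up or of any HTB tooling; the sample robots.txt in demo is constructed to mirror what the target served, and HOSTS_FILE can be pointed at a scratch file so the functions can be exercised without touching /etc/hosts.

```bash
#!/usr/bin/env bash
# Added helper (example code, not from the original write-up): idempotent hosts
# entries, Disallow extraction from robots.txt, and port-preserving redirect
# handling for a target that listens on a non-standard port (35684 here).
set -u

# Overridable so the functions can be tested against a scratch file; the
# default is the real hosts file, which needs root to write.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# add_host IP NAME: append "IP NAME" unless that exact line is already present.
# The write goes through tee when the file is not writable, so the append runs
# as root; a plain "sudo echo ... >> /etc/hosts" redirects in the caller's shell.
add_host() {
    ip="$1"; name="$2"
    if grep -qxF -- "$ip $name" "$HOSTS_FILE" 2>/dev/null; then
        return 0                       # already present, nothing to do
    fi
    if [ -w "$HOSTS_FILE" ]; then
        printf '%s %s\n' "$ip" "$name" >> "$HOSTS_FILE"
    else
        printf '%s %s\n' "$ip" "$name" | sudo tee -a "$HOSTS_FILE" >/dev/null
    fi
}

# disallowed_urls BASE FILE: print one full URL per "Disallow: /path" line in
# the robots.txt saved as FILE, built on BASE so the port survives. CRLF line
# endings, trailing comments, empty entries and a bare "Disallow: /" are skipped.
disallowed_urls() {
    base="${1%/}"; file="$2"
    tr -d '\r' < "$file" |
        sed -n 's/^[Dd]isallow:[[:space:]]*\([^[:space:]#]\{1,\}\).*$/\1/p' |
        while IFS= read -r path; do
            [ "$path" = "/" ] && continue
            printf '%s%s\n' "$base" "$path"
        done
}

# fix_redirect BASE LOCATION: nginx answered with
#   Location: http://web1337.inlanefreight.htb/admin_h1dd3n/
# i.e. without the :35684 the client used, so "curl -L" would go to port 80.
# For a same-host redirect, keep only the path and re-attach scheme://host:port
# from BASE. A redirect to a different host is returned untouched.
fix_redirect() {
    base="${1%/}"; location="$2"
    base_host="${base#*://}"; base_host="${base_host%%/*}"; base_host="${base_host%%:*}"
    case "$location" in
        *://*)
            loc_host="${location#*://}"; loc_host="${loc_host%%/*}"; loc_host="${loc_host%%:*}"
            if [ "$loc_host" != "$base_host" ]; then
                printf '%s\n' "$location"; return 0
            fi ;;
    esac
    case "$location" in
        *://*/*) path="/${location#*://*/}" ;;   # absolute URL with a path
        *://*)   path="/" ;;                     # absolute URL, host only
        *)       path="/${location#/}" ;;        # relative Location header
    esac
    printf '%s%s\n' "$base" "$path"
}

# demo: run the helpers on a constructed robots.txt (no network access).
demo() {
    base="http://web1337.inlanefreight.htb:35684"
    tmp="$(mktemp)"
    printf 'User-agent: *\r\nAllow: /index.html\r\nDisallow: /admin_h1dd3n\r\nDisallow: /\r\n' > "$tmp"
    disallowed_urls "$base" "$tmp"
    fix_redirect "$base" "http://web1337.inlanefreight.htb/admin_h1dd3n/"
    rm -f "$tmp"
    # Live usage would be:
    #   curl -s "$base/robots.txt" -o robots.txt
    #   disallowed_urls "$base" robots.txt | while read -r u; do curl -sI "$u" | head -n1; done
}

[ "${1:-}" = "demo" ] && demo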
Question 4
After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., [email protected].
I used ReconSpider:
python3 ReconSpider.py http://inlanefreight.htb:35684
This didn't work. I tried again with the web1337 subdomain:
python3 ReconSpider.py http://web1337.inlanefreight.htb:35684
Go back to ffuf, this time fuzzing for subdomains of web1337:
ffuf -u http://web1337.inlanefreight.htb:35684 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -mc 200,403 -t 60 -H "Host: FUZZ.web1337.inlanefreight.htb" -ac
I discovered the dev subdomain and added it as a new vhost:
sudo sh -c "echo '94.237.61.84 dev.web1337.inlanefreight.htb' >> /etc/hosts"
Used ReconSpider again:
python3 ReconSpider.py http://dev.web1337.inlanefreight.htb:35684
This worked. I inspected results.json and found the email.
Question 5
What is the API key the inlanefreight.htb developers will be changing to?
The API key is in the same results.json file.