Step 18: Information Gathering — Web Edition

Josh Gates
Aug 14, 2022


Been a few days folks, apologies. Orientation at the new job, getting more apartment stuff… it finally feels cozy and homely!

Then I’ve also been trying some boxes. I came back to academy modules because a box I was trying I had SSH to earlier then came back to it and kept timing out… so here we are. I really want to try to complete a module then find a box/ctf where I have to use that skill (in addition to previous skills).

So far I’ve been using HTB/Academy but found this video from one of my new favourite YouTube hosts, STÖK. Highly recommend you check his stuff out and branch out from there. I think what I’m likely to do is continue doing HTB:Academy stuff but then branch off. If something in another site is old or ‘easy’ I’ll fly through it no problem. Here we go ladies and gents, strap in! I have a feeling a lot of this will be fairly familiar to me in that I’ve been watching a lot of bug bounty videos before I sleep. Eat, work, hack, work, repeat… right?

REMEMBER: SPOILER WARNING FOR TASKS. I AM DOING THIS FOR ME, NOT FOR YOU, SO YOU HAVE BEEN WARNED.

WHOIS

WHOIS is a TCP-based, transaction-oriented query/response protocol that listens on TCP port 43 by default; it is specified in RFC 3912. The client sends the query followed by CRLF and the server replies with free-form text and closes the connection. There are web front-ends, but we will focus on the command line for now.

Below is a snippet of a request:

WHOIS snippet for facebook.com
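Because RFC 3912 is so simple (open TCP/43, send the query plus CRLF, read until the server closes), a client fits in a few lines. The block below is an added example for this post, not code from the HTB module: `whois_query` is the raw client, `parse_whois` turns the "Key: value" lines into a dict, and `registrar_iana_id` pulls the field the skills assessment later asks for. The reply it parses here is a constructed sample for an invented domain, so the file runs offline; `lookup_iana_id_live` shows the two-step IANA-then-registry lookup you would run against a real target.

```python
"""Minimal RFC 3912 WHOIS client plus a parser for the key/value lines it returns.

Added example for this post, not code from the HTB module. The network
function talks to a real WHOIS server on TCP/43; the parser is exercised
on a constructed response so the file runs offline.
"""
import socket

WHOIS_PORT = 43  # RFC 3912: plain TCP, query terminated by CRLF, server closes when done


def whois_query(query: str, server: str = "whois.iana.org", timeout: float = 10.0) -> str:
    """Send one WHOIS query and return the raw reply text.

    whois.iana.org answers for any TLD and names the authoritative server
    in its 'refer:' line; follow that for the full record.
    """
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:  # RFC 3912 has no length field: read until the server closes
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict:
    """Collect 'Key: value' lines into a dict of lists (keys repeat, e.g. Name Server)."""
    fields: dict = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # comments, legal notices and the 'Last update' trailer
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields


def registrar_iana_id(fields: dict):
    """The 'Registrar IANA ID' field (the skills assessment question), or None."""
    values = fields.get("Registrar IANA ID")
    return values[0] if values else None


def lookup_iana_id_live(domain: str):
    """Live two-step lookup: ask IANA, follow 'refer:', then read the Registrar IANA ID."""
    iana = parse_whois(whois_query(domain))
    refer = iana.get("refer")
    if not refer:
        return None
    return registrar_iana_id(parse_whois(whois_query(domain, server=refer[0])))


# Constructed sample in the shape of a registry reply for an invented domain
# (not a real WHOIS record; the IANA ID 9999 is made up).
SAMPLE_REPLY = """\
% Terms of use notice goes here
   Domain Name: EXAMPLE.TEST
   Registrar: Example Registrar, LLC
   Registrar IANA ID: 9999
   Name Server: A.IANA-SERVERS.NET
   Name Server: B.IANA-SERVERS.NET
   DNSSEC: signedDelegation
>>> Last update of whois database: 2022-08-14T00:00:00Z <<<
"""

if __name__ == "__main__":
    fields = parse_whois(SAMPLE_REPLY)
    print(registrar_iana_id(fields), fields["Name Server"])
```

The parser is deliberately loose: registries differ in field names and indentation, so the only assumption is "one `Key: value` per line". Thick registries (most ccTLDs) return everything in one reply; thin ones such as .com only give you the registrar and you have to follow `refer:` to get the rest, which is what the live helper does.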

Task:

Easy peasy

DNS

The Domain Name System (DNS) is the index, or phone book, of the internet: it maps human-readable domain names to the IP addresses that are actually used to connect.

Nslookup & DIG

With nslookup we can query name servers on the internet for information about hosts and domains. The tool has two modes, interactive and non-interactive; we will mainly use the non-interactive mode.

nslookup syntax

dig gives us a little more information, since it prints the full answer with TTLs, the authority section and the server that replied:

The next several sections are just various syntax examples. For the sake of length, I’m going to leave them out, but they’re there…

Task:

Which IP maps to paydiant.com?

Which subdomain is returned when querying the PTR record for 173.0.87.51?

What is the first mailserver returned when querying the MX records for paypal.com?
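The three tasks above are the three lookups you do most often: forward (A), reverse (PTR) and mail (MX). Two details trip people up. A PTR query is made against the reversed address under in-addr.arpa (dig -x builds that name for you), and the MX "first mailserver returned" is not a stable thing: resolvers rotate the answer order, so the preference value is what actually ranks the servers. The block below is an added example for this post, not the module's code: it wraps dig through subprocess for live use and exercises the name-building and ordering logic on constructed dig output so it runs offline. The zone and hosts in the samples are invented.

```python
"""Helpers for the A, PTR and MX lookups above.

Added example for this post (not from the HTB module). `dig` wraps the real
tool for live use; `reverse_name`, `parse_answers` and `mail_servers` are
exercised on constructed dig output so the file runs offline.
"""
import ipaddress
import subprocess
from typing import List, Optional, Tuple


def reverse_name(ip: str) -> str:
    """PTR owner name for an address, e.g. 173.0.87.51 -> 51.87.0.173.in-addr.arpa.

    Works for IPv6 too (nibble-reversed under ip6.arpa).
    """
    return ipaddress.ip_address(ip).reverse_pointer


def dig(name: str, rtype: str, server: Optional[str] = None) -> str:
    """Run dig and return only the answer section (requires dig on PATH; live)."""
    cmd = ["dig", "+noall", "+answer", name, rtype]
    if server:
        cmd.insert(1, f"@{server}")
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_answers(answer_text: str) -> List[Tuple[str, str, str]]:
    """Turn dig answer lines into (owner, type, rdata) tuples."""
    records = []
    for line in answer_text.splitlines():
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) == 5 and parts[2] == "IN":
            records.append((parts[0], parts[3], parts[4]))
    return records


def mail_servers(answer_text: str) -> List[Tuple[int, str]]:
    """MX hosts ordered by preference, lowest (most preferred) first."""
    mx = []
    for _, rtype, rdata in parse_answers(answer_text):
        if rtype == "MX":
            pref, host = rdata.split()
            mx.append((int(pref), host.rstrip(".")))
    return sorted(mx)


def ptr_target(answer_text: str) -> Optional[str]:
    """Hostname from a PTR answer, or None if the address has no reverse record."""
    for _, rtype, rdata in parse_answers(answer_text):
        if rtype == "PTR":
            return rdata.rstrip(".")
    return None


# Constructed dig output for an invented zone; the real paypal.com answer differs.
SAMPLE_MX = """\
example.test.\t300\tIN\tMX\t20 mx2.example.test.
example.test.\t300\tIN\tMX\t10 mx1.example.test.
example.test.\t300\tIN\tMX\t20 mx3.example.test.
"""
# Constructed PTR answer for a private address (not a real lookup result).
SAMPLE_PTR = "1.0.0.10.in-addr.arpa.\t3600\tIN\tPTR\thost.example.test.\n"

if __name__ == "__main__":
    print(reverse_name("173.0.87.51"))
    print(mail_servers(SAMPLE_MX))
    print(ptr_target(SAMPLE_PTR))
```

For a live run, `mail_servers(dig("paypal.com", "MX"))` gives the preference-sorted list and `ptr_target(dig(reverse_name("173.0.87.51"), "PTR"))` does the reverse lookup the second task asks for. Note that the in-addr.arpa zone is owned by whoever holds the address block, so a PTR can name a subdomain the forward zone never advertises; that is why the module treats reverse lookups as recon, not just verification.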

And on that note, it’s 22:45 or so here on a Sunday night and I’m up at 7am for work, so I’m going to wind down with some Xenoblade Chronicles 2 (yes I know 3 is out… I’ll get to it. Tbh I wasn’t paying attention to Xenoblade 2 but figured some stuff out and LOVE it now. So 2 and 3 will tide me over until Pokemon comes out in November).

We’re back… a little late, 10pm here now the next day. Long day at work and some mobile phone issues to deal with, and the girlfriend is under the weather, but we do something every day! Even if it’s not blogged here, I’ve done something daily. Some days more than others, of course.

Passive Subdomain Enumeration

VirusTotal

VirusTotal runs a passive DNS replication service built from the DNS resolutions it records when users submit URLs; searching a domain and opening its Relations tab lists the subdomains that have been observed, with no traffic sent to the target.

Project Sonar

A Rapid7 research project that scans the internet and publishes the collected DNS and service data. It can also be queried with curl:

You get A LOT of results

Certificates

SSL/TLS certificates are another interesting source. Public CAs log every certificate they issue to Certificate Transparency logs, and the subject alternative names on those certificates leak hostnames the organisation may never have advertised. Two main places to look:

To fetch the results in JSON format with curl and pull out the names with jq:

AWildRavenclaw@htb[/htb]$ export TARGET="facebook.com"
AWildRavenclaw@htb[/htb]$ curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u > "${TARGET}_crt.sh.txt"

Automating Passive Subdomain Enumeration

theHarvester will be used with a set of modules (sources); run it once per source and merge the results.

Modules used in this course
Combine harvesterrrrr

Then use the following to extract and sort the subdomains found (theHarvester's JSON lists resolved hosts as host:ip, hence the cut):

cat *.json | jq -r '.hosts[]' 2>/dev/null | cut -d':' -f 1 | sort -u > "${TARGET}_theHarvester.txt"

Then merge:

cat facebook.com_*.txt | sort -u > facebook.com_subdomains_passive.txt

and:

cat facebook.com_subdomains_passive.txt | wc -l
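The curl | jq | sort -u pipeline above and the final merge are doing two things: flattening crt.sh's JSON into one hostname per line and deduplicating across sources. The block below is an added example for this post, not the module's code, and does the same in Python with two caveats the one-liner ignores: a single crt.sh entry's name_value lists every SAN on the certificate separated by newlines, and wildcard entries like *.dev.example.test are not hosts you can resolve, so they are reduced to the parent name. The crt.sh payload and theHarvester output it runs on are constructed for an invented domain so the file runs offline; `fetch_crtsh` is the live call.

```python
"""Passive subdomain collection from crt.sh JSON, merged with other sources.

Added example for this post, not the HTB module's own code. The fetch helper
needs network; everything else runs on a constructed crt.sh-style payload.
"""
import json
import urllib.request
from typing import Iterable, List, Set


def fetch_crtsh(domain: str) -> list:
    """GET https://crt.sh/?q=<domain>&output=json (live; not used by the test)."""
    url = f"https://crt.sh/?q={domain}&output=json"
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


def names_from_crtsh(entries: Iterable[dict], domain: str) -> Set[str]:
    """Extract in-scope hostnames from crt.sh records.

    name_value holds every SAN of the certificate joined with newlines, so one
    entry can yield several names; '*.foo' wildcards are reduced to 'foo', and
    names outside the target domain (shared certificates) are dropped.
    """
    found = set()
    suffix = "." + domain
    for entry in entries:
        raw_names = entry.get("name_value", "").split("\n") + [entry.get("common_name", "")]
        for name in raw_names:
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == domain or name.endswith(suffix):
                found.add(name)
    return found


def merge_sources(*sources: Iterable[str]) -> List[str]:
    """Union of several tools' output, like `cat facebook.com_*.txt | sort -u`."""
    merged = set()
    for src in sources:
        merged.update(s.strip().lower() for s in src if s.strip())
    return sorted(merged)


# Constructed crt.sh-style payload for an invented domain (not real certificate data).
SAMPLE_CRTSH = [
    {"common_name": "www.example.test", "name_value": "www.example.test\nexample.test"},
    {"common_name": "*.dev.example.test", "name_value": "*.dev.example.test"},
    {"common_name": "mail.example.test", "name_value": "mail.example.test\nmail.other.test"},
    {"common_name": "WWW.EXAMPLE.TEST", "name_value": "WWW.EXAMPLE.TEST"},
]
# Constructed stand-in for the <target>_theHarvester.txt file (one host per line).
SAMPLE_HARVESTER = ["api.example.test", "www.example.test", ""]

if __name__ == "__main__":
    crt = names_from_crtsh(SAMPLE_CRTSH, "example.test")
    merged = merge_sources(crt, SAMPLE_HARVESTER)
    print(len(merged), merged)  # the `wc -l` of the merged list, and the list
```

The in-scope filter matters on big targets: a CDN certificate for facebook.com often carries dozens of unrelated SANs, and without the suffix check they end up in your "subdomain" list and later in your active scans.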

Passive Infrastructure Identification

https://sitereport.netcraft.com lets us gather hosting, netblock and technology information from Netcraft's own records without sending a single packet to the target… noiseless recon? Yes please!

Active Infrastructure Identification

Web Servers — HTTP Headers

cURL for the HTTP headers of a URL

And some default session cookie names that give the backend away (the cookie name, not its value, is the fingerprint):

Default cookie names
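Reading the Server and X-Powered-By headers and recognising default session cookie names is the whole technique, so here it is as code. This is an added example for this post, not the module's code: `fetch_headers` does what curl -I does with the standard library, `parse_raw_headers` splits a raw response head, and `fingerprint` reports what it finds. The cookie table holds the common defaults (PHPSESSID for PHP, JSESSIONID for Java servlet containers, ASP.NET_SessionId and ASPSESSIONIDxxxx for .NET and classic ASP, CFID/CFTOKEN for ColdFusion); the response it runs on here is constructed, not captured from any real host.

```python
"""Fingerprint a web stack from response headers and session-cookie names.

Added example for this post, not the HTB module's code. The live helper
fetches headers with the standard library; the fingerprinting runs on a
constructed response so the file runs offline.
"""
import http.client
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Default session-cookie names and the platform they give away.
COOKIE_SIGNATURES = {
    "PHPSESSID": "PHP",
    "JSESSIONID": "Java (servlet container)",
    "ASP.NET_SessionId": "ASP.NET",
    "ASPSESSIONID": "Classic ASP",  # prefix match: ASPSESSIONIDxxxxxxxx
    "CFID": "ColdFusion",
    "CFTOKEN": "ColdFusion",
    "laravel_session": "Laravel (PHP)",
    "connect.sid": "Express (Node.js)",
}


def fetch_headers(url: str, timeout: float = 10.0) -> List[Tuple[str, str]]:
    """HEAD request returning the raw header list (live; unused by the test)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    conn.request("HEAD", parts.path or "/", headers={"Host": parts.hostname})
    resp = conn.getresponse()
    headers = resp.getheaders()
    conn.close()
    return headers


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP/1.1 response head (status line + headers) into pairs."""
    pairs = []
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line ends the head
        key, _, value = line.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def fingerprint(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Return what the headers reveal, grouped by where it came from."""
    result: Dict[str, List[str]] = {"server": [], "powered_by": [], "cookies": []}
    for key, value in headers:
        k = key.lower()
        if k == "server":
            result["server"].append(value)
        elif k == "x-powered-by":
            result["powered_by"].append(value)
        elif k == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            for sig, platform in COOKIE_SIGNATURES.items():
                if cookie_name == sig or (sig == "ASPSESSIONID" and cookie_name.startswith(sig)):
                    result["cookies"].append(f"{cookie_name} -> {platform}")
    return result


# Constructed response head (not captured from any real host).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Sun, 14 Aug 2022 20:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: ASPSESSIONIDQSRTBDCD=xyz; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(fingerprint(parse_raw_headers(SAMPLE_RESPONSE)))
```

For a live target, `fingerprint(fetch_headers("http://app.inlanefreight.local"))` answers the Apache version question in the task below directly. Treat Server as a hint rather than proof: it is a one-line config change to blank or fake it, which is why whatweb and Wappalyzer also look at response bodies, script paths and error pages.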

Wafw00f

Web application firewall (WAF) detection. Run it before any fuzzing so you know whether a WAF sits in front of the target and is filtering (or rate-limiting) your requests.

Task:

What Apache version is running on app.inlanefreight.local?

Remember to add the domains to your /etc/hosts file, as the module mentions.

Which CMS is used on app.inlanefreight.local? (Format: word)

whatweb command line

OR

Wappalyzer. Answer has the exclamation point… silly stuff.

On which operating system is the dev.inlanefreight.local webserver running? (Format: word)
Visit the domain and use wappalyzer again… or whatweb. Honestly it’s easy.

Active Subdomain Enumeration

ZoneTransfers

https://hackertarget.com/zone-transfer/ thank me later. The section goes on about how to do it manually… bleh, no thanks. This is like in my teacher training when they make you do lesson PowerPoints from scratch to ‘help you be a better teacher’ but it’s bullshit. Use hackertarget and move on with your life.

GoBuster

Brute-forcing tool with directory, DNS and vhost modes; gobuster dns brute-forces subdomains from a wordlist against the nameserver you choose (-r), and -p expands pattern files so a word like "shv" can be tried as shv-01, shv-02 and so on.

AWildRavenclaw@htb[/htb]$ export TARGET="facebook.com"
AWildRavenclaw@htb[/htb]$ export NS="d.ns.facebook.com"
AWildRavenclaw@htb[/htb]$ export WORDLIST="numbers.txt"
AWildRavenclaw@htb[/htb]$ gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"
Found: lert-api-shv-01-sin6.facebook.com
Found: atlas-pp-shv-01-sin6.facebook.com
Found: atlas-pp-shv-02-sin6.facebook.com
Found: atlas-pp-shv-03-sin6.facebook.com
Found: lert-api-shv-03-sin6.facebook.com
Found: lert-api-shv-02-sin6.facebook.com
Found: lert-api-shv-04-sin6.facebook.com
Found: atlas-pp-shv-04-sin6.facebook.com

Task:

What is the FQDN of inlanefreight.htb?

Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.

2; name servers is 2… google it.

TXT record part

Find and submit the contents of the TXT record as the answer.

Ok here… you have to do the above command…

My internet is being wacky with images, so:

┌──(kali㉿R4v3n)-[~]
└─$ nslookup -query=TXT internal.inlanefreight.htb 10.129.110.175
Server: 10.129.110.175
Address: 10.129.110.175#53
internal.inlanefreight.htb text = “ZONE_TRANSFER{87o2z3cno7zsoiedznxoi82z3o47xzhoi}”

Literally go through the list from the first command above until you get the ‘flag’.

What is the FQDN of this IP 10.10.34.136?

Had a friend run the same command after a lot of troubleshooting. Identical /etc/hosts etc., but my output was garbage and his worked… ah well. This also answers the rest.

Count all the A records from the zone transfers (both zones; the parent zone and internal.inlanefreight.htb are transferred separately):

dig @10.129.178.67 NS axfr inlanefreight.htb
;; Warning, extra type option

; <<>> DiG 9.18.1-1-Debian <<>> @10.129.178.67 NS axfr inlanefreight.htb
; (1 server found)
;; global options: +cmd
inlanefreight.htb.                   604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.                   604800 IN NS  ns.inlanefreight.htb.
admin.inlanefreight.htb.             604800 IN A   10.10.34.2
ftp.admin.inlanefreight.htb.         604800 IN A   10.10.34.2
careers.inlanefreight.htb.           604800 IN A   10.10.34.50
dc1.inlanefreight.htb.               604800 IN A   10.10.34.16
dc2.inlanefreight.htb.               604800 IN A   10.10.34.11
internal.inlanefreight.htb.          604800 IN A   127.0.0.1
admin.internal.inlanefreight.htb.    604800 IN A   10.10.1.11
wsus.internal.inlanefreight.htb.     604800 IN A   10.10.1.240
ir.inlanefreight.htb.                604800 IN A   10.10.45.5
dev.ir.inlanefreight.htb.            604800 IN A   10.10.45.6
ns.inlanefreight.htb.                604800 IN A   127.0.0.1
resources.inlanefreight.htb.         604800 IN A   10.10.34.100
securemessaging.inlanefreight.htb.   604800 IN A   10.10.34.52
test1.inlanefreight.htb.             604800 IN A   10.10.34.101
us.inlanefreight.htb.                604800 IN A   10.10.200.5
cluster14.us.inlanefreight.htb.      604800 IN A   10.10.200.14
messagecenter.us.inlanefreight.htb.  604800 IN A   10.10.200.10
ww02.inlanefreight.htb.              604800 IN A   10.10.34.112
www1.inlanefreight.htb.              604800 IN A   10.10.34.111
inlanefreight.htb.                   604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.129.178.67#53(10.129.178.67) (TCP)
;; WHEN: Fri Apr 22 12:04:55 CDT 2022
;; XFR size: 22 records (messages 1, bytes 594)

dig @10.129.178.67 NS axfr internal.inlanefreight.htb
;; Warning, extra type option

; <<>> DiG 9.18.1-1-Debian <<>> @10.129.178.67 NS axfr internal.inlanefreight.htb
; (1 server found)
;; global options: +cmd
internal.inlanefreight.htb.               604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb.               604800 IN TXT "ZONE_TRANSFER{87o2z3cno7zsoiedznxoi82z3o47xzhoi}"
internal.inlanefreight.htb.               604800 IN NS  ns.inlanefreight.htb.
dev.admin.internal.inlanefreight.htb.     604800 IN A   10.10.1.2
panel.admin.internal.inlanefreight.htb.   604800 IN A   10.10.1.2
printer.admin.internal.inlanefreight.htb. 604800 IN A   10.10.1.3
dc3.internal.inlanefreight.htb.           604800 IN A   10.10.1.5
ns.internal.inlanefreight.htb.            604800 IN A   127.0.0.1
ns2.internal.inlanefreight.htb.           604800 IN A   10.10.34.136
ws1.internal.inlanefreight.htb.           604800 IN A   10.10.2.11
ws2.internal.inlanefreight.htb.           604800 IN A   10.10.3.12
internal.inlanefreight.htb.               604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.129.178.67#53(10.129.178.67) (TCP)
;; WHEN: Fri Apr 22 12:05:07 CDT 2022
;; XFR size: 12 records (messages 1, bytes 435)
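Counting records by hand across two transfers is error-prone, and the same parsing is what you want when a real engagement hands you a zone with hundreds of entries. The block below is an added example for this post, not the module's code: `zone_transfer` shells out to dig axfr, `parse_axfr` keeps only the resource records (dropping dig's comment lines and the duplicate closing SOA), and `count_by_type` / `a_records` give the per-type totals and the host list. The sample it runs on is a subset of the records from the transfer above, so the file runs offline.

```python
"""Parse `dig axfr` output: count records per type and pull the A records.

Added example for this post, not the HTB module's code. The transfer helper
shells out to dig; the parser runs on a few records copied from the post's
own transfer so the file runs offline. Unauthenticated AXFR is a
misconfiguration: a properly restricted server answers '; Transfer failed.'
and there is nothing to parse.
"""
import subprocess
from collections import Counter
from typing import Dict, List, Tuple

Record = Tuple[str, str, str, str]  # (owner, ttl, type, rdata)


def zone_transfer(server: str, zone: str) -> str:
    """Run `dig @server axfr zone` and return stdout (live; unused by the test)."""
    cmd = ["dig", f"@{server}", "axfr", zone]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def parse_axfr(output: str) -> List[Record]:
    """Keep only resource records; drop comments, blank lines and the closing SOA."""
    records: List[Record] = []
    for line in output.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        parts = line.split(None, 4)  # owner ttl class type rdata
        if len(parts) != 5 or parts[2] != "IN":
            continue
        owner, ttl, _, rtype, rdata = parts
        records.append((owner, ttl, rtype, rdata))
    # A transfer starts and ends with the SOA; keep it once so counts are right.
    if len(records) > 1 and records[0][2] == "SOA" and records[-1][2] == "SOA":
        records.pop()
    return records


def count_by_type(records: List[Record]) -> Dict[str, int]:
    """Per-type totals, e.g. {'SOA': 1, 'NS': 1, 'A': 19} for the parent zone above."""
    return dict(Counter(r[2] for r in records))


def a_records(records: List[Record]) -> List[Tuple[str, str]]:
    """(hostname, ip) pairs; 127.0.0.1 entries are usually the nameserver itself."""
    return [(r[0].rstrip("."), r[3]) for r in records if r[2] == "A"]


# Subset of the records from the post's transfer of inlanefreight.htb.
SAMPLE_AXFR = """\
;; Warning, extra type option

; <<>> DiG 9.18.1-1-Debian <<>> @10.129.178.67 NS axfr inlanefreight.htb
;; global options: +cmd
inlanefreight.htb.\t604800\tIN\tSOA\tinlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb.\t604800\tIN\tNS\tns.inlanefreight.htb.
admin.inlanefreight.htb.\t604800\tIN\tA\t10.10.34.2
ftp.admin.inlanefreight.htb.\t604800\tIN\tA\t10.10.34.2
careers.inlanefreight.htb.\t604800\tIN\tA\t10.10.34.50
ns.inlanefreight.htb.\t604800\tIN\tA\t127.0.0.1
inlanefreight.htb.\t604800\tIN\tSOA\tinlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 40 msec
"""

if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print(count_by_type(recs))
    for host, ip in a_records(recs):
        print(f"{ip}\t{host}")
```

Against the lab, `parse_axfr(zone_transfer("10.129.178.67", "inlanefreight.htb")) + parse_axfr(zone_transfer("10.129.178.67", "internal.inlanefreight.htb"))` gives you both zones in one list and `count_by_type` on it answers the counting question. The NS and TXT records are worth reading too: a TXT record is where this lab hides its flag, and in real zones it is where SPF, DKIM selectors and third-party verification tokens leak which SaaS products the target uses.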

… few days later and we’re back. Think it’s been three days. Been engrossed in Xenoblade Chronicles 2 (yes I know 3 is out, I’ll get to it). The new Hogwarts game has been delayed until February so I’m chilling. It’s Sunday midday here and I intend on doing my own thing studying all day so HERE WE GOOOOO…

Virtual Hosts

VHosts allow several websites to be hosted on the same server. You can configure them through IP-based or name-based virtual hosting.

IP-Based

For this type, a host can have multiple network interfaces. Multiple IP addresses, or interface aliases, can be configured on each network interface of a host. The servers or virtual servers running on the host can bind to one or more IP addresses. This means that different servers can be addressed under different IP addresses on this host. From the client’s point of view, the servers are independent of each other.

Name-Based

The distinction for which domain the service was requested is made at the application level. For example, several domain names, such as admin.inlanefreight.htb and backup.inlanefreight.htb, can refer to the same IP. Internally on the server, these are separated and distinguished using different folders. Using this example, on a Linux server, the vHost admin.inlanefreight.htb could point to the folder /var/www/admin. For backup.inlanefreight.htb the folder name would then be adapted and could look something like /var/www/backup.

Checking for name-based Vhosting

VHost Fuzzing

ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612

Every request goes to the same IP; only the Host header changes. The -fs 612 filters out responses of 612 bytes, the size the server's default vhost returns for any name it does not know, so only hostnames that land on a different site are shown.
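The ffuf line above hard-codes the size to filter (612) because you have to look at a miss first to know it. The block below is an added example for this post, not the module's code, and does the same discovery with that step built in: it requests a random, non-existent hostname to learn what the default vhost looks like, then reports every wordlist entry whose response differs. The request function is injectable, so the logic is exercised here against a constructed fake server (two real sites behind a 612-byte default page); pass the real `http_get` for a live target.

```python
"""Name-based vhost discovery: vary the Host header, keep what differs from baseline.

Added example for this post, not the HTB module's code. `http_get` is the
live sender; the test uses `fake_send`, a constructed stand-in for a server
with two name-based vhosts and a default page.
"""
import http.client
import secrets
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, int]  # (status code, body length)


def http_get(ip: str, host: str, port: int = 80, timeout: float = 5.0) -> Response:
    """GET / from `ip` with an explicit Host header (live; unused by the test)."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, len(body)


def fuzz_vhosts(ip: str, domain: str, words: List[str],
                send: Callable[[str, str], Response] = http_get) -> Dict[str, Response]:
    """Return {vhost: (status, length)} for every name whose response differs from baseline."""
    # A hostname that cannot exist hits the server's default vhost; that response
    # is the noise ffuf's -fs filters, here measured instead of hard-coded.
    baseline = send(ip, f"{secrets.token_hex(6)}.{domain}")
    hits: Dict[str, Response] = {}
    for word in words:
        vhost = f"{word}.{domain}"
        resp = send(ip, vhost)
        if resp != baseline:
            hits[vhost] = resp
    return hits


# Constructed fake target: two name-based vhosts plus a default page (not a real host).
FAKE_SITES = {
    "admin.randomtarget.com": (200, 1843),
    "backup.randomtarget.com": (401, 97),
}
DEFAULT_PAGE = (200, 612)  # the size ffuf would show for every miss


def fake_send(ip: str, host: str) -> Response:
    """Stand-in for http_get against the constructed target."""
    return FAKE_SITES.get(host, DEFAULT_PAGE)


if __name__ == "__main__":
    wordlist = ["www", "admin", "dev", "backup", "staging"]
    found = fuzz_vhosts("192.168.10.10", "randomtarget.com", wordlist, send=fake_send)
    for vhost, (status, length) in found.items():
        print(f"{vhost}\t{status}\t{length}")
```

Comparing (status, length) against a measured baseline is the same decision ffuf makes; the caveat with both is a default page whose size changes per request (timestamps, CSRF tokens), which produces a hit on every word. When that happens, compare word or line counts instead, or allow a small size tolerance.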

Task:

VHost fuzz flag 1 (target IP):

Random note: as you can see I’m on Pwnbox because my Kali VM is AGAIN giving me problems. I am going to finish this module and switch over to Kali 2017 or the new Parrot. Been talking to people ;)

Flag 2:

Flag 3:

Flag 4:

Flag 5 (the subdomain that starts with ‘d’):

Yeah definitely finding kali 2017 or the new parrot OR as John Hammond uses… Ubuntu.

Next section talks about crawling… no questions, I’ve done it before in another module. SKILLZ TYME GUIZ

Skills Assessment:

1: What is the registrar IANA ID number for the githubapp.com domain?

2: What is the last mailserver when querying MX record for githubapp.com?

3: What webserver is ‘https://i.imgur.com’ running?

Perform active subdomain enumeration against the target githubapp.com. Which subdomain has the word ‘elephants’ in the name?

Go through the steps… it’s there!

fastly-elephants.githubapp.com

Easy peasy. Funny how easy this was when your vm isn’t causing problems you don’t feel like spending hours diagnosing…

What will I do next… not sure but I’m probably gonna start it right now (in an hour or so…)

EDIT: Forgot I will do another module when I’ve found Kali 2017 or the new parrot VM OR Ubuntu
