Step 18: Information Gathering — Web Edition
Been a few days folks, apologies. Orientation at the new job, getting more apartment stuff… it finally feels cozy and homely!
Then I’ve also been trying some boxes. I came back to the Academy modules because a box I was trying, which I had SSH to earlier, kept timing out when I came back to it… so here we are. I really want to try to complete a module, then find a box/CTF where I have to use that skill (in addition to previous skills).
So far I’ve been using HTB/Academy but found this video from one of my new favourite YouTube hosts, STÖK. Highly recommend you check his stuff out and branch out from there. I think what I’m likely to do is continue doing HTB:Academy stuff but then branch off. If something in another site is old or ‘easy’ I’ll fly through it no problem. Here we go ladies and gents, strap in! I have a feeling a lot of this will be fairly familiar to me in that I’ve been watching a lot of bug bounty videos before I sleep. Eat, work, hack, work, repeat… right?
REMEMBER: SPOILER WARNING FOR TASKS I AM DOING THIS FOR ME NOT FOR YOU SO YOU HAVE BEEN WARNED
WHOIS
WHOIS is a TCP-based, transaction-oriented query/response protocol that listens on TCP port 43 by default. It is specified in RFC 3912. There are web app front ends, but we will focus on the command line for now.
Below is a snippet of a request:
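As an added example (not the module’s own snippet), here is what that exchange looks like at the protocol level, plus a small parser for the key/value answer. `nc`, the default server and every value in the sample response are assumptions, not data from the module:

```shell
#!/bin/sh
# Added example, not from the HTB module. RFC 3912 is minimal on the wire: the
# client opens TCP 43, sends the query followed by CRLF, and the server writes a
# free-form text answer and closes the connection.

# whois_query DOMAIN [SERVER] -> raw answer. Needs network and nc (assumed);
# whois.iana.org is the default only because it refers you to the right registry.
whois_query() {
  printf '%s\r\n' "$1" | nc "${2:-whois.iana.org}" 43
}

# whois_field FIELD -> value of the first "Field: value" line on stdin.
# Registrar answers are "key: value" lines; '%' and '#' lines are comments.
whois_field() {
  awk -v key="$1" '
    /^[%#]/ { next }
    { i = index($0, ":"); if (i == 0) next
      k = substr($0, 1, i - 1); v = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t\r]+$/, "", v)
      if (tolower(k) == tolower(key)) { print v; exit } }'
}

# Constructed sample in the usual registrar layout; every value here is made up.
SAMPLE='% Constructed sample, not real registration data
Domain Name: EXAMPLE-TARGET.COM
Registrar: Example Registrar, LLC
Registrar IANA ID: 9999
Name Server: NS1.EXAMPLE-TARGET.COM
Name Server: NS2.EXAMPLE-TARGET.COM
DNSSEC: unsigned'

# sample_registrar_id -> the Registrar IANA ID, the field the skills assessment asks for
sample_registrar_id() { printf '%s\n' "$SAMPLE" | whois_field 'Registrar IANA ID'; }

# sample_nameservers -> all Name Server values, lower-cased and de-duplicated
sample_nameservers() {
  printf '%s\n' "$SAMPLE" | awk -F': *' 'tolower($1) == "name server" { print tolower($2) }' | sort -u
}
```

Swap `SAMPLE` for `whois_query some-domain.example` once you are online; the parser does not care where the text came from.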
Task:
DNS
Domain Name System (DNS) is like an index or phone book of the internet. DNS converts domain names to IPs that are actually used.
Nslookup & DIG
With Nslookup, we can search for domain name servers on the Internet and ask them for information about hosts and domains. Although the tool has two modes, interactive and non-interactive, we will mainly focus on the non-interactive mode.
DIG gives us a little more information:
The next several sections are just various syntax examples. For the sake of length, I’m going to leave them out, but they’re there…
Task:
Which IP maps to paydiant.com:
Which subdomain is returned when querying the PTR record for 173.0.87.51?
What is the first mailserver returned when querying the MX records for paypal.com?
And on that note, it’s 22:45 or so here on a Sunday night and I’m up at 7am for work, so I’m going to wind down with some Xenoblade Chronicles 2 (yes I know 3 is out… I’ll get to it. Tbh I wasn’t paying attention to Xenoblade 2 but figured some stuff out and LOVE it now). So 2 and 3 will tide me over until Pokemon comes out in November.
We’re back… a little late 10pm here now the next day. Long day in work and some mobile phone issues to deal with and the girlfriend is under the weather, but we do something every day! Even if it’s not blogged here, I’ve done something daily. Some more than others of course.
Passive Subdomain Enumeration
VirusTotal
VirusTotal maintains a passive DNS dataset: it preserves the DNS resolutions it has observed, so searching a domain there returns subdomains it has seen resolve, without you touching the target.
Project Sonar
Rapid7 project here. It can also be queried with curl commands:
Certificates
Use of SSL/TLS certificates is another interesting method of information gathering. Two main places to use:
To process in json format using curl:
AWildRavenclaw@htb[/htb]$ export TARGET="facebook.com"
AWildRavenclaw@htb[/htb]$ curl -s "https://crt.sh/?q=${TARGET}&output=json" | jq -r '.[] | "\(.name_value)\n\(.common_name)"' | sort -u > "${TARGET}_crt.sh.txt"
Automating Passive Subdomain Enumeration
theHarvester will be used with a specific set of source modules, each writing its results to a JSON file.
Then use the following to extract and sort subdomains found:
cat *.json | jq -r '.hosts[]' 2>/dev/null | cut -d':' -f 1 | sort -u > "${TARGET}_theHarvester.txt"
Then merge:
cat facebook.com_*.txt | sort -u > facebook.com_subdomains_passive.txt
and:
cat facebook.com_subdomains_passive.txt | wc -l
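The merge-and-count step above over-counts if the per-source files are taken as-is. As an added example (not the module’s own commands), the block below normalises wildcard entries, case and out-of-scope names before counting; the target name and both input files are constructed samples, not real tool output:

```shell
#!/bin/sh
# Added example, not part of the module: normalise the per-source lists before
# merging them. crt.sh emits wildcard names (*.facebook.com) and mixed case, and
# theHarvester can return hosts outside the target, so a plain `sort -u | wc -l`
# over-counts.
TARGET="facebook.com"   # target assumed, as in the module's commands

# Constructed samples standing in for facebook.com_crt.sh.txt and
# facebook.com_theHarvester.txt (not real output).
WORK="$(mktemp -d)"
printf '%s\n' '*.facebook.com' 'www.facebook.com' 'WWW.facebook.com' \
  'api.facebook.com' 'facebook.com' > "$WORK/${TARGET}_crt.sh.txt"
printf '%s\n' 'api.facebook.com' 'm.facebook.com' 'facebook.com.evil.example' \
  'cdn.fbcdn.net' > "$WORK/${TARGET}_theHarvester.txt"

# merge_subdomains TARGET FILE... -> one lower-cased, in-scope FQDN per line
merge_subdomains() {
  target="$1"; shift
  esc="$(printf '%s' "$target" | sed 's/\./\\./g')"   # escape dots for grep -E
  cat "$@" \
    | tr 'A-Z' 'a-z' \
    | sed 's/^\*\.//' \
    | grep -E "(^|\.)${esc}\$" \
    | sort -u
}

# count_subdomains TARGET FILE... -> number of distinct in-scope names
count_subdomains() { merge_subdomains "$@" | wc -l | tr -d ' '; }

# Same shape as the module's merge, but over the cleaned lists.
merge_subdomains "$TARGET" "$WORK"/"${TARGET}"_*.txt > "$WORK/${TARGET}_subdomains_passive.txt"
```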
Passive Infrastructure Identification
https://sitereport.netcraft.com lets us gather info without interacting with the target… noiseless recon? Yes please!
Active Infrastructure Identification
Web Servers — HTTP Headers
And some default cookie values often found in HTTP headers:
Wafw00f
Task:
What Apache version is running on app.inlanefreight.local?
Which CMS is used on app.inlanefreight.local? (Format: word)
OR
On which operating system is the dev.inlanefreight.local webserver running? (Format: word)
Visit the domain and use wappalyzer again… or whatweb. Honestly it’s easy.
Active Subdomain Enumeration
ZoneTransfers
https://hackertarget.com/zone-transfer/ thank me later. The section goes on how to do it manually… bleh no thanks. This is like in my teacher training when they make you do lesson powerpoints from scratch to ‘help you be a better teacher’ but it’s bullshit. Use hackertarget and move on with your life.
GoBuster
Subdomain enumeration tool. Its dns mode brute-forces names from a wordlist against a chosen resolver, optionally expanded with a pattern file.
AWildRavenclaw@htb[/htb]$ export TARGET="facebook.com"
AWildRavenclaw@htb[/htb]$ export NS="d.ns.facebook.com"
AWildRavenclaw@htb[/htb]$ export WORDLIST="numbers.txt"
AWildRavenclaw@htb[/htb]$ gobuster dns -q -r "${NS}" -d "${TARGET}" -w "${WORDLIST}" -p ./patterns.txt -o "gobuster_${TARGET}.txt"
Found: lert-api-shv-01-sin6.facebook.com
Found: atlas-pp-shv-01-sin6.facebook.com
Found: atlas-pp-shv-02-sin6.facebook.com
Found: atlas-pp-shv-03-sin6.facebook.com
Found: lert-api-shv-03-sin6.facebook.com
Found: lert-api-shv-02-sin6.facebook.com
Found: lert-api-shv-04-sin6.facebook.com
Found: atlas-pp-shv-04-sin6.facebook.com
Task:
What is FQDN inlanefreight.htb?
Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.
2; name servers is 2… google it.
Find and submit the contents of the TXT record as the answer.
Ok here… you have to do the above command…
My internet is being whacky with images so:
┌──(kali㉿R4v3n)-[~]
└─$ nslookup -query=TXT internal.inlanefreight.htb 10.129.110.175
Server: 10.129.110.175
Address: 10.129.110.175#53

internal.inlanefreight.htb text = "ZONE_TRANSFER{87o2z3cno7zsoiedznxoi82z3o47xzhoi}"
Literally go through the list from the first command above until you get the ‘flag’.
What is the FQDN of this IP 10.10.34.136?
Count all the A records from the zone transfers:
dig @10.129.178.67 NS axfr inlanefreight.htb
;; Warning, extra type option
; <<>> DiG 9.18.1-1-Debian <<>> @10.129.178.67 NS axfr inlanefreight.htb
; (1 server found)
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
admin.inlanefreight.htb. 604800 IN A 10.10.34.2
ftp.admin.inlanefreight.htb. 604800 IN A 10.10.34.2
careers.inlanefreight.htb. 604800 IN A 10.10.34.50
dc1.inlanefreight.htb. 604800 IN A 10.10.34.16
dc2.inlanefreight.htb. 604800 IN A 10.10.34.11
internal.inlanefreight.htb. 604800 IN A 127.0.0.1
admin.internal.inlanefreight.htb. 604800 IN A 10.10.1.11
wsus.internal.inlanefreight.htb. 604800 IN A 10.10.1.240
ir.inlanefreight.htb. 604800 IN A 10.10.45.5
dev.ir.inlanefreight.htb. 604800 IN A 10.10.45.6
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
resources.inlanefreight.htb. 604800 IN A 10.10.34.100
securemessaging.inlanefreight.htb. 604800 IN A 10.10.34.52
test1.inlanefreight.htb. 604800 IN A 10.10.34.101
us.inlanefreight.htb. 604800 IN A 10.10.200.5
cluster14.us.inlanefreight.htb. 604800 IN A 10.10.200.14
messagecenter.us.inlanefreight.htb. 604800 IN A 10.10.200.10
ww02.inlanefreight.htb. 604800 IN A 10.10.34.112
www1.inlanefreight.htb. 604800 IN A 10.10.34.111
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.129.178.67#53(10.129.178.67) (TCP)
;; WHEN: Fri Apr 22 12:04:55 CDT 2022
;; XFR size: 22 records (messages 1, bytes 594)

dig @10.129.178.67 NS axfr internal.inlanefreight.htb
;; Warning, extra type option
; <<>> DiG 9.18.1-1-Debian <<>> @10.129.178.67 NS axfr internal.inlanefreight.htb
; (1 server found)
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN TXT "ZONE_TRANSFER{87o2z3cno7zsoiedznxoi82z3o47xzhoi}"
internal.inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
dev.admin.internal.inlanefreight.htb. 604800 IN A 10.10.1.2
panel.admin.internal.inlanefreight.htb. 604800 IN A 10.10.1.2
printer.admin.internal.inlanefreight.htb. 604800 IN A 10.10.1.3
dc3.internal.inlanefreight.htb. 604800 IN A 10.10.1.5
ns.internal.inlanefreight.htb. 604800 IN A 127.0.0.1
ns2.internal.inlanefreight.htb. 604800 IN A 10.10.34.136
ws1.internal.inlanefreight.htb. 604800 IN A 10.10.2.11
ws2.internal.inlanefreight.htb. 604800 IN A 10.10.3.12
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.129.178.67#53(10.129.178.67) (TCP)
;; WHEN: Fri Apr 22 12:05:07 CDT 2022
;; XFR size: 12 records (messages 1, bytes 435)
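Rather than counting the A records and hunting for an IP by eye, the transfer output can be saved and parsed. As an added example (not the module’s own commands), the block below works over a constructed subset of the internal.inlanefreight.htb dump shown above; the function names are mine:

```shell
#!/bin/sh
# Added example, not part of the module: pull A records out of a saved
# `dig ... axfr` dump instead of counting them by eye. Two names can share one
# address, so "records" and "distinct addresses" are different numbers.

# Constructed sample: a subset of the internal.inlanefreight.htb transfer shown above.
AXFR="$(mktemp)"
cat > "$AXFR" <<'EOF'
; <<>> DiG 9.18.1-1-Debian <<>> @10.129.178.67 NS axfr internal.inlanefreight.htb
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN TXT "ZONE_TRANSFER{87o2z3cno7zsoiedznxoi82z3o47xzhoi}"
internal.inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
dev.admin.internal.inlanefreight.htb. 604800 IN A 10.10.1.2
panel.admin.internal.inlanefreight.htb. 604800 IN A 10.10.1.2
ns2.internal.inlanefreight.htb. 604800 IN A 10.10.34.136
ws1.internal.inlanefreight.htb. 604800 IN A 10.10.2.11
;; Query time: 40 msec
EOF

# axfr_a_records FILE -> "fqdn ip" per A record; comment lines and other types are skipped
axfr_a_records() {
  awk '$1 !~ /^;/ && $3 == "IN" && $4 == "A" { sub(/\.$/, "", $1); print $1, $5 }' "$1"
}

# count_a_records FILE -> number of A records in the transfer
count_a_records() { axfr_a_records "$1" | wc -l | tr -d ' '; }

# count_a_ips FILE -> number of distinct addresses those records point at
count_a_ips() { axfr_a_records "$1" | cut -d' ' -f2 | sort -u | wc -l | tr -d ' '; }

# fqdn_for_ip FILE IP -> every name the zone points at IP (a reverse lookup over the dump)
fqdn_for_ip() { axfr_a_records "$1" | awk -v ip="$2" '$2 == ip { print $1 }'; }

# axfr_txt FILE -> TXT record data with the quotes stripped (single-token TXT values only)
axfr_txt() { awk '$1 !~ /^;/ && $4 == "TXT" { gsub(/"/, ""); print $5 }' "$1"; }
```

Run it against a full `dig @server axfr zone > zone.axfr` capture instead of the sample to answer the record-count and FQDN questions directly.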
… few days later and we’re back. Think it’s been three days. Been engrossed in Xenoblade Chronicles 2 (yes I know 3 is out, I’ll get to it). The new Hogwarts game has been delayed until February so I’m chilling. It’s Sunday midday here and I intend on doing my own thing studying all day so HERE WE GOOOOO…
Virtual Hosts
VHosts allow several websites to be hosted on the same server. You can configure them through IP-based or name-based virtual hosting.
IP-Based
For this type, a host can have multiple network interfaces. Multiple IP addresses, or interface aliases, can be configured on each network interface of a host. The servers or virtual servers running on the host can bind to one or more IP addresses. This means that different servers can be addressed under different IP addresses on this host. From the client’s point of view, the servers are independent of each other.
Name-Based
The distinction for which domain the service was requested is made at the application level. For example, several domain names, such as admin.inlanefreight.htb and backup.inlanefreight.htb, can refer to the same IP. Internally on the server, these are separated and distinguished using different folders. Using this example, on a Linux server, the vHost admin.inlanefreight.htb could point to the folder /var/www/admin. For backup.inlanefreight.htb the folder name would then be adapted and could look something like /var/www/backup.
VHost Fuzzing
ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612
Each wordlist entry is sent as the Host header against the same IP; -fs 612 filters out responses of 612 bytes, the size the server returns for an unknown host (check it first with a made-up name), so only vhosts that serve different content are shown.
Task:
Vhost fuzz flag 1 target ip:
Random note: as you can see I’m on pwnbox because my kali vm AGAIN giving me problems. I am going to finish this module and switch over to kali2017 or the new parrot. Been talking to people ;)
Flag 2:
Flag 3:
Flag 4:
Flag 5 (the subdomain that starts with ‘d’):
Yeah definitely finding kali 2017 or the new parrot OR as John Hammond uses… Ubuntu.
Next section talks about crawling… no questions, I’ve done it before in another module. SKILLZ TYME GUIZ
Skills Assessment:
1: What is the registrar IANA ID number for the githubapp.com domain?
2: What is the last mailserver when querying the MX record for githubapp.com?
3: What webserver is ‘https://i.imgur.com’ running?
Perform active subdomain enumeration against the target githubapp.com. Which subdomain has the word ‘elephants’ in the name?
Go through the steps… it’s there!
fastly-elephants.githubapp.com
Easy peasy. Funny how easy this was when your vm isn’t causing problems you don’t feel like spending hours diagnosing…
What will I do next… not sure but I’m probably gonna start it right now (in an hour or so…)
EDIT: Forgot I will do another module when I’ve found Kali 2017 or the new parrot VM OR Ubuntu