HackTheBox: Information Gathering
Hi guys, today I'm going to show you step by step how to solve the Skills Assessment in the "Information Gathering" module of HackTheBox Academy.
NOTE: All the answers are censored, but the step-by-step instructions and commands are there, so all you have to do is replicate them. However, you must try to understand the logic!
Questions
Before working on the questions, add the target's IPv4 address to the /etc/hosts file, mapped to inlanefreight.htb, so that we can work with the hostname and not just the address.
Q1. What is the IANA ID of the registrar of the inlanefreight.com domain?
We can get the IANA ID with the whois command, filtering for the "Registrar IANA ID" line:
whois inlanefreight.com | grep "IANA ID"
Q2. What http server software is powering the inlanefreight.htb site on the target system? Respond with the name of the software, not the version, e.g., Apache.
For this question we need the name of the software serving the inlanefreight.htb site. We'll use the curl command with the -I flag so that only the headers of the HTTP response are printed; the answer is the value of the Server: header. {PORT} stands for the port given in the assessment, and the hostname resolves thanks to the /etc/hosts entry we added:
curl -I inlanefreight.htb:{PORT}
Keep in mind that the Server header is whatever the server chooses to send: it can be trimmed to the product name, changed, or removed entirely, so treat it as a hint rather than proof.
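To see what `curl -I` gives us in a form we can process, here is an added example (not code from the module or from HackTheBox) that parses the head of a raw HTTP response and reduces the Server header to the product name the question asks for. The response text is constructed for the demo; the server string and date in it are made up.

```python
# Added example (not from the HTB module): parse the head of a raw HTTP
# response, as returned by `curl -I`, and pull the product name out of the
# Server header. SAMPLE_HEAD is constructed for this demo.
from typing import Dict, Optional

SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: nginx/1.18.0 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_head(raw: str) -> Dict[str, str]:
    """Map lower-cased header names to values; stops at the blank line that ends the head."""
    headers: Dict[str, str] = {}
    lines = raw.splitlines()          # accepts CRLF or bare LF line endings
    for line in lines[1:]:            # lines[0] is the status line
        if not line:                  # empty line: end of the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def server_product(raw: str) -> Optional[str]:
    """Software name only (no version), e.g. 'nginx' from 'nginx/1.18.0 (Ubuntu)'.

    Returns None when the header is absent or empty, which is what a server
    that hides its banner looks like.
    """
    server = parse_head(raw).get("server")
    if not server:
        return None
    # Drop the version after '/' and any trailing OS/module details after a space.
    return server.split("/", 1)[0].split()[0]


if __name__ == "__main__":
    print(parse_head(SAMPLE_HEAD))
    print(server_product(SAMPLE_HEAD))
```

Feeding the real output of `curl -I inlanefreight.htb:{PORT}` into `server_product()` gives the answer in the same shape the question wants (name, no version).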
Q3. What is the API key in the hidden admin directory that you have discovered on the target system?
At this stage we widen the scope of the enumeration. We'll use gobuster in vhost mode to discover virtual hosts/subdomains that the same IP serves under different Host headers. The wordlist is subdomains-top1million-110000.txt from SecLists, available at this link: wordlist
gobuster vhost -u http://inlanefreight.htb:{PORT} -w subdomains-top1million-110000.txt --append-domain
The --append-domain flag makes gobuster send each word as word.inlanefreight.htb in the Host header; recent gobuster versions send only the bare word without it.
When the scan finishes, the output (censored here) shows one new virtual host:
webXXXX.inlanefreight.htb:{PORT}
Let's add the new subdomain to the /etc/hosts file, pointing at the same IP, so we can keep working with names instead of numbers.
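The part worth understanding here is what gobuster actually does in vhost mode, so that the method does not depend on one tool. The added example below (my own code, not gobuster's and not from the module) sends every candidate to the same address with a different Host header and reports the ones whose response differs from a baseline taken with a host that certainly does not exist. The "target" is a constructed stand-in; the vhost name `staging.inlanefreight.htb` and the response sizes in it are hypothetical. `real_fetch()` shows the same request over the network with urllib.

```python
# Added example (not gobuster's code): the logic behind virtual-host fuzzing.
# Every candidate goes to the same IP:port with a different Host header; a
# candidate "hits" when its response differs from the baseline produced by a
# random, certainly-nonexistent host. fake_fetch() is a constructed target.
import functools
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, int]           # (status code, body length)
Fetcher = Callable[[str], Response]  # takes the Host header value to send


def fake_fetch(host: str) -> Response:
    """Constructed stand-in: one hidden vhost (hypothetical), a catch-all default otherwise."""
    known: Dict[str, Response] = {"staging.inlanefreight.htb": (200, 4211)}
    return known.get(host, (200, 612))  # the default site answers every other Host


def real_fetch(url: str, host: str) -> Response:
    """Request `url` with an explicit Host header, which is what gobuster vhost does."""
    req = urllib.request.Request(url, headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as e:   # 4xx/5xx are still useful signals
        return e.code, len(e.read())


def fuzz_vhosts(words: List[str], domain: str, fetch: Fetcher) -> List[str]:
    """Return candidate vhosts whose (status, size) differs from the catch-all baseline."""
    # Baseline: a random label nobody configured, so we learn what "no such vhost" looks like.
    baseline = fetch(f"{secrets.token_hex(6)}.{domain}")
    hits: List[str] = []
    for word in words:
        host = f"{word}.{domain}"        # the equivalent of --append-domain
        if fetch(host) != baseline:
            hits.append(host)
    return hits


if __name__ == "__main__":
    wordlist = ["www", "mail", "staging", "dev"]   # constructed slice of a wordlist
    print(fuzz_vhosts(wordlist, "inlanefreight.htb", fake_fetch))
    # Against a live target you would pass the URL in with functools.partial:
    # fuzz_vhosts(wordlist, "inlanefreight.htb",
    #             functools.partial(real_fetch, "http://inlanefreight.htb:{PORT}"))
```

Comparing against a baseline is also why a site that embeds something random in every response (a CSRF token, a timestamp) produces false positives with size-based matching; in that situation you filter on status code or on a stable marker in the body instead.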
Now that we have a new subdomain, let's interact with it in search of more information. The question asks for a hidden admin directory, so a good first stop is the robots.txt file, which lists the paths the site asks crawlers not to index. A Disallow entry is only a request to well-behaved crawlers, not an access control, so anything listed there is still reachable and worth visiting. We'll use the curl command with the -i flag to get both the headers and the body of the HTTP response:
curl -i webXXXX.inlanefreight.htb:{PORT}/robots.txt
In the body of the curl output we can see that the /admin_XXXXX directory is marked Disallow. Let's request that directory to check whether it is what we are looking for, again using curl with the -i flag:
curl -i webXXXX.inlanefreight.htb:{PORT}/admin_XXXXX/
The body of the HTTP response contains the API key requested in the question.
NOTE: The next questions can be solved together.
Q4. After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
Q5. What is the API key the inlanefreight.htb developers will be changing to?
Let's run the vhost fuzzing again, this time against the subdomain we just found, using the same wordlist:
gobuster vhost -u http://webXXXX.inlanefreight.htb:{PORT} -w subdomains-top1million-110000.txt --append-domain
Analyzing the result, we discover a further subdomain:
XXX.webXXXX.inlanefreight.htb:{PORT}
Again, let's add this new subdomain to the /etc/hosts file so we can work with the name and not the number.
We'll be using a recon tool recommended by HackTheBox itself, which can be found at the following link: ReconSpider
To be able to use the tool, you need to follow these steps:
1. pip3 install scrapy
2. wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
3. unzip ReconSpider.zip
We use the tool to crawl the subdomain we found; ReconSpider writes its findings to a results.json file:
python3 ReconSpider.py http://XXX.webXXXX.inlanefreight.htb:{PORT}
The results.json file contains a lot of information, but we're only looking for two entries, the email address and the developer comment:
{
  "emails": [
    "XXXXtesting@inlanefreight.htb"
  ],
  ...
  ...
  "comments": [
    "<!-- Remember to change the API key to XXXXXXXXXXXXXXXXXXXXX... -->"
  ]
}
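To show what produced those two entries, here is an added example (my own code, not ReconSpider's and not from the module) of the core of a crawler's per-page work: it pulls HTML comments and e-mail addresses out of a page and collects same-site links to visit next. The HTML page, the addresses and the comment text in it are constructed for the demo.

```python
# Added example (not ReconSpider's code): one step of a recon crawl. Scan a
# page for e-mail addresses and HTML comments (the two results.json entries
# above) and collect same-site links to crawl next. SAMPLE_HTML is constructed.
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

SAMPLE_HTML = """<html><body>
<!-- TODO: rotate the key to EXAMPLE-KEY-NOT-REAL before release -->
<a href="/contact">Contact</a> <a href="http://other.htb/x">external</a>
<a href="mailto:support@example.htb">Support</a>
<p>Reach the team at devteam@example.htb or via the form.</p>
</body></html>"""


class ReconParser(HTMLParser):
    """Collects comments, link targets and visible text from one page."""

    def __init__(self, base_url: str) -> None:
        super().__init__()
        self.base = base_url
        self.comments: List[str] = []
        self.links: List[str] = []
        self.mailto: List[str] = []
        self.text: List[str] = []

    def handle_comment(self, data: str) -> None:
        self.comments.append(f"<!--{data}-->")   # keep the delimiters like ReconSpider's output

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        if href.lower().startswith("mailto:"):
            self.mailto.append(href[7:].split("?", 1)[0])
            return
        url = urljoin(self.base, href)
        # Stay on the host we were pointed at; external links are noise for this task.
        if href and urlparse(url).netloc == urlparse(self.base).netloc:
            self.links.append(url)

    def handle_data(self, data: str) -> None:
        self.text.append(data)


def recon(base_url: str, html: str) -> Dict[str, List[str]]:
    """Emails (from text, comments and mailto links), comments and same-site links."""
    p = ReconParser(base_url)
    p.feed(html)
    haystack = "".join(p.text) + " " + " ".join(p.comments)
    emails = sorted(set(EMAIL_RE.findall(haystack)) | set(p.mailto))
    return {"emails": emails, "comments": p.comments, "links": p.links}


if __name__ == "__main__":
    import json
    print(json.dumps(recon("http://XXX.webXXXX.inlanefreight.htb:8080/", SAMPLE_HTML), indent=2))
```

A full crawl is this function in a loop: fetch each URL in `links` that has not been seen yet, run `recon()` on it, and merge the results; that loop plus the fetch is essentially what the ReconSpider run above did for us.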
Final
This is how HackTheBox has taught us to solve these questions. However, the important thing is to understand what is being done so as not to depend on particular tools or methods.
Thanks, and see you in the next article!