Skills Assessment
Final labs in the module "Information Gathering - Web Edition"
What is the IANA ID of the registrar of the inlanefreight.com domain?
We use whois:
┌──(hungnt㉿kali)-[~]
└─$ whois inlanefreight.com
Domain Name: INLANEFREIGHT.COM
Registry Domain ID: 2420436757_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.amazon
Registrar URL: http://registrar.amazon.com
Updated Date: 2025-07-01T22:45:43Z
Creation Date: 2019-08-05T22:43:09Z
Registry Expiry Date: 2026-08-05T22:43:09Z
Registrar: Amazon Registrar, Inc.
Registrar IANA ID: 468
Registrar Abuse Contact Email: trustandsafety@support.aws.com
Registrar Abuse Contact Phone: +1.2024422253
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS-1303.AWSDNS-34.ORG
Name Server: NS-1580.AWSDNS-05.CO.UK
Name Server: NS-161.AWSDNS-20.COM
Name Server: NS-671.AWSDNS-19.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
Add the required vHosts to /etc/hosts:
94.237.122.241 inlanefreight.htb
What http server software is powering the inlanefreight.htb site on the target system? Respond with the name of the software, not the version, e.g., Apache.
We can use curl -I to fetch only the headers:
┌──(hungnt㉿kali)-[~]
└─$ curl -I http://inlanefreight.htb:53401/
HTTP/1.1 200 OK
Server: nginx/1.26.1
Date: Tue, 30 Sep 2025 15:37:53 GMT
Content-Type: text/html
Content-Length: 120
Last-Modified: Thu, 01 Aug 2024 09:35:23 GMT
Connection: keep-alive
ETag: "66ab56db-78"
What is the API key in the hidden admin directory that you have discovered on the target system?
Subdomain Enumeration
We scan for subdomains because the current domain does not appear to contain any information.
┌──(hungnt㉿kali)-[~]
└─$ gobuster vhost -u http://inlanefreight.htb:53401/ -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain -t 100
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://inlanefreight.htb:53401/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
[+] Append Domain: true
[+] Exclude Hostname Length: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
#www.inlanefreight.htb:53401 Status: 400 [Size: 157]
#mail.inlanefreight.htb:53401 Status: 400 [Size: 157]
#smtp.inlanefreight.htb:53401 Status: 400 [Size: 157]
#pop3.inlanefreight.htb:53401 Status: 400 [Size: 157]
web1337.inlanefreight.htb:53401 Status: 200 [Size: 104]
Progress: 110203 / 114442 (96.30%)[ERROR] error on word siteweb: timeout occurred during the request
Progress: 114442 / 114442 (100.00%)
===============================================================
Finished
===============================================================
We discover another domain, web1337.inlanefreight.htb, and then add it to /etc/hosts as well:
94.237.122.241 inlanefreight.htb web1337.inlanefreight.htb
Directory Enumeration
After scanning the directories of the subdomains found so far, we see that the web1337.inlanefreight.htb subdomain contains a robots.txt file:
┌──(hungnt㉿kali)-[~]
└─$ gobuster dir -u http://inlanefreight.htb:53401/ -w /usr/share/wordlists/dirb/big.txt -t 100
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://inlanefreight.htb:53401/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
Progress: 20469 / 20469 (100.00%)
===============================================================
Finished
===============================================================
┌──(hungnt㉿kali)-[~]
└─$ gobuster dir -u http://web1337.inlanefreight.htb:53401/ -w /usr/share/wordlists/dirb/big.txt -t 100
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://web1337.inlanefreight.htb:53401/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/robots.txt (Status: 200) [Size: 99]
Progress: 20469 / 20469 (100.00%)
===============================================================
Finished
===============================================================
/robots.txt

We discover a hidden directory meant for the admin.
API Key
The API key we are looking for is stored here.
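The finding above shows that a Disallow entry publishes a path rather than protecting it. The following is an added example, not part of the original writeup: a small audit a site owner can run on their own robots.txt to list Disallow entries that advertise sensitive locations. The sample file, its paths and the keyword list are constructed assumptions, since the lab's robots.txt is not reproduced on this page.

```python
import re

# Constructed sample: the page does not show the lab's robots.txt contents.
SAMPLE_ROBOTS = """\
User-agent: *
Allow: /index.html
Disallow: /admin_h1dd3n_example/   # constructed path
Disallow: /images/

User-agent: examplebot
Disallow: /backup-old/
"""

# Assumed keyword list for paths that should sit behind authentication.
SENSITIVE = re.compile(r"admin|backup|private|secret|internal|config|\.git|staging", re.I)

def parse_robots(text):
    """Return a list of (user_agent, directive, path) tuples."""
    rules, agents, in_rules = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                           # previous group ended
                agents, in_rules = [], False
            agents.append(value)
        elif field in ("allow", "disallow"):
            in_rules = True
            for agent in agents or ["*"]:
                rules.append((agent, field, value))
    return rules

def audit(text):
    """Disallow paths whose names disclose a sensitive location to any reader."""
    hits = {path for _, directive, path in parse_robots(text)
            if directive == "disallow" and path and SENSITIVE.search(path)}
    return sorted(hits)

if __name__ == "__main__":
    for path in audit(SAMPLE_ROBOTS):
        print(f"robots.txt discloses {path}: enforce authentication, Disallow is not access control")
```

Every path this reports should return 401/403 to an unauthenticated request; if it does not, fix the access control rather than the robots.txt entry.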

After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
None of the pages we have found so far contains a link to any other page, so crawling them yields nothing.



Nested Subdomain Enumeration
So we will try scanning for subdomains of the web1337.inlanefreight.htb subdomain:
┌──(hungnt㉿kali)-[~/Tools]
└─$ gobuster vhost -u http://web1337.inlanefreight.htb:43948/ -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain -t 100
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://web1337.inlanefreight.htb:43948/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
[+] Append Domain: true
[+] Exclude Hostname Length: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
dev.web1337.inlanefreight.htb:43948 Status: 200 [Size: 123]
#www.web1337.inlanefreight.htb:43948 Status: 400 [Size: 157]
#mail.web1337.inlanefreight.htb:43948 Status: 400 [Size: 157]
Progress: 19966 / 19966 (100.00%)
===============================================================
Finished
===============================================================
And this time we discover one more subdomain, dev.web1337.inlanefreight.htb.
Crawling

After using ReconSpider to crawl this site, we find emails and a new API key.
Email Address & New API Key
┌──(hungnt㉿kali)-[~/Tools]
└─$ py ReconSpider.py http://dev.web1337.inlanefreight.htb:43948
...
┌──(hungnt㉿kali)-[~/Tools]
└─$ cat results.json
{
"emails": [
"1337testing@inlanefreight.htb"
],
"links": [
"http://dev.web1337.inlanefreight.htb:43948/index-734.html",
"http://dev.web1337.inlanefreight.htb:43948/index-364.html",
"http://dev.web1337.inlanefreight.htb:43948/index-643.html",
"http://dev.web1337.inlanefreight.htb:43948/index-403.html",
"http://dev.web1337.inlanefreight.htb:43948/index-385.html",
"http://dev.web1337.inlanefreight.htb:43948/index-989.html",
"http://dev.web1337.inlanefreight.htb:43948/index-615.html",
"http://dev.web1337.inlanefreight.htb:43948/index-189.html",
"http://dev.web1337.inlanefreight.htb:43948/index-737.html",
"http://dev.web1337.inlanefreight.htb:43948/index-202.html",
"http://dev.web1337.inlanefreight.htb:43948/index-244.html",
"http://dev.web1337.inlanefreight.htb:43948/index-302.html",
"http://dev.web1337.inlanefreight.htb:43948/index-553.html",
"http://dev.web1337.inlanefreight.htb:43948/index-342.html",
"http://dev.web1337.inlanefreight.htb:43948/index-350.html",
"http://dev.web1337.inlanefreight.htb:43948/index-105.html",
"http://dev.web1337.inlanefreight.htb:43948/index-326.html",
"http://dev.web1337.inlanefreight.htb:43948/index-248.html",
"http://dev.web1337.inlanefreight.htb:43948/index-895.html",
"http://dev.web1337.inlanefreight.htb:43948/index-789.html",
"http://dev.web1337.inlanefreight.htb:43948/index-733.html",
"http://dev.web1337.inlanefreight.htb:43948/index-80.html",
"http://dev.web1337.inlanefreight.htb:43948/index-329.html",
"http://dev.web1337.inlanefreight.htb:43948/index-203.html",
"http://dev.web1337.inlanefreight.htb:43948/index-785.html",
"http://dev.web1337.inlanefreight.htb:43948/index-918.html",
"http://dev.web1337.inlanefreight.htb:43948/index-944.html",
"http://dev.web1337.inlanefreight.htb:43948/index-755.html",
"http://dev.web1337.inlanefreight.htb:43948/index-513.html",
"http://dev.web1337.inlanefreight.htb:43948/index-798.html",
"http://dev.web1337.inlanefreight.htb:43948/index-988.html",
"http://dev.web1337.inlanefreight.htb:43948/index-626.html",
"http://dev.web1337.inlanefreight.htb:43948/index-24.html",
"http://dev.web1337.inlanefreight.htb:43948/index-431.html",
"http://dev.web1337.inlanefreight.htb:43948/index-799.html",
"http://dev.web1337.inlanefreight.htb:43948/index-204.html",
"http://dev.web1337.inlanefreight.htb:43948/index-795.html",
"http://dev.web1337.inlanefreight.htb:43948/index-714.html",
"http://dev.web1337.inlanefreight.htb:43948/index-817.html",
"http://dev.web1337.inlanefreight.htb:43948/index-947.html",
"http://dev.web1337.inlanefreight.htb:43948/index-334.html",
"http://dev.web1337.inlanefreight.htb:43948/index-254.html",
"http://dev.web1337.inlanefreight.htb:43948/index-531.html",
"http://dev.web1337.inlanefreight.htb:43948/index-459.html",
"http://dev.web1337.inlanefreight.htb:43948/index-226.html",
"http://dev.web1337.inlanefreight.htb:43948/index-561.html",
"http://dev.web1337.inlanefreight.htb:43948/index-77.html",
"http://dev.web1337.inlanefreight.htb:43948/index-964.html",
"http://dev.web1337.inlanefreight.htb:43948/index-581.html",
"http://dev.web1337.inlanefreight.htb:43948/index-748.html",
"http://dev.web1337.inlanefreight.htb:43948/index-166.html",
"http://dev.web1337.inlanefreight.htb:43948/index-888.html",
"http://dev.web1337.inlanefreight.htb:43948/index-379.html",
"http://dev.web1337.inlanefreight.htb:43948/index-525.html",
"http://dev.web1337.inlanefreight.htb:43948/index-577.html",
"http://dev.web1337.inlanefreight.htb:43948/index-815.html",
"http://dev.web1337.inlanefreight.htb:43948/index-458.html",
"http://dev.web1337.inlanefreight.htb:43948/index-247.html",
"http://dev.web1337.inlanefreight.htb:43948/index-220.html",
"http://dev.web1337.inlanefreight.htb:43948/index-635.html",
"http://dev.web1337.inlanefreight.htb:43948/index-948.html",
"http://dev.web1337.inlanefreight.htb:43948/index-977.html",
"http://dev.web1337.inlanefreight.htb:43948/index-760.html",
"http://dev.web1337.inlanefreight.htb:43948/index-909.html",
"http://dev.web1337.inlanefreight.htb:43948/index-660.html",
"http://dev.web1337.inlanefreight.htb:43948/index-567.html",
"http://dev.web1337.inlanefreight.htb:43948/index-465.html",
"http://dev.web1337.inlanefreight.htb:43948/index-165.html",
"http://dev.web1337.inlanefreight.htb:43948/index-933.html",
"http://dev.web1337.inlanefreight.htb:43948/index-555.html",
"http://dev.web1337.inlanefreight.htb:43948/index-687.html",
"http://dev.web1337.inlanefreight.htb:43948/index-472.html",
"http://dev.web1337.inlanefreight.htb:43948/index-332.html",
"http://dev.web1337.inlanefreight.htb:43948/index-862.html",
"http://dev.web1337.inlanefreight.htb:43948/index-408.html",
"http://dev.web1337.inlanefreight.htb:43948/index-300.html",
"http://dev.web1337.inlanefreight.htb:43948/index-1000.html",
"http://dev.web1337.inlanefreight.htb:43948/index-384.html",
"http://dev.web1337.inlanefreight.htb:43948/index-574.html",
"http://dev.web1337.inlanefreight.htb:43948/index-631.html",
"http://dev.web1337.inlanefreight.htb:43948/index-769.html",
"http://dev.web1337.inlanefreight.htb:43948/index-949.html",
"http://dev.web1337.inlanefreight.htb:43948/index-641.html",
"http://dev.web1337.inlanefreight.htb:43948/index-114.html",
"http://dev.web1337.inlanefreight.htb:43948/index-134.html",
"http://dev.web1337.inlanefreight.htb:43948/index-224.html",
"http://dev.web1337.inlanefreight.htb:43948/index-463.html",
"http://dev.web1337.inlanefreight.htb:43948/index-925.html",
"http://dev.web1337.inlanefreight.htb:43948/index-585.html",
"http://dev.web1337.inlanefreight.htb:43948/index-292.html",
"http://dev.web1337.inlanefreight.htb:43948/index-335.html",
"http://dev.web1337.inlanefreight.htb:43948/index-291.html",
"http://dev.web1337.inlanefreight.htb:43948/index-939.html",
"http://dev.web1337.inlanefreight.htb:43948/index-437.html",
"http://dev.web1337.inlanefreight.htb:43948/index-807.html",
"http://dev.web1337.inlanefreight.htb:43948/index-938.html",
"http://dev.web1337.inlanefreight.htb:43948/index-727.html",
"http://dev.web1337.inlanefreight.htb:43948/index-504.html",
"http://dev.web1337.inlanefreight.htb:43948/index-728.html"
],
"external_files": [],
"js_files": [],
"form_fields": [],
"images": [],
"videos": [],
"audio": [],
"comments": [
"<!-- Remember to change the API key to ba988b835be4aa97d068941dc852ff33 -->"
]
}
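The API key above reached the crawler through an HTML comment left in a served page. The following is an added example, not part of the original writeup or of ReconSpider: a check that reads a results.json of the shape shown above and flags comments that look like they carry secrets, suitable for running against your own staging site before release. The sample data, the made-up key and the detection patterns are constructed assumptions.

```python
import json
import re

# Constructed sample in the shape of the results.json above; all values are made up.
SAMPLE_RESULTS = json.dumps({
    "emails": ["dev-contact@example.test"],
    "links": ["http://dev.example.test/index-1.html"],
    "comments": [
        "<!-- navigation starts here -->",
        "<!-- Remember to change the API key to 0123456789abcdef0123456789abcdef -->",
        "<!-- TODO: db password = hunter2-example -->",
    ],
})

# Assumed heuristics: long hex tokens and credential-related keywords.
TOKEN = re.compile(r"\b[0-9a-fA-F]{32,}\b")
KEYWORD = re.compile(r"api[ _-]?key|passw(or)?d|secret|token|credential", re.I)

def redact(text):
    """Mask token bodies so the report does not re-leak the secret."""
    return TOKEN.sub(lambda m: f"{m.group()[:4]}...[{len(m.group())} chars]", text)

def scan_comments(results_json):
    """Return one finding per HTML comment that looks like it carries a secret."""
    data = json.loads(results_json)
    findings = []
    for comment in data.get("comments", []):
        reasons = []
        if TOKEN.search(comment):
            reasons.append("long hex token")
        if KEYWORD.search(comment):
            reasons.append("credential keyword")
        if reasons:
            findings.append({"reasons": reasons, "comment": redact(comment)})
    return findings

if __name__ == "__main__":
    results = scan_comments(SAMPLE_RESULTS)
    for finding in results:
        print(", ".join(finding["reasons"]), "->", finding["comment"])
    # Non-zero exit lets a CI job block the release when anything is flagged.
    raise SystemExit(1 if results else 0)
```

Any key that has appeared in a served comment should be rotated, not just removed from the page.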