HackTheBox: Information Gathering


pad1ryoshi

Hi guys, today I’m going to show you step by step how to solve the Skills Assessment in the “Information Gathering” module of HackTheBox Academy.

NOTE: All the questions will be censored, but the step-by-step instructions and commands are there, so all you have to do is replicate them. However, you must try to understand the logic!

To solve the questions, you first need to add the target's IPv4 address to the /etc/hosts file, so that we can work with the hostname and not just the address.

Q1. What is the IANA ID of the registrar of the inlanefreight.com domain?

We can get the IANA ID using the whois command:

whois inlanefreight.com | grep "IANA ID"

Q2. What http server software is powering the inlanefreight.htb site on the target system? Respond with the name of the software, not the version, e.g., Apache.

For this question we need the name of the web server software used by the inlanefreight.htb site. We'll use the curl command with the -I flag so that only the HTTP response headers are printed; the answer is in the Server: header:

curl -I inlanefreight.htb:{PORT}

Q3. What is the API key in the hidden admin directory that you have discovered on the target system?

At this stage we should widen the scope of our exploration. To do this, we’ll use the “gobuster” tool to search for vhosts/subdomains.

The wordlist we’ll use is subdomains-top1million-110000.txt, available at this link: wordlist

gobuster vhost -u http://inlanefreight.htb:{PORT} -w subdomains-top1million-110000.txt --append-domain

When the tool finishes, its output returns a new vhost to explore:

webXXXX.inlanefreight.htb:{PORT}

Let’s add the new subdomain to the /etc/hosts file, so we can work with names instead of numbers.

Now that we've discovered the new subdomain, let’s start interacting with it in search of more information. The question asks for a hidden admin directory, so a good first stop is the robots.txt file, which may reveal directories the site asks crawlers not to index. We'll use the curl command with the -i flag to get both the headers and the body of the HTTP response:

curl -i webXXXX.inlanefreight.htb:{PORT}/robots.txt

Looking at the body of the curl output, we can see that the /admin_XXXXX directory is listed under Disallow. Let's interact with this directory to check whether it is really what we are looking for, again using curl with the -i flag:

curl -i webXXXX.inlanefreight.htb:{PORT}/admin_XXXXX/

By analyzing the body of the HTTP response, we find the API key requested in the question.
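The two curl steps above (reading the Server: header from `curl -I`, and reading the Disallow entries out of a robots.txt body from `curl -i`) are easy to do by eye, but the same logic is worth having as code when you review many hosts. The following is an added example, not code from the article or from HackTheBox: it parses a raw HTTP/1.1 response, extracts the product name from the Server header without its version, and lists the paths a robots.txt asks crawlers to avoid. The two sample responses are constructed for the example and are not the lab's real output.

```python
import re

# Constructed sample responses standing in for what `curl -I` and `curl -i`
# return from the target; they are not output from the HTB lab.
SAMPLE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

SAMPLE_ROBOTS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.18.0\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "User-agent: *\r\n"
    "Disallow: /admin_EXAMPLE/\r\n"   # placeholder path, constructed for the example
    "Disallow: /backup/\r\n"
    "Allow: /public/\r\n"
)


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, headers_dict, body).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def server_software(raw):
    """Return the product name from the Server header, minus version and OS details.

    "Apache/2.4.41 (Ubuntu)" -> "Apache", "nginx/1.18.0" -> "nginx",
    None when the server sends no Server header at all.
    """
    _, headers, _ = split_response(raw)
    server = headers.get("server")
    if not server:
        return None
    return re.split(r"[/ ]", server, maxsplit=1)[0]


def robots_disallowed(raw):
    """Return the paths listed under Disallow in a robots.txt response body."""
    _, _, body = split_response(raw)
    paths = []
    for line in body.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    print(server_software(SAMPLE_HEAD))        # Apache
    print(robots_disallowed(SAMPLE_ROBOTS))    # ['/admin_EXAMPLE/', '/backup/']
```

Note that robots.txt is advisory: a Disallow line only asks well-behaved crawlers to stay away, which is exactly why it should never be used to hide an administrative interface.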

NOTE: The next questions can be solved together.

Q4. After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.

Q5. What is the API key the inlanefreight.htb developers will be changing to?

Let’s do the fuzzing process again in search of new vhosts/subdomains, using the same wordlist:

gobuster vhost -u http://webXXXX.inlanefreight.htb:{PORT} -w subdomains-top1million-110000.txt --append-domain

When analyzing the result, we discover a new subdomain:

XXX.webXXXX.inlanefreight.htb:{PORT}

Again, let’s add this new subdomain to the /etc/hosts file, so we can work with the name and not the number.
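Adding the target address and each newly found vhost to /etc/hosts comes up three times in this walkthrough (the initial domain, webXXXX, and XXX.webXXXX). Below is an added example, not code from the article or from HackTheBox, of doing that edit safely: it works on the file's text, keeps the mapping idempotent, appends a new name to an existing line for the same address instead of duplicating it, and refuses to add a name that already points at a different address, which is the usual cause of confusing results when a lab IP changes. The sample hosts content and the 10.10.10.x addresses are constructed for the example.

```python
# Constructed sample /etc/hosts content used as input; not the lab's real file.
SAMPLE_HOSTS = (
    "127.0.0.1 localhost\n"
    "::1 localhost ip6-localhost\n"
    "10.10.10.10 inlanefreight.htb  # lab target (assumed address)\n"
)


def _fields(line):
    """Whitespace-separated fields of a hosts line with any trailing comment removed."""
    return line.split("#", 1)[0].split()


def resolve(hosts_text, hostname):
    """Return the address the hosts text currently maps hostname to, or None."""
    for line in hosts_text.splitlines():
        fields = _fields(line)
        if len(fields) > 1 and hostname in fields[1:]:
            return fields[0]
    return None


def add_host_entry(hosts_text, ip, hostname):
    """Return hosts_text with hostname mapped to ip.

    Unchanged if the mapping already exists; appended to the existing line for
    ip when there is one (keeping that line's comment); otherwise a new line is
    added. A hostname already mapped to a different address raises ValueError
    rather than silently leaving two conflicting entries in the file.
    """
    current = resolve(hosts_text, hostname)
    if current == ip:
        return hosts_text
    if current is not None:
        raise ValueError(f"{hostname} already maps to {current}, not {ip}")

    out = []
    done = False
    for line in hosts_text.splitlines():
        fields = _fields(line)
        if not done and fields and fields[0] == ip:
            body, sep, comment = line.partition("#")
            line = f"{body.rstrip()} {hostname}"
            if sep:
                line = f"{line}  #{comment}"
            done = True
        out.append(line)
    if not done:
        out.append(f"{ip} {hostname}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Real use would read /etc/hosts, call add_host_entry, and write it back as root.
    print(add_host_entry(SAMPLE_HOSTS, "10.10.10.10", "webEXAMPLE.inlanefreight.htb"), end="")
```

Writing the result back to /etc/hosts needs root; reading, editing and writing the whole text in one step (rather than `echo ... >> /etc/hosts`) is what makes the idempotency and conflict checks possible.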

We’ll be using a recon tool recommended by HackTheBox itself, which can be found at the following link: ReconSpider

To be able to use the tool, you need to follow these steps:

1. pip3 install scrapy
2. wget -O ReconSpider.zip https://academy.hackthebox.com/storage/modules/144/ReconSpider.v1.2.zip
3. unzip ReconSpider.zip

We will use the tool to crawl the subdomain we have found. ReconSpider writes its findings to a results.json file:

python3 ReconSpider.py http://XXX.webXXXX.inlanefreight.htb:{PORT}

The results.json file gives us a lot of information, but we're only looking for two items:

{
    "emails": [
        "XXXXtesting@inlanefreight.htb"
    ]
    ...
    ...

    "comments": [
        "<!-- Remember to change the API key to XXXXXXXXXXXXXXXXXXXXX... -->"
    ]
}
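Reading the two answers out of results.json by hand is fine for one assessment, but the useful habit is to triage the whole crawl output automatically: which addresses leaked, and which HTML comments look like they carry a credential. The following is an added example, not code from the article or from ReconSpider: it loads a results.json-shaped document, merges the crawler's "emails" list with any addresses hidden inside comments, and flags comments that mention a credential-like term. The sample document and the EXAMPLEKEY value are constructed for the example.

```python
import json
import re

# Constructed stand-in for a ReconSpider results.json; not the lab's real output.
SAMPLE_RESULTS = json.dumps({
    "emails": ["example-testing@inlanefreight.htb", "contact@example.htb"],
    "links_found": ["http://example.htb/index.html"],
    "comments": [
        "<!-- Remember to change the API key to EXAMPLEKEY0123456789 -->",
        "<!-- TODO: refresh the footer -->",
        "<!-- contact dev-team@example.htb for access -->",
    ],
})

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Terms that usually accompany a leaked credential in developer comments.
SECRET_HINT_RE = re.compile(r"\b(api[ _-]?key|token|password|secret)\b", re.IGNORECASE)


def load_results(text):
    """Parse results.json text; the keys we care about default to empty lists."""
    data = json.loads(text)
    return {
        "emails": data.get("emails", []),
        "comments": data.get("comments", []),
    }


def collect_emails(results):
    """Emails reported by the crawler plus any found inside HTML comments, deduplicated."""
    found = list(results["emails"])
    for comment in results["comments"]:
        for match in EMAIL_RE.findall(comment):
            if match not in found:
                found.append(match)
    return found


def suspicious_comments(results):
    """Comments that mention a credential-like term, so a reviewer can triage them."""
    return [c for c in results["comments"] if SECRET_HINT_RE.search(c)]


def report(text):
    """Summary of what a crawl exposed: addresses and comments worth a closer look."""
    results = load_results(text)
    return {
        "emails": collect_emails(results),
        "suspicious_comments": suspicious_comments(results),
    }


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_RESULTS), indent=2))
```

The same script run against your own site's crawl output is a cheap check that no developer note with a key or password has shipped to production inside an HTML comment.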

This is how HackTheBox has taught us to solve these challenges. However, the important thing is to understand what is being done, so as not to depend on specific tools or methods.

Thanks, and see you in the next article!
