# \[Day 3] OSINT

Today I am reviewing OSINT techniques used for enumerating a website. Here is a recap of the day:

* What is OSINT, and what techniques can extract useful information against a website or target?
* Using dorks to find specific information on the Google search engine
* Extracting hidden directories through the Robots.txt file
* Domain owner information through WHOIS lookup
* Searching data from hacked databases
* Acquiring sensitive information from publicly available GitHub repositories

One powerful tool I have been learning about is Google Dorking, and how much exposed data can be found using nothing more than a search engine's index. Here is a great example of Google Dorking to find files in open directories.

`intext:"chernobyl" intitle:"index.of" (wmv|mpg|avi|mp4|mkv|mov) -inurl:(jsp|pl|php|html|aspx|htm|cf|shtml)`

I want to break this down a bit.

* `intext:"chernobyl"`: the word must appear in the body text of the page.
* `intitle:"index.of"`: the page title must contain "index of", the title web servers give to automatically generated directory listings (the `.` stands in for any separator character).
* `(wmv|mpg|avi|mp4|mkv|mov)`: the page must contain at least one of these video file extensions, so the listing holds the formats we are looking for.
* `-inurl:(jsp|pl|php|html|aspx|htm|cf|shtml)`: the leading `-` excludes any result whose URL contains one of these extensions, filtering out ordinary dynamic and HTML pages so that mostly bare directory listings remain.
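To make those operator semantics concrete, here is an added example of my own (not from the original post or from TryHackMe) that parses a dork into clauses and evaluates it against a constructed page record, the way a site owner might check whether one of their own pages would surface for a given query. It assumes a simplified model of Google's matching: punctuation acts as a word separator and terms match whole words only.

```python
import re
from dataclasses import dataclass

@dataclass
class Page:
    url: str    # the three fields a search index exposes to dork operators
    title: str
    text: str

# One token: optional '-' (exclude), optional operator, then a quoted phrase,
# a parenthesised (a|b|c) group, or a bare word.
_TOKEN = re.compile(
    r'(-?)(?:(intext|intitle|inurl):)?(?:"([^"]*)"|\(([^)]*)\)|(\S+))')

def _norm(s):
    # Google treats punctuation as a separator, so "index.of" matches
    # "Index of": fold to lowercase words padded with single spaces.
    return ' ' + re.sub(r'[^a-z0-9]+', ' ', s.lower()).strip() + ' '

def parse_dork(dork):
    """Return one (excluded, field, alternatives) clause per token."""
    clauses = []
    for neg, op, quoted, group, word in _TOKEN.findall(dork):
        alts = [quoted] if quoted else group.split('|') if group else [word]
        clauses.append((neg == '-', op or 'any',
                        [_norm(a) for a in alts if a.strip()]))
    return clauses

def _haystack(page, field):
    fields = {'intext': page.text, 'intitle': page.title, 'inurl': page.url}
    return _norm(fields.get(field, ' '.join(fields.values())))

def matches(dork, page):
    """True when every clause holds: a plain clause needs at least one
    alternative in its field, a '-' clause needs none of them there."""
    for excluded, field, alts in parse_dork(dork):
        hit = any(a in _haystack(page, field) for a in alts)
        if hit == excluded:
            return False
    return True

DORK = ('intext:"chernobyl" intitle:"index.of" (wmv|mpg|avi|mp4|mkv|mov) '
        '-inurl:(jsp|pl|php|html|aspx|htm|cf|shtml)')

# Constructed pages: a bare directory listing and a dynamic PHP page.
OPEN_LISTING = Page("http://example.test/videos/", "Index of /videos",
                    "chernobyl.documentary.mkv  2.1G")
PHP_PAGE = Page("http://example.test/index.php?id=3", "Index of films",
                "chernobyl mkv downloads")
```

Running `matches(DORK, OPEN_LISTING)` returns True while `matches(DORK, PHP_PAGE)` returns False, because the `-inurl:` clause rejects the `.php` URL even though every other clause holds.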

## Flags

Here is the repository for the target website, used to enumerate further and find the flags: <https://github.com/muhammadthm/SantaGiftShop>

### What is the name of the Registrar for the domain santagift.shop?

namecheap inc

### Find the website's source code (repository) on [github.com](https://github.com/) and open the file containing sensitive credentials. Can you find the flag?

{THM\_OSINT\_WORKS}

### What is the name of the file containing passwords?

config.php

### What is the name of the QA server associated with the website?

qa.santagift.shop

### What is the DB\_PASSWORD that is being reused between the QA and PROD environments?

S\@nta2022
