[Day 3] OSINT

December 3, 2022

Today I am reviewing OSINT techniques used for enumerating a website. Here is a recap of the day:

  • What is OSINT, and which techniques can extract useful information about a website or target?

  • Using dorks to find specific information on the Google search engine

  • Extracting hidden directories through the Robots.txt file

  • Domain owner information through WHOIS lookup

  • Searching data from hacked databases

  • Acquiring sensitive information from publicly available GitHub repositories

One powerful technique I have been learning about is Google Dorking, and how much insecurely exposed data can be found using nothing more than a search engine's crawler. Here is a great example of a Google dork for finding files in open directories.

intext:"chernobyl" intitle:"index.of" (wmv|mpg|avi|mp4|mkv|mov) -inurl:(jsp|pl|php|html|aspx|htm|cf|shtml)

I want to break this down a bit.

  • intext: the word must appear in the text of the page.

  • intitle: the word must appear in the title of the page; the acceptable file formats are listed alongside it.

  • inurl: the URL of the returned results uses these formats.

Flags

Here is the website used for further enumeration and flag finding: https://github.com/muhammadthm/SantaGiftShop

What is the name of the Registrar for the domain santagift.shop?

namecheap inc

Find the website's source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

{THM_OSINT_WORKS}

What is the name of the file containing passwords?

config.php

What is the name of the QA server associated with the website?

qa.santagift.shop

What is the DB_PASSWORD that is being reused between the QA and PROD environments?

S@nta2022
