🚩
Anthony Morell's Gitbook
Capture The Flag
CertificationsCapture The FlagBug BountiesHome
Capture The Flag
CertificationsCapture The FlagBug BountiesHome
  • 🖥️CTF Writeups
  • 🟦TryHackMe
    • THM Overview
      • Reverse Engineering
      • Game Server
      • Obscure Web Vulns
      • UltraTech
      • Linux Privilege Escalation
      • The Marketplace
      • RootMe
      • Agent Sudo
      • Startup
      • Lian_Yu
      • Advent of Cyber 2022
        • [Day 1] Frameworks
        • [Day 2] Log Analysis
        • [Day 3] OSINT
        • [Day 4] Scanning
        • [Day 5] Brute-Forcing
        • [Day 6] Email Analysis
        • [Day 7] CyberChef
        • [Day 8] Smart Contracts
        • [Day 9] Pivoting
        • [Day 10] Hack a game
        • [Day 11] Memory Forensics
        • [Day 12] Malware Analysis
        • [Day 13] Packet Analysis
        • [Day 14] Web Applications
        • [Day 15] Secure Coding
        • [Day 16] Secure Coding
        • [Day 17] Secure Coding
        • [Day 18] Sigma
        • [Day 19] Hardware Hacking
        • [Day 20] Firmware
        • [Day 21] MQTT
        • [Day 22] Attack Surface Reduction
        • [Day 23] Defence in Depth
        • [Day 24] The End
  • 🟫PentesterLab
    • PL Overview
      • Recon Badge
        • Badge Solutions
  • 🟩Hack The Box
    • HTB Overview
      • HTB Post
  • 🟧BurpSuite Academy
    • BSA Overview
      • GraphQL API vulnerabilities
        • Accessing private GraphQL posts
        • Accidental exposure of private GraphQL fields
        • Finding a hidden GraphQL endpoint
  • 🏁Competitions
    • Competition Overview
      • GM Bug Bounty Competition
Powered by GitBook
On this page
  1. TryHackMe
  2. THM Overview
  3. Advent of Cyber 2022

[Day 3] OSINT

December 3, 2022

Today I am reviewing OSINT techniques used for enumerating a website. Here is a recap of the day:

  • What is OSINT, and what techniques can extract useful information against a website or target?

  • Using dorks to find specific information on the Google search engine

  • Extracting hidden directories through the Robots.txt file

  • Domain owner information through WHOIS lookup

  • Searching data from hacked databases

  • Acquiring sensitive information from publicly available GitHub repositories

One powerful tool I have been learning about is Google Dorking and how much insecure data can be found just from a web crawler. Here is a great example of Google Dorking to find files in open directories.

intext:"chernobyl" intitle:"index.of" (wmv|mpg|avi|mp4|mkv|mov) -inurl:(jsp|pl|php|html|aspx|htm|cf|shtml)

I want to break this down a bit.

  • intext: In the text of a page the word is present

  • intitle: In the title of the page the word is present, included are the acceptable formats.

  • inurl: The url uses these formats when returning results.

Flags

Here is the website used to enumerate further and find flags: https://github.com/muhammadthm/SantaGiftShop

What is the name of the Registrar for the domain santagift.shop?

namecheap inc

Find the website's source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?

{THM_OSINT_WORKS}

What is the name of the file containing passwords?

config.php

What is the name of the QA server associated with the website?

qa.santagift.shop

What is the DB_PASSWORD that is being reused between the QA and PROD environments?

S@nta2022

Previous[Day 2] Log AnalysisNext[Day 4] Scanning

Last updated 2 years ago

🟦
  • Flags
  • What is the name of the Registrar for the domain santagift.shop?
  • Find the website's source code (repository) on github.com and open the file containing sensitive credentials. Can you find the flag?
  • What is the name of the file containing passwords?
  • What is the name of the QA server associated with the website?
  • What is the DB_PASSWORD that is being reused between the QA and PROD environments?