Skills Assessment - Information Gathering - Web Edition
TARGET:
94.237.122.36:36729
vHosts needed for these questions:
inlanefreight.htb
Challenge 1
What is the IANA ID of the registrar of the inlanefreight.com domain?
1. Try a simple whois for inlanefreight.com
Attempted a whois command to see if I could get some info about the site, but it was not successful:
┌──(myenv)─(macc㉿kaliLab)-[~/htb]
└─$ whois inlanefreight.htb:36729
Output:
Domain Name: INLANEFREIGHT.COM
Registry Domain ID: 2420436757_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.registrar.amazon
Registrar URL: http://registrar.amazon.com
Updated Date: 2025-07-01T22:45:43Z
Creation Date: 2019-08-05T22:43:09Z
Registry Expiry Date: 2026-08-05T22:43:09Z
Registrar: Amazon Registrar, Inc.
Registrar IANA ID: 468
Registrar Abuse Contact Email: trustandsafety@support.aws.com
Registrar Abuse Contact Phone: +1.2024422253
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS-1303.AWSDNS-34.ORG
Name Server: NS-1580.AWSDNS-05.CO.UK
Name Server: NS-161.AWSDNS-20.COM
Name Server: NS-671.AWSDNS-19.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2025-10-28T16:41:45Z <<<
...
- Look at the line that mentions "Registrar IANA ID", there is our flag.
flag: 468
Challenge 2
What http server software is powering the inlanefreight.htb site on the target system? Respond with the name of the software, not the version, e.g., Apache.
1. Start by adding a hosts entry
Go edit your /etc/hosts file to add the required vHosts for this challenge:
94.237.122.36 inlanefreight.htb
Or alternatively use the one-liner:
sudo sh -c "echo '94.237.122.36 inlanefreight.htb' >> /etc/hosts"
2. curl inlanefreight.htb
Check if we can reach the target with a curl command:
┌──(myenv)─(macc㉿kaliLab)-[~/htb/FinalRecon]
└─$ curl -I inlanefreight.htb:36729
Output:
HTTP/1.1 200 OK
Server: nginx/1.26.1
Date: Tue, 28 Oct 2025 16:35:08 GMT
Content-Type: text/html
Content-Length: 120
Last-Modified: Thu, 01 Aug 2024 09:35:23 GMT
Connection: keep-alive
ETag: "66ab56db-78"
Accept-Ranges: bytes
- Look at the line "Server: nginx/1.26.1": it provides the name of the HTTP server and its version.
flag: nginx
Challenge 3
What is the API key in the hidden admin directory that you have discovered on the target system?
Hint: It's formatted like a hash value
1. Try enumerating directories
Use ffuf to fuzz the Host header and look for virtual hosts that might hold the hidden directory:
┌──(macc㉿kaliLab)-[~/htb]
└─$ ffuf -u http://inlanefreight.htb:36729 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -mc 200,403 -t 60 -H "Host: FUZZ.inlanefreight.htb" -ac
Command breakdown:
- ffuf: The tool itself, a fast web fuzzer for directory, vhost, parameter, and content discovery.
- -u http://inlanefreight.htb:36729: The target URL template. ffuf will substitute the FUZZ token (if present) into this string. In this command the FUZZ placeholder is not in the URL path but in the Host header (see -H), while -u tells ffuf the host and port to send requests to.
- -w ~/SecLists/Discovery/DNS/subdomains-top1million-110000.txt: The wordlist to use. Each line in that file will be injected where FUZZ appears (here: into the Host: header). That particular file is a common SecLists subdomains list used for subdomain / vhost discovery.
- -H "Host: FUZZ.inlanefreight.htb": Adds a custom HTTP header. Here you set the Host: header to something.inlanefreight.htb by replacing FUZZ with each word from the wordlist; that's exactly how virtual-host (vhost) or subdomain enumeration is commonly performed with ffuf. In other words: ffuf sends requests to the same IP:port, but each request pretends to be for a different subdomain by changing the Host header. This technique is widely used when DNS won't resolve or when testing for virtual hosts on a shared webserver.
- -mc 200,403: "Match codes": filter results by HTTP status code(s). Only responses whose status codes are in the comma-separated list will be shown as hits. In this case you'll keep responses with 200 (OK) and 403 (Forbidden). This helps focus on promising responses and ignore common noise like 404s. (There are related flags to exclude codes, like -fc.)
- -t 60: Number of threads / concurrent requests to use (concurrency). 60 is fairly aggressive: it speeds up the scan but increases load on the target and your network. Tune lower if you see connection issues, if the service is slow, or if you need to be stealthier.
- -ac: Auto-calibrate (automatic filtering). ffuf will make a few initial requests to known "calibration" paths so it can detect and automatically filter out obvious false positives based on response size/wordcount patterns (for example, consistent error pages returned for many different FUZZ values). That helps reduce noise when servers return identical error pages for many bad hosts/paths. The auto-calibration works by probing a set of templates and using response metrics (size, wordcount, etc.) to suppress matches that look like the generic error page. This is especially useful in vhost enumeration to avoid many identical error responses.
Note:
- You have to use this wordlist as the hidden admin directory’s name is not in the smaller wordlists.
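To make the -mc and -ac descriptions above concrete, here is an added example (not ffuf's own code, and not part of the original writeup) that models the idea in simplified form: learn the fingerprint of the catch-all response from probes with random Host values, then drop every scan result that matches it. The hostnames, sizes and word counts are constructed sample data.

```python
from collections import Counter
from typing import NamedTuple, Optional


class Resp(NamedTuple):
    host: str    # value sent in the Host header
    status: int  # HTTP status code
    size: int    # response body size in bytes
    words: int   # word count of the body


def fingerprint(r: Resp) -> tuple:
    """The metrics used to decide that two responses are 'the same page'."""
    return (r.status, r.size, r.words)


def calibrate(probes: list, min_agree: float = 1.0) -> Optional[tuple]:
    """Learn the catch-all fingerprint from probes sent with random Host values.

    Returns the fingerprint the probes share, or None when they disagree,
    because then no filter can be derived without hiding real results.
    """
    if not probes:
        return None
    fp, count = Counter(fingerprint(p) for p in probes).most_common(1)[0]
    return fp if count / len(probes) >= min_agree else None


def hits(responses: list, baseline: Optional[tuple], match_codes=(200, 403)) -> list:
    """Keep hosts whose status is matched (-mc) and that differ from the baseline (-ac)."""
    kept = []
    for r in responses:
        if r.status not in match_codes:
            continue  # status code not in the match list
        if baseline is not None and fingerprint(r) == baseline:
            continue  # looks exactly like the catch-all page
        kept.append(r.host)
    return kept


# Constructed sample: the server answers unknown Host values with one default page.
PROBES = [
    Resp("x7f3kq.example.test", 200, 120, 9),
    Resp("p0z9aa.example.test", 200, 120, 9),
    Resp("lm22vd.example.test", 200, 120, 9),
]
SCAN = [
    Resp("www.example.test", 200, 120, 9),       # default page
    Resp("mail.example.test", 200, 120, 9),      # default page
    Resp("#www.example.test", 400, 157, 12),     # malformed Host, rejected
    Resp("portal.example.test", 200, 104, 8),    # a distinct vhost
    Resp("intranet.example.test", 403, 153, 10), # a distinct, forbidden vhost
]

if __name__ == "__main__":
    baseline = calibrate(PROBES)
    print("baseline:", baseline)
    print("status filter only:", hits(SCAN, None))
    print("status filter + calibration:", hits(SCAN, baseline))
```

A default server that answers every unknown Host with the same page does not conceal a virtual host: anything that responds differently still stands out, so an admin vhost needs authentication rather than an unguessable name.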
1.1. Or much faster: try gobuster
You can also use gobuster to enumerate subdomains/vhosts:
┌──(macc㉿kaliLab)-[~/htb]
└─$ gobuster vhost -u http://inlanefreight.htb:36729 -w ~/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 60 --append-domain
Command breakdown:
- gobuster: The program (a fast brute-forcer written in Go); supports modes like dir, dns, vhost, s3, etc.
- vhost: Selects the virtual-host enumeration mode. Gobuster will attempt host-based enumeration (trying candidate hostnames) rather than directory or DNS modes.
- -u http://inlanefreight.htb:36729: The target URL (scheme + host/IP + port). Gobuster will send HTTP requests to this address for every candidate vhost it tests. Even though the request is sent to this IP:port, Gobuster will change the Host: header to the candidate vhost value so the server is queried as if the request was for that subdomain.
- -w ~/SecLists/Discovery/DNS/subdomains-top1million-110000.txt: The wordlist to use. Each line will be tried as a candidate subdomain (e.g., admin, mail, web, etc.). Typical SecLists file used for subdomain/vhost brute forcing.
- -t 60: Threads / concurrency (number of simultaneous requests). 60 is high: faster scan but heavier load on the target and your network. If the target is slow or you must be polite, reduce this (common values 10–30).
- --append-domain: Tells Gobuster to append the base domain (the domain you're targeting) to each word from the wordlist, producing word.domain.tld hostnames. Without this flag Gobuster would just use the raw word (e.g., admin) as the hostname, which produces wrong/meaningless hostnames and lots of false positives. Use --append-domain when you want word.example.com behavior. (You can also explicitly set the domain with a dedicated --domain option if you need to override what Gobuster infers.)
Output:
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://inlanefreight.htb:36729
[+] Method: GET
[+] Threads: 60
[+] Wordlist: /home/macc/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
[+] Append Domain: true
[+] Exclude Hostname Length: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
#www.inlanefreight.htb:36729 Status: 400 [Size: 157]
#mail.inlanefreight.htb:36729 Status: 400 [Size: 157]
#smtp.inlanefreight.htb:36729 Status: 400 [Size: 157]
#pop3.inlanefreight.htb:36729 Status: 400 [Size: 157]
web1337.inlanefreight.htb:36729 Status: 200 [Size: 104]
Progress: 114442 / 114442 (100.00%)
===============================================================
Finished
===============================================================
- We have found the hidden admin subdomain:
web1337.inlanefreight.htb
Add the newly found vhost:
sudo sh -c "echo '94.237.122.36 web1337.inlanefreight.htb' >> /etc/hosts"
2. Inspect the robots.txt file
Use curl to inspect robots.txt for any instructions to crawlers. Its Disallow entries are one place to look for intentionally hidden directories.
┌──(macc㉿kaliLab)-[~/htb]
└─$ curl http://web1337.inlanefreight.htb:36729/robots.txt
User-agent: *
Allow: /index.html
Allow: /index-2.html
Allow: /index-3.html
Disallow: /admin_h1dd3n
- Here is where we can see the hidden admin directory:
/admin_h1dd3n
3. Try connecting to /admin_h1dd3n
Try a curl command to http://web1337.inlanefreight.htb:36729/admin_h1dd3n
┌──(macc㉿kaliLab)-[~/htb]
└─$ curl -I http://web1337.inlanefreight.htb:36729/admin_h1dd3n
Output:
HTTP/1.1 301 Moved Permanently
Server: nginx/1.26.1
Date: Wed, 29 Oct 2025 18:55:16 GMT
Content-Type: text/html
Content-Length: 169
Location: http://web1337.inlanefreight.htb/admin_h1dd3n/
Connection: keep-alive
- Note this is a redirect header
So let's try connecting to the location listed there (with a / added at the end):
┌──(macc㉿kaliLab)-[~/htb]
└─$ curl -I http://web1337.inlanefreight.htb:36729/admin_h1dd3n/
Output:
HTTP/1.1 200 OK
Server: nginx/1.26.1
Date: Wed, 29 Oct 2025 18:57:24 GMT
Content-Type: text/html
Content-Length: 255
Last-Modified: Thu, 01 Aug 2024 09:35:23 GMT
Connection: keep-alive
ETag: "66ab56db-ff"
Accept-Ranges: bytes
- Now we get that 200 response, we are ready to connect to it.
Do a simple curl command to request the contents of the /admin_h1dd3n/ directory:
┌──(macc㉿kaliLab)-[~/htb]
└─$ curl http://web1337.inlanefreight.htb:36729/admin_h1dd3n/
Output:
<!DOCTYPE html><html><head><title>web1337 admin</title></head><body><h1>Welcome to web1337 admin site</h1><h2>The admin panel is currently under maintenance, but the API is still accessible with the key e963d863ee0e82ba7080fbf558ca0d3f</h2></body></html>
- There is our key!
flag: e963d863ee0e82ba7080fbf558ca0d3f
Challenge 4
After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
1. Try using ReconSpider directly
Using ReconSpider directly:
┌──(myenv)─(macc㉿kaliLab)-[~/htb/crawling]
└─$ python3 ReconSpider.py http://inlanefreight.htb:36729
...
2025-10-29 13:11:09 [scrapy.extensions.logstats] INFO: Crawled 0 pages (at 0 pages/min), scraped 0 items (at 0 items/min)
...
- This didn't work for me
Try it again with the web1337.inlanefreight.htb subdomain
┌──(myenv)─(macc㉿kaliLab)-[~/htb/crawling]
└─$ python3 ReconSpider.py http://web1337.inlanefreight.htb:36729
- Again this didn't work.
2. Go back to fuzzing subdomains
Since none of the domains we know of are working with ReconSpider, let's look for subdomains of web1337.inlanefreight.htb; we may find other subdomains under it that we can try with ReconSpider.
┌──(myenv)─(macc㉿kaliLab)-[~/htb/crawling]
└─$ ffuf -u http://web1337.inlanefreight.htb:59776 -w ~/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -mc 200,403 -t 60 -H "Host: FUZZ.web1337.inlanefreight.htb" -ac
- Again this may take a while
Or alternatively we can use gobuster for a much faster vhost fuzzing
┌──(macc㉿kaliLab)-[~]
└─$ gobuster vhost -u http://web1337.inlanefreight.htb:36729 -w ~/SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 60 --append-domain
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://web1337.inlanefreight.htb:36729
[+] Method: GET
[+] Threads: 60
[+] Wordlist: /home/macc/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
[+] Append Domain: true
[+] Exclude Hostname Length: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
dev.web1337.inlanefreight.htb:36729 Status: 200 [Size: 123]
#www.web1337.inlanefreight.htb:36729 Status: 400 [Size: 157]
#mail.web1337.inlanefreight.htb:36729 Status: 400 [Size: 157]
Progress: 27665 / 114442 (24.17%)
- Straight away we found the subdomain
dev.web1337.inlanefreight.htb
Add this vhost to our /etc/hosts file
sudo sh -c "echo '94.237.122.36 dev.web1337.inlanefreight.htb' >> /etc/hosts"
3. Try ReconSpider again
Now let's try running ReconSpider on this new subdomain:
┌──(myenv)─(macc㉿kaliLab)-[~/htb/crawling]
└─$ python3 ReconSpider.py http://dev.web1337.inlanefreight.htb:36729
- This seems to work, just wait for it to finish (it will take a while).
After the crawling has finished, check the results.json file to look for the email section
┌──(macc㉿kaliLab)-[~/htb/crawling]
└─$ cat results.json
{
"emails": [
"1337testing@inlanefreight.htb"
],
"links": [
...
],
"external_files": [],
"js_files": [],
"form_fields": [],
"images": [],
"videos": [],
"audio": [],
"comments": [
"<!-- Remember to change the API key to ba988b835be4aa97d068941dc852ff33 -->"
]
}
- There is the email we are looking for!
flag:
1337testing@inlanefreight.htb
Challenge 5
What is the API key the inlanefreight.htb developers will be changing to?
1. Check the crawling results
Carefully check the results.json file for anything that relates to the API key being changed. The comments section is a good place to look.
Note the comments section:
...
"comments": [
"<!-- Remember to change the API key to ba988b835be4aa97d068941dc852ff33 -->"
]
...
- This is what the challenge was talking about.
flag: ba988b835be4aa97d068941dc852ff33
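Challenges 3 to 5 all came down to content the site published itself: a Disallow entry naming the admin directory, a key printed in a page body, and a key left in an HTML comment. The following added example (not part of the original writeup or of ReconSpider) is a pre-release check a site owner could run over the same material. The function names, the keyword list and the 32-hex tokens are assumptions constructed for illustration; the robots.txt text and the "comments" key mirror what is shown above.

```python
import re

# 32, 40 or 64 hex characters: the lengths of MD5-, SHA-1- and SHA-256-sized values.
HEX_TOKEN = re.compile(
    r"(?<![0-9a-f])(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})(?![0-9a-f])", re.I)
# Hypothetical keyword list for path names that advertise something sensitive.
SENSITIVE = re.compile(r"admin|backup|private|internal|secret|hidden|config", re.I)


def redact(token: str) -> str:
    """Report a finding without copying the secret into the report."""
    return f"{token[:4]}...({len(token)} hex chars)"


def audit_robots(text: str) -> list:
    """Return Disallow paths whose names reveal what they protect."""
    flagged = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop robots.txt comments
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow" and SENSITIVE.search(value):
            flagged.append(value.strip())
    return flagged


def audit_text(source: str, text: str) -> list:
    """Return (source, redacted token) for every hash-shaped string in text."""
    return [(source, redact(m.group(0))) for m in HEX_TOKEN.finditer(text)]


def audit_crawl(results: dict, pages: dict) -> list:
    """results: crawler output with a 'comments' list; pages: {path: HTML body}."""
    findings = []
    for i, comment in enumerate(results.get("comments", [])):
        findings += audit_text(f"comment[{i}]", comment)
    for path, body in pages.items():
        findings += audit_text(path, body)
    return findings


# robots.txt as shown in Challenge 3.
ROBOTS = """User-agent: *
Allow: /index.html
Allow: /index-2.html
Allow: /index-3.html
Disallow: /admin_h1dd3n
"""
# Constructed sample data: the tokens below are placeholders, not the lab's keys.
RESULTS = {
    "emails": ["dev@example.test"],
    "comments": ["<!-- Remember to change the API key to fedcba9876543210fedcba9876543210 -->"],
}
PAGES = {
    "/admin_h1dd3n/": "<h2>The API is still accessible with the key "
                      "0123456789abcdef0123456789abcdef</h2>",
}

if __name__ == "__main__":
    print("robots.txt:", audit_robots(ROBOTS))
    for source, token in audit_crawl(RESULTS, PAGES):
        print(f"hash-like token in {source}: {token}")
```

Listing a path under Disallow publishes it to everyone who reads robots.txt, so the directory needs access control rather than an exclusion rule.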