Content Discovery
This guide contains the answers, and the steps needed to reach them, for the Content Discovery room.
Table of Contents
- What Is Content Discovery?
- Manual Discovery - Robots.txt
- Manual Discovery - Favicon
- Manual Discovery - Sitemap.xml
- Manual Discovery - HTTP Headers
- Manual Discovery - Framework Stack
- OSINT - Google Hacking / Dorking
- OSINT - Wappalyzer
- OSINT - Wayback Machine
- OSINT - GitHub
- OSINT - S3 Buckets
- Automated Discovery
What is Content Discovery?
- What is the Content Discovery method that begins with M?
This answer can be found in the text.
Answer: Manually
- What is the Content Discovery method that begins with A?
This answer can be found in the text.
Answer: Automated
- What is the Content Discovery method that begins with O?
This answer can be found in the text.
Answer: OSINT
Manual Discovery - Robots.txt
This task gives more information about the robots.txt file.
- What is the directory in the robots.txt that isn't allowed to be viewed by web crawlers?
Open the browser and navigate to the site's robots.txt file: http://10.10.43.213/robots.txt
Answer: /staff-portal
Manual Discovery - Favicon
In this task we will be looking at the favicon to find out more about the underlying framework of the website.
We will use the following website as an example:
https://static-labs.tryhackme.cloud/
We look at the source of the page and note the link to the favicon. Then we can use curl to download the image and compute its MD5 hash.
Answer: f276b19aabcb4ae8cda4d22625c6735f
Now we can navigate to the following website to compare the hash and find the framework:
https://wiki.owasp.org/index.php/OWASP_favicon_database
Answer: cgiirc
Manual Discovery - Sitemap.xml
In this task we will look at the sitemap of the demo website.
- What is the path of the secret area that can be found in the sitemap.xml file?
Looking at the sitemap, we can see a secret page.
Answer: /s3cr3t-area
Manual Discovery - HTTP Headers
In this task we will look at HTTP headers in more detail.
- What is the flag value from the X-FLAG header?
To get the header information we request the page with verbose mode enabled, so that the response headers are printed.
Answer: THM{HEADER_FLAG}
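The four manual checks covered so far (robots.txt Disallow entries, favicon hashing, sitemap.xml locations and a custom response header) as one offline Python example; this is added here and is not part of the room. The inputs are constructed to mirror the lab's artefacts, and the favicon table holds only the cgiirc entry given above rather than the full OWASP database.

```python
import hashlib
import re

# Constructed sample inputs modelled on the room's artefacts (not captured from the lab).
ROBOTS_TXT = """User-agent: *
Allow: /
Disallow: /staff-portal
Sitemap: http://example.test/sitemap.xml
"""

SITEMAP_XML = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://example.test/</loc></url>
  <url><loc>http://example.test/s3cr3t-area</loc></url>
</urlset>"""

RAW_RESPONSE = "HTTP/1.1 200 OK\r\nX-FLAG: THM{HEADER_FLAG}\r\nContent-Type: text/html\r\n\r\n<html></html>"

# Digest -> framework table; its only entry is the one the page gives (cgiirc).
FAVICON_DB = {"f276b19aabcb4ae8cda4d22625c6735f": "cgiirc"}


def disallowed_paths(robots):
    """Return every path a Disallow directive asks crawlers to skip."""
    paths = []
    for line in robots.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def sitemap_paths(xml):
    """Extract the path component of every <loc> entry in a sitemap."""
    locs = re.findall(r"<loc>\s*(.*?)\s*</loc>", xml)
    return [re.sub(r"^https?://[^/]+", "", loc) or "/" for loc in locs]


def response_header(raw, name):
    """Case-insensitive lookup of one header in a raw HTTP response (None if absent)."""
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None


def identify_favicon(data):
    """MD5 the favicon bytes and look the digest up in the local table."""
    digest = hashlib.md5(data).hexdigest()
    return digest, FAVICON_DB.get(digest)
```

Feed the real favicon bytes (for example the file curl downloaded) to identify_favicon to reproduce the hash comparison from the favicon task.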
Manual Discovery - Framework Stack
In this task we will look at the framework stack of the website.
- What is the flag from the framework's administration portal?
On the page source of the website we find a link to the framework used.
Here we find a link to the framework documentation which reveals a hidden admin panel.
We can log in to this panel with the default credentials if they haven't been changed.
Answer: THM{CHANGE_DEFAULT_CREDENTIALS}
OSINT - Google Hacking / Dorking
This task tells us more about Google dorking and how it can be used to refine search results.
- What Google dork operator can be used to only show results from a particular site?
This answer can be found in the supplied text.
Answer: site:
OSINT - Wappalyzer
This task introduces the Wappalyzer tool.
- What online tool can be used to identify what technologies a website is running?
Answer: Wappalyzer
OSINT - Wayback Machine
This task gives us more information about the Wayback Machine website and what it does.
- What is the website address for the Wayback Machine?
The link to the service can be found in the text.
Answer: https://archive.org/web/
OSINT - GitHub
This task shows us how we can use GitHub to get information about a certain company, website, etc.
- What is Git?
The answer to this question can be found in the text.
Answer: Version Control System
OSINT - S3 Buckets
This task focuses on Amazon S3 buckets and their use.
- What URL format do Amazon S3 buckets end in?
The answer to this question can be found in the text.
Answer: s3.amazonaws.com
Automated Discovery
This task tells us more about the various automated ways we can discover hidden content.
We can use multiple tools to perform this automated discovery. Below are the commands used for three common enumeration tools.
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u http://10.10.69.221/FUZZ
dirb http://10.10.69.221 /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
gobuster dir -u http://10.10.69.221/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
- What is the name of the directory beginning "/mo...." that was discovered?
Answer: /monthly
- What is the name of the log file that was discovered?
Answer: /development.log