TryHackMe: Sublist3r Writeup
3 min read · Mar 28, 2022
This room intends to teach us how to find subdomains with Sublist3r. This room can be accessed using this link: https://tryhackme.com/room/rpsublist3r
Task 1: Intro
- You can find Sublist3r here! We’ll install this in the next task. Answer: No answer needed.
Task 2: Installation
- First, let’s change to our opt directory: cd /opt. Answer: No answer needed
- Next, let’s clone the Sublist3r repository into opt: git clone https://github.com/aboul3la/Sublist3r.git. Answer: No answer needed
- Now let’s move into the Sublist3r directory we’ve just created: cd /opt/Sublist3r. Answer: No answer needed
- Finally, let’s install the requirements for running Sublist3r: pip3 install -r requirements.txt. Answer: No answer needed
Task 3: Switchboard
- What switch can we use to set our target domain to perform recon on? Answer: -d
- How about setting which engines we’ll use for searching (e.g. google, bing, etc.)? Answer: -e
- Saving our output is important both so we don’t have to run recon again and so we can return to our results and review them at a later time. What switch do we use to define an output file? Answer: -o
- Sublist3r can sometimes take some time to run, but we can speed things up through the use of threads. Which switch allows us to set the number of threads? Answer: -t
- Last but not least, we can also brute-force subdomains for our target. This isn’t always the most useful; however, it can sometimes find a key domain that we might have missed. What switch allows us to enable brute forcing? Answer: -b
Task 4: Scans away!
- Let’s run sublist3r now against nbc.com, a fairly large American news company. Run this now with the command: python3 sublist3r.py -d nbc.com -o sub-output-nbc.txt. Answer: No answer needed
- Once that completes, open up your results and take a look through them. Email domains are almost always interesting and typically have an email portal (usually Outlook) located at them. Which subdomain is likely the email portal? Answer: mail
- Administrative control panels should never be exposed to the internet! Which subdomain is exposed that shouldn’t be? Answer: admin
- Company blogs can sometimes reveal information about internal activities. Which subdomain has the company blog at it? Answer: blog
- Development sites are often vulnerable to information disclosure or full-blown attacks. Two developer sites are exposed; which one is associated directly with web development? Answer: dev-www
- Customer and employee help desk portals can often reveal internal nomenclature and other potentially sensitive information. Which DNS record might be a helpdesk portal? Answer: help
- Single sign-on is a feature commonly used in corporate domains. Which DNS record is directly associated with this feature? Include both parts of this subdomain separated by a period. Answer: ssologin.stg
- One last one for fun. NBC produced a popular sitcom about a typical office work environment. Which DNS record might be associated with this show? Answer: office-words
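Task 3 and Task 4 together describe a small workflow: assemble a Sublist3r command line from the switches, then read the `-o` output file and pick out the subdomains that deserve an exposure review (mail, admin, blog, dev, helpdesk, SSO). The script below is an added example written for this writeup; it is not part of the room or of the Sublist3r project. It assumes Sublist3r's `-o` file holds one hostname per line, and the `SAMPLE_OUTPUT` text under `example.com` is constructed for the demo, not real scan results. It generalizes the Task 4 questions into reusable categories so the same triage can be run against any output file an asset owner produces for their own domain.

```python
"""Build a Sublist3r command line and triage its output file for exposed services."""
import re
from collections import defaultdict

# Constructed stand-in for a `-o` output file (one subdomain per line); not a real scan.
SAMPLE_OUTPUT = """\
www.example.com
mail.example.com
admin.example.com
blog.example.com
dev-www.example.com
dev-api.example.com
help.example.com
ssologin.stg.example.com
cdn.example.com
"""

# Categories a reviewer flags, matched against each label left of the apex domain.
# The label sets are assumptions chosen for this example, not an exhaustive list.
CATEGORIES = {
    "email portal": re.compile(r"^(mail|webmail|owa|autodiscover)$"),
    "admin panel": re.compile(r"^(admin|administrator|manage|cpanel)$"),
    "blog": re.compile(r"^blog$"),
    "development": re.compile(r"^(dev|staging|stg|test|uat)(-|$)"),
    "helpdesk": re.compile(r"^(help|helpdesk|support|servicedesk)$"),
    "single sign-on": re.compile(r"^(sso|ssologin|login|auth|idp)$"),
}


def build_command(domain, output, engines=None, threads=None, bruteforce=False):
    """Assemble the sublist3r.py argv using the -d/-o/-e/-t/-b switches from Task 3."""
    cmd = ["python3", "sublist3r.py", "-d", domain, "-o", output]
    if engines:
        cmd += ["-e", ",".join(engines)]          # e.g. google,bing
    if threads:
        cmd += ["-t", str(threads)]
    if bruteforce:
        cmd.append("-b")
    return cmd


def parse_output(text, domain):
    """Return the sorted, de-duplicated hostnames that sit under `domain`."""
    found = set()
    for line in text.splitlines():
        host = line.strip().lower().rstrip(".")
        if host and host.endswith("." + domain):
            found.add(host)
    return sorted(found)


def classify(subdomains, domain):
    """Map each category to the subdomains whose labels match its pattern."""
    hits = defaultdict(list)
    for host in subdomains:
        labels = host[: -len(domain) - 1].split(".")   # strip the apex domain
        for name, pattern in CATEGORIES.items():
            if any(pattern.search(label) for label in labels):
                hits[name].append(host)
    return dict(hits)


def report(text, domain):
    """Return a human-readable triage summary for an output file's contents."""
    subs = parse_output(text, domain)
    lines = [f"{len(subs)} subdomains under {domain}"]
    for name, hosts in sorted(classify(subs, domain).items()):
        lines.append(f"  [{name}] " + ", ".join(hosts))
    return "\n".join(lines)


if __name__ == "__main__":
    print(" ".join(build_command("example.com", "sub-output.txt",
                                 engines=["google", "bing"], threads=40, bruteforce=True)))
    print(report(SAMPLE_OUTPUT, "example.com"))
```

Run it against a real output file by replacing `SAMPLE_OUTPUT` with the file's contents; hosts that match no category (such as `cdn` and `www` above) are still counted but not flagged, so the summary stays focused on the services the room calls out as worth a second look.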
Follow me on LinkedIn