Content Discovery
Task 1: What Is Content Discovery?
The answers to these questions were in the reading:
Task 2: Manual Discovery - Robots.txt
I see the following at (IP)/robots.txt:
This is what the disallowed endpoint showed:
Task 3: Manual Discovery - Favicon
The THM written part mentioned the command to run: curl https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico | md5sum
I run the command on my local machine:
I then ran a Control-F on https://wiki.owasp.org/index.php/OWASP_favicon_database, and I found this:
The favicon was from cgiirc. Another way to find this was to open the favicon:
If you can read the image, it spells out cgiirc.
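The lookup above is just "MD5 the raw favicon bytes, then search the OWASP table for that digest", and the one thing that silently breaks it is hashing something that is not an icon (a 404 page or a login redirect served at /favicon.ico). The script below is an added example, not part of the room or the OWASP project: it checks the magic bytes before hashing and only then consults a database; the database excerpt, the sample icon and the `identify_favicon`/`fetch_favicon` names are all assumptions made here, and the real table lives at the OWASP URL referenced above.

```python
"""Hash a favicon the way the OWASP favicon database expects (MD5 of the raw
file) and refuse to hash responses that are not images.
Added example, not from the TryHackMe room; DATABASE_EXCERPT is constructed,
not real OWASP data."""
import hashlib
import urllib.request

# Leading bytes of the formats a favicon is normally served in
IMAGE_MAGIC = {
    b"\x00\x00\x01\x00": "ico",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpeg",
}

# Constructed sample: a minimal ICO header (not a real product's icon)
SAMPLE_ICO = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00"

# Constructed stand-in for the OWASP table: md5 hex -> framework/product
DATABASE_EXCERPT = {hashlib.md5(SAMPLE_ICO).hexdigest(): "sample-app"}


def image_type(data):
    """Return 'ico', 'png', ... or None when the bytes are not an image."""
    for magic, name in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def favicon_md5(data):
    """Digest of the raw file, which is what `curl ... | md5sum` prints."""
    return hashlib.md5(data).hexdigest()


def identify_favicon(data, database=DATABASE_EXCERPT):
    """Return (md5, product_or_None); raise if the response is not an image,
    because the hash of an HTML error page matches nothing useful."""
    if image_type(data) is None:
        raise ValueError("response is not an image; refusing to hash it")
    digest = favicon_md5(data)
    return digest, database.get(digest)


def fetch_favicon(url, timeout=10):
    """Download the icon bytes; some sites refuse requests without a UA."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Same target the room uses; identification needs the full OWASP table.
    data = fetch_favicon("https://static-labs.tryhackme.cloud/sites/favicon/images/favicon.ico")
    print(image_type(data), favicon_md5(data))
```

Run it against a real target and paste the printed digest into the OWASP page search; the `ValueError` path is the case where `curl ... | md5sum` would have given you a hash of an error page without telling you.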
Task 4: Manual Discovery - Sitemap.xml
We can look through the sitemap to see if there is anything interesting. I found the following:
This led me to this site:
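Tasks 2 and 4 are both "read a file the site publishes and pull out paths it would rather you did not guess". The snippet below is an added example, not from the room: it parses `robots.txt` (Disallow, Allow and Sitemap directives) and `sitemap.xml` (every `<loc>`) into one list of paths to visit. The sample files and the `target.example` host are constructed; the function names are assumptions.

```python
"""Extract candidate paths from robots.txt and sitemap.xml.
Added example, not from the TryHackMe room; both sample files are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed robots.txt; a real one comes from http://TARGET/robots.txt
SAMPLE_ROBOTS = """# comments are allowed anywhere
User-agent: *
Disallow: /staff-portal/
Disallow: /private/   # trailing comment
Allow: /public/
Sitemap: http://target.example/sitemap.xml
"""

# Constructed sitemap.xml using the standard sitemaps.org namespace
SAMPLE_SITEMAP = """<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
  <url><loc>http://target.example/</loc></url>
  <url><loc>http://target.example/old-site/</loc></url>
</urlset>
"""


def parse_robots(text):
    """Return (disallowed, allowed, sitemaps). Directive names are
    case-insensitive and '#' starts a comment. Note that entries may be
    patterns (e.g. '/*.php$'), not only literal paths."""
    disallowed, allowed, sitemaps = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        key = key.lower()
        if key == "disallow" and value:
            disallowed.append(value)
        elif key == "allow" and value:
            allowed.append(value)
        elif key == "sitemap" and value:
            sitemaps.append(value)
    return disallowed, allowed, sitemaps


def parse_sitemap(xml_text):
    """Return every <loc> URL, namespaced or not, from a sitemap or sitemap index."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter()
            if (el.tag == "loc" or el.tag.endswith("}loc")) and el.text]


def candidate_paths(base_url, robots_text, sitemap_text):
    """Merge both sources into a sorted, de-duplicated list of paths."""
    disallowed, allowed, _ = parse_robots(robots_text)
    paths = set(disallowed) | set(allowed)
    for url in parse_sitemap(sitemap_text):
        paths.add(urlparse(urljoin(base_url, url)).path or "/")
    return sorted(paths)


if __name__ == "__main__":
    for p in candidate_paths("http://target.example/", SAMPLE_ROBOTS, SAMPLE_SITEMAP):
        print(p)
```

A sitemap index (`<sitemapindex>` with nested `<sitemap><loc>`) yields URLs of further sitemaps rather than pages, so feed those back through `parse_sitemap` after fetching them.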
Task 5: Manual Discovery - HTTP Headers
Running the command mentioned in the Task, I got the following:
Task 6: Manual Discovery - Framework Stack
I accessed the link mentioned in the Task, and got here:
I then went under documentation, and saw the following:
Using those credentials (on that endpoint) I was then able to get the flag:
Task 7: OSINT - Google Hacking / Dorking
You can answer the question by looking at the information provided on the page:
The answer was the site: operator.
Task 8: OSINT - Wappalyzer
The answer to this question was based on the reading in the Task: wappalyzer
Task 9: OSINT - Wayback Machine
Similar to the last question, the answer to this question was in the reading as well: https://archive.org/web/
Task 10: OSINT - GitHub
The answer was in the reading:
Task 11: OSINT - S3 Buckets
The answer was once again in the reading:
Task 12: Automated Discovery
I ended up using ffuf, since it seemed to be the fastest for me in terms of response:
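For reference, the shape of the ffuf invocation the task has you run is shown below; this is added here and not the author's exact command line. `-w` is the wordlist, `FUZZ` in `-u` is replaced by each word, and `-fc 404` drops the not-found responses so only real hits are printed. The wordlist path and `TARGET` are placeholders you substitute.

```shell
# Added example: wordlist-based content discovery with ffuf.
# Replace TARGET and the wordlist path; -fc 404 hides not-found responses.
ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt \
     -u http://TARGET/FUZZ -fc 404
```

If every path returns 200 (a catch-all site), filter on response size instead with `-fs <bytes>` using the size of the generic page.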