What I Learned From Hack The Box: DNS Digging, Eyewitness & Exploiting File Uploads

While exploring a recent intermediate Hack The Box (HTB) lab, I spent some time sharpening my approach to web-focused enumeration and testing. I didn’t complete the lab due to time constraints, but it offered a good opportunity to revisit core techniques and tools, particularly around DNS discovery, web recon, and handling file upload functionality.

This article walks through that session. You’ll get a breakdown of:

  • DNS enumeration using dig
  • Subdomain mapping and modifying the /etc/hosts file
  • Using Eyewitness to visually scan web pages
  • Directory discovery with Gobuster
  • Identifying and exploiting a file upload vulnerability
  • A few key nmap commands used along the way

DNS Enumeration – Using dig To Uncover Hidden Gems

After spotting a target domain, I tested whether its name server would hand over the whole zone via a zone transfer (AXFR). A zone transfer returns every record in the zone in one go, but only when the server is misconfigured to answer AXFR requests from arbitrary clients; if it refuses, you are back to brute-forcing subdomains. The following command requested the transfer and reduced the output to a list of names (comment lines and blank lines are dropped so they don’t end up as bogus entries later):

dig axfr inlanefreight.local @10.129.229.147 | awk 'NF {print $1}' | grep -v '^;' | sed 's/\.$//' | sort -u > file2

This generated a clean list of subdomains. I mapped them locally by appending them to /etc/hosts, pointing every name at 10.129.229.147. That is fine for a lab that runs on a single host; in a zone whose A records point at several addresses, take the IP from each record instead of assuming one:

while read -r subdomain; do echo "10.129.229.147 $subdomain"; done < file2 | sudo tee -a /etc/hosts > /dev/null

Being able to resolve these subdomains locally was helpful for both browser access and tooling later on.
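The same idea, done a little more carefully, as an added example that is not part of the original post: instead of mapping every name to one address, keep the address each A record actually carries, give CNAME aliases the address of their target, and skip SOA/NS records and dig’s own banner lines. The zone data below is constructed for illustration (the dev host at 10.129.229.150 is invented) and is not the lab’s real zone.

```shell
# Added example, not from the original post. Parse `dig axfr` output into
# /etc/hosts lines, using the IP each A record carries and resolving CNAMEs
# against the A records in the same zone. The zone below is a constructed sample.

SAMPLE_AXFR='; <<>> DiG 9.18.1 <<>> axfr inlanefreight.local @10.129.229.147
;; global options: +cmd
inlanefreight.local.      604800 IN SOA   ns.inlanefreight.local. root.inlanefreight.local. 2 604800 86400 2419200 604800
inlanefreight.local.      604800 IN NS    ns.inlanefreight.local.
inlanefreight.local.      604800 IN A     10.129.229.147
ns.inlanefreight.local.   604800 IN A     10.129.229.147
www.inlanefreight.local.  604800 IN A     10.129.229.147
dev.inlanefreight.local.  604800 IN A     10.129.229.150
www2.inlanefreight.local. 604800 IN CNAME www.inlanefreight.local.
inlanefreight.local.      604800 IN SOA   ns.inlanefreight.local. root.inlanefreight.local. 2 604800 86400 2419200 604800
;; Query time: 4 msec
;; SERVER: 10.129.229.147#53(10.129.229.147) (TCP)'

# Read dig output on stdin; print sorted, unique "IP name" lines for /etc/hosts.
# Comment lines (;), blank lines and SOA/NS records never become host entries.
# If a name has several A records (round robin) the last one wins.
axfr_to_hosts() {
    awk '
        /^;/ || NF == 0 { next }                   # dig banner, footer, blanks
        { name = $1; sub(/\.$/, "", name) }        # strip trailing dot from FQDN
        $3 == "IN" && $4 == "A"     { a[name] = $5 }
        $3 == "IN" && $4 == "CNAME" { t = $5; sub(/\.$/, "", t); alias[name] = t }
        END {
            for (n in a) print a[n] " " n
            # an alias only gets an entry if its target has an A record in this zone
            for (n in alias) if (alias[n] in a) print a[alias[n]] " " n
        }
    ' | sort -u
}

# Typical use against the live server (appending to /etc/hosts needs root):
#   dig axfr inlanefreight.local @10.129.229.147 | axfr_to_hosts | sudo tee -a /etc/hosts
printf '%s\n' "$SAMPLE_AXFR" | axfr_to_hosts
```

Run against the sample it prints five lines: four names on 10.129.229.147 (including the www2 alias) and dev on 10.129.229.150, with nothing for the SOA and NS records.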

Eyewitness: Visual Recon Made Easy

To quickly assess which subdomains hosted live content, I ran EyeWitness against the list. The --web flag selects HTTP screenshotting and is required by current versions; -f takes the file of hosts and -d names the output directory:

eyewitness --web -f file2 -d EyeWitnessDB

This produced screenshots and basic metadata for each subdomain, collected in report.html inside the EyeWitnessDB directory, where pages are grouped by response so default pages and login forms stand out. Because the list holds bare hostnames, EyeWitness prepends http:// to each; add --prepend-https if you also want the TLS side tried. It’s a fast way to get a sense of what’s running where, especially when juggling several potential web assets.

Gobuster: Digging Into Web Directories

Next, I ran Gobuster in dir mode against one of the more promising subdomains with a common wordlist. When the goal is to find upload handlers, it is worth passing -x with php (and any other server-side extensions the host uses) so that files, not only directories, are brute-forced.

This turned up some hidden paths and pages, including what appeared to be an upload endpoint.

Nmap for Initial Scanning

I started with a scan across the subnet to identify available services and potential targets. Here’s the basic nmap scan used:

nmap -sC -sV 10.10.110.0/24 --exclude 10.10.110.2

To dig deeper into web services, I ran a more aggressive scan with some useful HTTP-focused NSE scripts:

sudo nmap -A 10.10.110.0/24 --exclude 10.10.110.2 --script http-title,http-fetch,http-trace --script-args http.max-redirects=5 -oA 1st

This helped identify which hosts had HTTP services running and provided some insight into software versions and accessible titles. The -oA switch writes normal, grepable and XML copies (1st.nmap, 1st.gnmap and 1st.xml), which is what makes the results easy to feed into the other tools rather than re-scanning.
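One way to turn that grepable output into a target list for EyeWitness or Gobuster, as an added example that is not part of the original post: pull every open port whose service name contains "http" out of the .gnmap file and emit a URL for each, choosing https:// where nmap tagged the port as ssl. The scan lines below are constructed sample output (the hosts and versions are invented), not the lab’s real results.

```shell
# Added example, not from the original post. Extract open HTTP-ish services
# from nmap grepable output (what -oA 1st writes to 1st.gnmap) and print URLs.
# The scan lines below are a constructed sample; fields in .gnmap are tab-separated.

SAMPLE_GNMAP="$(
  printf '# Nmap 7.94 scan initiated as: nmap -sC -sV -oA 1st 10.10.110.0/24 --exclude 10.10.110.2\n'
  printf 'Host: 10.10.110.10 ()\tStatus: Up\n'
  printf 'Host: 10.10.110.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.41/\tIgnored State: closed (998)\n'
  printf 'Host: 10.10.110.20 ()\tPorts: 443/open/tcp//ssl|http//nginx 1.18.0/, 8080/open/tcp//http-proxy//?/\tIgnored State: closed (998)\n'
  printf 'Host: 10.10.110.30 ()\tPorts: 139/open/tcp//netbios-ssn//Samba smbd 4/, 445/open/tcp//netbios-ssn//Samba smbd 4/\tIgnored State: closed (998)\n'
  printf '# Nmap done: 256 IP addresses (3 hosts up) scanned\n'
)"

# Read .gnmap on stdin; print one URL per open port whose service contains
# "http". Ports nmap saw as ssl-wrapped get https://, everything else http://.
http_urls_from_gnmap() {
    awk -F'\t' '
        /^Host: / {
            split($1, h, " "); ip = h[2]
            for (i = 2; i <= NF; i++) {
                if (substr($i, 1, 7) != "Ports: ") continue
                n = split(substr($i, 8), ports, ", ")
                for (j = 1; j <= n; j++) {
                    # each entry is port/state/proto/owner/service/rpc/version/
                    split(ports[j], f, "/")
                    if (f[2] != "open" || f[5] !~ /http/) continue
                    scheme = (f[5] ~ /ssl|https/) ? "https" : "http"
                    print scheme "://" ip ":" f[1]
                }
            }
        }
    '
}

# Typical use with the real file, feeding EyeWitness directly:
#   http_urls_from_gnmap < 1st.gnmap > web_targets.txt
#   eyewitness --web -f web_targets.txt -d EyeWitnessDB
printf '%s\n' "$SAMPLE_GNMAP" | http_urls_from_gnmap
```

On the sample this yields http://10.10.110.10:80, https://10.10.110.20:443 and http://10.10.110.20:8080; the SMB-only host is left out.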

Analysing Upload Functionality

I examined the upload feature using Burp Suite. The form looked basic but functional, and initial testing showed that it was performing minimal validation.

I prepared a PHP test file with a double extension, .pdf.php, so that the name still ends in .php (the part the web server acts on) while a filter that only looks for .pdf, or only at the first extension, sees a PDF. I then intercepted the upload request in Burp, where the filename and the client-supplied Content-Type can be adjusted before the request goes out:

cp 7788778877887788.php 7788778877887788.pdf.php

The server accepted the upload. Since the name ends in .php, this means the server is not checking the final extension against an allowlist, and any MIME check it does is at most trusting the Content-Type the client sends. Acceptance is not yet code execution, though: the next steps are to find where the file was stored (the upload response or the Gobuster results usually point to it), request it, and see whether the PHP actually runs, because the upload directory may rename files or have the PHP handler disabled. Although I didn’t get the chance to fully exploit the upload or gain shell access, this step confirmed the presence of a vulnerability worth pursuing further.
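To make the double-extension trick concrete, here is an added example that is not code from the original post or the lab. It shows what the multipart upload looks like on the wire once the file is renamed to 7788778877887788.pdf.php, a weak extension check that the name slips past, and the hardened check (last extension against an allowlist, plus a content sniff) that stops it. The weak filter is assumed for illustration, not a claim about what the lab actually ran; the form field name "file" and the upload URL are likewise assumptions.

```shell
# Added example, not from the original post. (1) The multipart body Burp shows
# for the renamed file; (2) a weak first-extension blocklist that accepts
# "x.pdf.php"; (3) a hardened last-extension allowlist and PDF magic check.
# The field name "file", the blocklist and the TARGET URL are assumptions.

# Build a multipart/form-data body as sent by the upload form. The declared
# Content-Type still claims application/pdf although the filename ends in .php.
#   $1 filename to declare, $2 file body, $3 multipart boundary
build_upload_body() {
    printf -- '--%s\r\n' "$3"
    printf 'Content-Disposition: form-data; name="file"; filename="%s"\r\n' "$1"
    printf 'Content-Type: application/pdf\r\n\r\n'
    printf '%s\r\n' "$2"
    printf -- '--%s--\r\n' "$3"
}

# Weak filter (assumed): everything after the FIRST dot is compared with a
# blocklist, so "7788778877887788.pdf.php" is judged by "pdf.php", matches
# nothing and is accepted, while a plain "shell.php" is rejected.
weak_extension_check() {
    case "${1#*.}" in
        php|phtml|phar|php3|php5) return 1 ;;
    esac
    return 0
}

# Hardened filter: take the LAST extension, lowercase it, and require it to be
# on an allowlist. Double extensions and case games (.PHP) no longer help.
strict_extension_check() {
    ext=$(printf '%s' "${1##*.}" | tr '[:upper:]' '[:lower:]')
    case "$ext" in
        pdf|png|jpg|jpeg) return 0 ;;
    esac
    return 1
}

# Content check to pair with the allowlist: a PDF starts with the bytes %PDF,
# which a PHP payload does not, whatever the client claimed in Content-Type.
looks_like_pdf() {
    case "$1" in
        '%PDF'*) return 0 ;;
    esac
    return 1
}

# Sending the same thing with curl instead of Burp (TARGET is a placeholder;
# ";type=" sets the spoofed Content-Type the body above carries):
#   curl -F 'file=@7788778877887788.pdf.php;type=application/pdf' http://TARGET/upload

build_upload_body 7788778877887788.pdf.php '<?php phpinfo(); ?>' XBOUNDARY
```

The payload here is only phpinfo(); if the stored file executes, that page is proof the handler runs PHP, which is the point to establish before spending time on a shell.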
