Subdomain Enumeration — TryHackMe Walkthrough
Task 1:
Why do we need to find valid subdomains for a domain, and what is the purpose of subdomain enumeration? The aim is to widen the scope of the assessment and uncover more potential weaknesses. This walkthrough covers three subdomain enumeration approaches: Brute Force, OSINT (Open-Source Intelligence), and Virtual Host.
Start the machine and move on to the next task.
Question 1: What is a subdomain enumeration method beginning with B? Brute Force
Question 2: What is a subdomain enumeration method beginning with O? OSINT
Question 3: What is a subdomain enumeration method beginning with V? Virtual Host
Task 2:
To answer the question, visit crt.sh, search for the domain name tryhackme.com, identify the entry that was logged on 2020-12-26, and type that domain name into the answer box.
After entering the site, we type tryhackme.com in the search field and then click on the SEARCH button.
We are looking for the domain name that was logged on crt.sh on 2020-12-26.
Question 1: What domain was logged on crt.sh at 2020-12-26? store.tryhackme.com
Task 3:
We will use the Google search feature -site:www.tryhackme.com site:*.tryhackme.com to uncover a subdomain of tryhackme.com and answer the following question.
Question 1: What is the TryHackMe subdomain beginning with S discovered using the above Google search? store.tryhackme.com
Task 4:
Let's look at the results of the command dnsrecon -t brt -d acmeitsupport.thm (the -t brt option selects a brute-force scan of the domain).
Question 1: What is the first subdomain found with the dnsrecon tool? api.acmeitsupport.thm
Task 5:
The command ./sublist3r.py -d acmeitsupport.thm will be used.
Question 1: What is the first subdomain discovered by sublist3r? web55.acmeitsupport.thm
Task 6:
After starting our machine, we will be given the IP address of the target. Using this IP address, we will enumerate virtual hosts via ffuf by fuzzing the Host header. For this scan we will need the namelist.txt wordlist file.
We will use the command with the following syntax:
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://TARGET_IP_ADDRESS -fs 2395
The -fs 2395 option filters out every response whose size is 2395 bytes, which is the size of the default page the server returns for unknown Host names; only names that produce a different response remain. Sometimes the location of the namelist.txt file is different; you can use the locate namelist.txt command to find it.
Question 1: What is the first subdomain discovered? delta
Question 2: What is the second subdomain discovered? yellow
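To show what the ffuf run in Task 6 actually does (measure the default site once, then keep only Host names that answer differently), here is an added, self-contained Python example that is not part of the TryHackMe room or the ffuf project. It starts a constructed mock web server on loopback with two made-up virtual hosts and enumerates them the same way; the host names, page bodies and wordlist are all assumptions chosen for illustration.

```python
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed mock target (not a real host): a server with two name-based
# virtual hosts. Any other Host header falls through to the default site,
# whose constant size is exactly what ffuf's -fs filter is meant to discard.
DOMAIN = "acmeitsupport.thm"
VHOSTS = {
    f"delta.{DOMAIN}": b"<h1>delta - internal portal</h1>",
    f"yellow.{DOMAIN}": b"<h1>yellow - staging site</h1><p>build 42</p>",
}
DEFAULT_PAGE = b"<h1>ACME IT Support</h1><p>default site</p>" + b"." * 40

class VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = VHOSTS.get(host, DEFAULT_PAGE)  # unknown name -> default site
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def start_server():
    """Bind the mock server to a free loopback port and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def response_size(ip, port, host):
    """Body size returned when the request carries `host` in its Host header."""
    conn = HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    size = len(conn.getresponse().read())
    conn.close()
    return size

def enumerate_vhosts(ip, port, domain, wordlist):
    """Same logic as the ffuf run: record the default site's size once (the
    value you would pass to -fs), then keep names whose size differs."""
    baseline = response_size(ip, port, f"baseline-probe-000.{domain}")
    found = [n for n in wordlist if response_size(ip, port, f"{n}.{domain}") != baseline]
    return baseline, found

if __name__ == "__main__":
    srv = start_server()
    ip, port = srv.server_address
    print(enumerate_vhosts(ip, port, DOMAIN, ["www", "delta", "mail", "yellow"]))
```

Comparing against a single baseline size is fragile when the default page contains dynamic content (timestamps, CSRF tokens), which is why ffuf also offers filters on word or line counts; the baseline step here is the manual equivalent of picking the -fs value.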