1. Sub-Domains
1.1. FUZZ.vulntraining.co.uk
1.1.1. www.vulntraining.co.uk
1.1.1.1. [^FLAG^5F233E8A05F09CA99124A06E2C1FF21E^FLAG^] (page source)
1.1.1.2. Banner Picture
1.1.1.2.1. https://vulntraining.s3.eu-west-2.amazonaws.com/assets/heading.jpg
1.1.2. billing.vulntraining.co.uk
1.1.2.1. /login
1.1.2.1.1. /login?logout=true
1.1.2.1.2. /login/FUZZ -> nothing
1.1.2.1.3. LOGIN PAGE
1.1.2.2. /FUZZ -> Just Numbers -> 302
1.1.2.2.1. /2010/FUZZ -> nothing
1.1.2.2.2. /FUZZ -> nothing (after Login)
1.1.3. admin.vulntraining.co.uk
1.1.3.1. unauthorized
1.1.3.2. /FUZZ
1.1.3.2.1. /admin
1.1.3.2.2. /invoices
1.1.3.3. Use X-Token
1.1.3.3.1. /admin/users/FUZZ
1.1.3.3.2. /admin/
1.2. crt.sh
1.2.1. C867fc3a.vulntraining.co.uk
1.2.1.1. [^FLAG^7F38C568520EB31B3FC3ACE87C7560DB^FLAG^]
1.2.1.2. /FUZZ -> nothing
2. URLs
2.1. vulntraining.co.uk/FUZZ
2.1.1. /server
2.1.1.1. /server/login
2.1.1.1.1. [^FLAG^AB8DE736C07A33A87F437CD414140063^FLAG^]
2.1.1.1.2. /server/FUZZ -> nothing
2.1.1.1.3. /server/login/FUZZ -> nothing
2.1.1.1.4. LOGIN PAGE
2.1.1.2. HTTP: NGINX - Ver: 1.16.1 - Ports: 80,443 | PHP: Ver 7.2.24 - /var/run/php/php7.2-fpm.sock | MySQL: Ver 8.0 - Admin: http://vulntraining.co.uk/php-my-s3cret-admin
2.1.1.2.1. FPM vulnerability CVE-2019-11043
2.1.1.2.2. NGINX
2.1.2. /php-my-s3cret-admin
2.1.2.1. /FUZZ -> index.php
2.1.2.2. LOGIN PAGE
2.1.2.2.1. [^FLAG^83D5073A0634F73A277582D70A5BBAAA^FLAG^]
2.1.2.3. /php-my-s3cret-admin
2.1.2.3.1. billing_users
2.1.3. /framework (Forbidden)
2.1.3.1. /framework/FUZZ
2.1.3.1.1. /controllers
2.1.3.1.2. /models
2.1.3.1.3. /routes
2.1.3.1.4. /templates
2.1.4. /.git (forbidden)
2.1.4.1. /.git/FUZZ
2.1.4.1.1. /.git/config
2.1.4.1.2. /.git/index
2.2. robots.txt
2.2.1. /s3cr3T_d1r3ct0rY
2.2.1.1. [^FLAG^A3F0AAED20D5E3C37F807D848B6EEA48^FLAG^]
2.2.1.2. /s3cr3T_d1r3ct0rY/FUZZ
2.2.1.2.1. /s3cr3T_d1r3ct0rY/index.php/FUZZ
3. Other
3.1. dnsrecon
3.1.1. hostmaster.vulntraining.co.uk
3.2. filter urls
3.2.1. 10.10.34.35:80