Solving The Suspicious Domain – Hack The Box challenge



The Suspicious Domain is a very easy Hack The Box challenge in which we investigate a suspicious domain name and answer a series of questions about it.

All the information is already provided in the Hack The Box target interface, so let’s see how it goes!



Introduction

The scenario explains that the domain alexmorgan-reviews.net will be at the core of our investigation during this challenge. It is a domain used during a manipulation campaign that targeted a company named Techflow.

Opening the target website, we land on a “DomainScope” page listing 9 questions to be answered from the information found on the other tabs:

DomainScope page from The Suspicious Domain very easy challenge on Hack The Box

The questions are:

  1. (easy) What is the registrant’s email address from the WHOIS record?
  2. (easy) What is the complete phone number including country code?
  3. (medium) When was the domain created?
  4. (medium) What is the exact organization name from WHOIS?
  5. (easy) What city is listed in the registrant’s address?
  6. (hard) What is the domain’s transfer status?
  7. (medium) What company is being targeted?
  8. (easy) What email service is the threat actor using?
  9. (easy) How many GitHub Pages IPs are configured?

Let’s answer each of these questions in this writeup!


Question 1 – email address

“What is the registrant’s email address from the WHOIS record?”

In the WHOIS & Registration tab, we can easily find this data inside the “Registrant Contact” section:

Registrant Contact
─────────────────────────────────────────
Name: Alex Morgan
Organization: ******** ***** ****** ***
Street: 1247 Silicon Valley Blvd, Suite 200
City: *** ****
State/Province: California
Postal Code: *****
Country: US
Phone: +1-***-***-****
Email: ale*******@t**********.com

I had to hide the answer to this question, as well as the answers to the other questions…

The “Email” field gives away the answer.

Question 2 – phone number

“What is the complete phone number including country code?”

Still in the same section inside the WHOIS record, we quickly identify the phone number.

Refer to the previous WHOIS record to find the solution.

Question 3 – domain creation date

“When was the domain created? (Format: YYYY-MM-DD)”

Again, in the WHOIS record, inside the “Domain Information” section, the creation date of the domain name is specified:

Domain Information
─────────────────────────────────────────
Domain Name: ALEXMORGAN-REVIEWS.NET
Registry Domain ID: D12345678-LNIC
Registrar WHOIS Server: whois.netregistry.com
Registrar URL: http://www.netregistry.com
Updated Date: 2024-02-15T10:30:00Z
Creation Date: ****-**-**T14:22:15Z

Question 4 – organization name

“What is the exact organization name from WHOIS?”

Four questions in a row about the WHOIS data.

The organization’s full name is visible in the Registrant Contact section shared in the first question.

Question 5 – registrant’s city

“What city is listed in the registrant’s address?”

Again, the answer is written in plain text in the “Registrant Contact” section within the WHOIS data.

At this point this is not much of a challenge, or at best a reading challenge.

Question 6 – domain’s transfer status

“What is the domain’s transfer status?”

Interesting. The domain’s transfer status indicates whether the domain can be moved to another registrar. In WHOIS output it appears among the EPP status codes in the “Domain Status” field; a transfer lock set by the registrar or the registry is a common protection against domain hijacking.

This information is visible inside the WHOIS data, in the first part (“Domain Information”):

Domain Information
─────────────────────────────────────────
Domain Name: ALEXMORGAN-REVIEWS.NET
[...]
Domain Status: clientTransfer***********
WHOIS Privacy: Disabled

Question 7 – targeted company

“What company is being targeted?”

In the “Website Preview” tab, we can see that negative comments are posted about a company named Techflow.

It was also quite literally written in the challenge scenario on Hack The Box.

Question 8 – email service

“What email service is the threat actor using?”

Given the email address found earlier, the domain part (everything after the ‘@’) identifies the email service in use, which is te****il.

Question 9 – GitHub Pages IPs

“How many GitHub Pages IPs are configured?”

In the “DNS Records” tab, we find multiple A records pointing at GitHub Pages.

The answer is simply the number of these A records, which we can count on one hand.
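Every question so far came down to pulling one field out of a text dump, which is exactly the kind of thing worth scripting the next time a similar “read the record” tab shows up. The Python below is an added example, not part of the original writeup or of the challenge itself: it parses the sectioned “Key: Value” layout of the WHOIS tab and zone-style DNS records, then derives the nine answers (registrant fields, creation date trimmed to YYYY-MM-DD, transfer-related EPP status codes, the mail provider from the email’s domain part, and the A-record count). The sample WHOIS text, the DNS records and the 192.0.2.0/24 “hosting provider” range are constructed for this example and are not the challenge’s values.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same "Section / Key: Value" layout as the
# challenge's WHOIS tab. Every value is invented; none is a challenge answer.
SAMPLE_WHOIS = """\
Domain Information
─────────────────────────────────────────
Domain Name: EXAMPLE-REVIEWS.TEST
Registrar URL: http://registrar.example.test
Creation Date: 2023-11-02T14:22:15Z
Domain Status: serverTransferProhibited
Domain Status: clientHold
WHOIS Privacy: Disabled

Registrant Contact
─────────────────────────────────────────
Name: Jane Doe
Organization: Example Reviews LLC
City: Springfield
Country: US
Phone: +1-555-010-0000
Email: jane.doe@example-mail.test
"""

# Constructed zone-style DNS records. The three A records use the RFC 5737
# documentation range, standing in for a real provider's published ranges.
SAMPLE_DNS = """\
example-reviews.test.  3600  IN  A   192.0.2.10
example-reviews.test.  3600  IN  A   192.0.2.11
example-reviews.test.  3600  IN  A   192.0.2.12
example-reviews.test.  3600  IN  MX  10 mail.example-mail.test.
www.example-reviews.test.  3600  IN  CNAME  example-reviews.test.
"""

# Hypothetical provider ranges matching the sample; substitute real ones.
HOSTING_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_whois(text):
    """Parse the sectioned 'Key: Value' layout into {section: {key: [values]}}.
    Repeated keys (several Domain Status lines) keep every value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", "─"}:
            continue                          # blank line or separator rule
        if ":" not in line:
            current = line                    # a section heading
            sections[current] = defaultdict(list)
            continue
        if current is None:
            current = "(no section)"
            sections[current] = defaultdict(list)
        key, _, value = line.partition(":")   # first colon only: URLs keep theirs
        sections[current][key.strip()].append(value.strip())
    return sections


def first(whois, section, key):
    """First value of a field, or None if the section or key is absent."""
    values = whois.get(section, {}).get(key, [])
    return values[0] if values else None


def creation_date(whois):
    """Creation Date trimmed to YYYY-MM-DD, the format the question asks for."""
    stamp = first(whois, "Domain Information", "Creation Date")
    return stamp.split("T", 1)[0] if stamp else None


def transfer_statuses(whois):
    """EPP status codes that concern transfers, without any trailing URL."""
    statuses = whois.get("Domain Information", {}).get("Domain Status", [])
    return [s.split()[0] for s in statuses if "transfer" in s.lower()]


def email_provider(email):
    """Domain part of an address (the mail service), or None if malformed."""
    _, at, domain = email.rpartition("@")
    return domain.lower() if at else None


A_RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")


def a_records(dns_text):
    """(owner, address) pairs for every A record in zone-style text."""
    return [m.group(1, 2) for m in map(A_RECORD.match,
            (l.strip() for l in dns_text.splitlines())) if m]


def count_in_networks(records, networks):
    """How many A records point into the given provider ranges."""
    return sum(any(ipaddress.ip_address(a) in n for n in networks)
               for _, a in records)


def answers(whois_text=SAMPLE_WHOIS, dns_text=SAMPLE_DNS, networks=HOSTING_NETWORKS):
    """Derive the nine DomainScope-style answers from the two text blobs."""
    w = parse_whois(whois_text)
    email = first(w, "Registrant Contact", "Email")
    recs = a_records(dns_text)
    return {
        "email": email,
        "phone": first(w, "Registrant Contact", "Phone"),
        "created": creation_date(w),
        "organization": first(w, "Registrant Contact", "Organization"),
        "city": first(w, "Registrant Contact", "City"),
        "transfer_status": transfer_statuses(w),
        "email_service": email_provider(email) if email else None,
        "a_records": len(recs),
        "hosting_a_records": count_in_networks(recs, networks),
    }


if __name__ == "__main__":
    for name, value in answers().items():
        print(f"{name}: {value}")
```

The parser keeps repeated keys as lists on purpose: real WHOIS output routinely carries several “Domain Status” lines, and collapsing them to one value would silently drop a transfer lock. The A-record count is checked against a provider range rather than taken blindly, since a name can mix hosting-provider addresses with unrelated ones.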

And that was the last question of this challenge.


Final Thoughts on The Suspicious Domain from HTB

It was a very easy challenge, aimed at beginners who need an introduction to WHOIS and DNS vocabulary and to the different types of information attached to a domain name.

A bit too easy, as most of the questions required no thinking, just reading (or a Ctrl + F on the page).

But still a good challenge for beginners!


Disclaimer

This article is provided for educational purposes only.

All techniques demonstrated were performed in a controlled lab environment.

Do not attempt to reproduce these actions on systems you do not own or have explicit authorization to test.

I do not encourage or take responsibility for any illegal use of the information provided.
