Assignment

The document details the use of various tools for reconnaissance on hackthissite.org, including Sublist3r, theHarvester, and whois, resulting in the discovery of 17 unique subdomains, 13 URLs, 38 IPs, and an email address. It highlights the importance of these findings for penetration testing, as they reveal potential vulnerabilities and infrastructure insights. Additionally, it notes the use of external DNS services and a file indexing subdomain that could expose sensitive data.

Uploaded by

Sara Assimi

Task 1:

- Tool used for this task is:

sublist3r -d hackthissite.org

- Outputs of this task are (screenshots are provided):

www.hackthissite.org

ctf.hackthissite.org

h5ai.hackthissite.org

irc.hackthissite.org

ww.irc.hackthissite.org

lille.irc.hackthissite.org

wolf.irc.hackthissite.org

irc-ipv6.hackthissite.org

irc-v6.hackthissite.org

mail.hackthissite.org

mta-sts.hackthissite.org

status.hackthissite.org

status-new.hackthissite.org

Total Unique Subdomains Found: 17


I used Sublist3r to passively enumerate subdomains for hackthissite.org. Despite some
modules like DNSdumpster and VirusTotal failing due to rate limits or request blocking, the
tool still found 17 unique subdomains. These include subdomains related to mail, status, and
IRC services. As a penetration tester, identifying these is crucial—they may lead to different
servers, services, or applications that could have vulnerabilities.

Task 2:

Using the theHarvester tool:

I used theHarvester, a passive reconnaissance tool, to collect OSINT on hackthissite.org. It gathered 13
interesting URLs, 38 IPs, 95 hosts, and an email address. It also identified the AS number as AS16276,
which can help determine the network and hosting provider.

These findings are critical in the reconnaissance phase of penetration testing—they give insight into
potential entry points, systems in use, and people who may be part of the organization.

These are the results (screenshots are provided):

- ASNS (Autonomous System Number): AS16276
➤ Identifies the organization managing the IP block—can hint at hosting provider or geolocation.

- 13 Interesting URLs
➤ Can lead to web pages, services, or dev environments. These are useful for finding exposed pages or
endpoints.

- 38 IP Addresses
➤ Shows different servers/services hosting content for hackthissite.org—great for mapping their infrastructure.

- 1 Email Address ([email protected])
➤ Could be used in a social engineering simulation or to identify staff/contact people.

- 95 Hosts
➤ Likely represents discovered subdomains and associated hosts—broadens your attack surface as a pentester.

Using the whois tool:

I used the whois command to retrieve domain registration information for hackthissite.org. The
domain is registered through eNom, LLC, and was originally created on August 10, 2003. It’s currently
set to expire on August 10, 2025, which shows that the domain is actively maintained.

Most of the registrant and administrative information is redacted for privacy (likely due to GDPR), but I
was still able to identify the registrar, name servers (c.ns.buddyns.com, f.ns.buddyns.com, etc.), and
the fact that DNSSEC is not used.

As a penetration tester, this information can help assess the trustworthiness and age of the site,
identify who manages it, and check for signs of abandonment or weak DNS practices.
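
A domain owner can automate the same registration checks (expiry window, DNSSEC status, name-server provider) against their own WHOIS record. The Python below is an added example, not part of the original assignment; the WHOIS excerpt is constructed from the values reported above, and the field labels, the 90-day threshold and the function names parse_whois and audit are assumptions.

```python
import re
from datetime import date

# Constructed WHOIS excerpt: values are those reported in this write-up;
# the layout mimics common registry output and is not a captured response.
SAMPLE_WHOIS = """\
Domain Name: hackthissite.org
Registrar: eNom, LLC
Creation Date: 2003-08-10T00:00:00Z
Registry Expiry Date: 2025-08-10T00:00:00Z
Name Server: c.ns.buddyns.com
Name Server: f.ns.buddyns.com
DNSSEC: unsigned
"""

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (Name Server) accumulate."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.+?)\s*$", line)
        if m:
            fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def audit(fields, today, warn_days=90):
    """Return registration-hygiene findings for the domain owner to review."""
    findings = []
    expiry = date.fromisoformat(fields["registry expiry date"][0][:10])
    days_left = (expiry - today).days
    if days_left < 0:
        findings.append(f"registration expired on {expiry}")
    elif days_left < warn_days:
        findings.append(f"expires in {days_left} days ({expiry})")
    if fields.get("dnssec", ["unsigned"])[0].lower() == "unsigned":
        findings.append("DNSSEC unsigned: responses are not authenticated")
    # Naive provider grouping on the last two labels (ignores suffixes like co.uk).
    providers = {".".join(ns.lower().rstrip(".").split(".")[-2:])
                 for ns in fields.get("name server", [])}
    if len(providers) == 1:
        findings.append(f"all listed name servers at one provider: {providers.pop()}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_whois(SAMPLE_WHOIS), date.today()):
        print("-", finding)
```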

Screenshots:

Task 3:

1. BuddyNS: The domain uses BuddyNS for its DNS management. This tells me they rely on an
external DNS service provider rather than hosting DNS in-house. As a pentester, this helps me
understand the external services involved in their infrastructure, which may introduce third-party
risks.

2. h5ai (Web Interface): One of the subdomains includes h5ai, which is a modern web-based
file indexer. This might indicate public access to file directories or listings. As a pentester,
discovering this could lead me to exposed files, misconfigured permissions, or sensitive data.

I found two useful pieces of information:

First, the domain uses BuddyNS name servers, meaning they rely on third-party DNS services.
This expands the potential attack surface beyond just the website.

Second, one subdomain mentions h5ai, a file indexing service. If publicly accessible, it could
allow me to browse files and uncover sensitive directories.

These small details are important during recon—they help me understand the organization’s
setup and where vulnerabilities might exist.
