# Exploring the Domain

On visiting <http://dimension.worker.htb/#work> I see additional subdomain links for worker.htb. I can use curl and grep to parse all the subdomains, and also add these to /etc/hosts.

To explain: “-s” keeps it silent, so it will not show progress meters or errors; “-q” is to help create query sets. This option adds content, usually a name + value pair, to the end of the query part of the provided URL.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2F9I2MiEcmzEkjv0gbN9ak%2Fimage.png?alt=media&#x26;token=dad1f35e-e5dc-45af-a11d-63ad94508111" alt=""><figcaption></figcaption></figure>

“-o” is for output to write to file to only grab what was grep’d

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2F9eTUvbtwcqgn9V05u4ZY%2Fimage.png?alt=media&#x26;token=31aeb192-8a65-4b7d-a5d8-8b075e8863a4" alt=""><figcaption></figcaption></figure>

Added http\://, so now I only have a list of the domains.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FD9m1FCKlgxnmUxpnCdkn%2Fimage.png?alt=media&#x26;token=699439cf-97e6-4d61-b6c7-58e0d1e8be05" alt=""><figcaption></figcaption></figure>

Added | sed to make it easier to copy and paste the URLs as necessary.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FKYBL2bk9Es8Km3AVz6C1%2Fimage.png?alt=media&#x26;token=51c50cf7-9c23-441b-bad5-fdfff58425e1" alt=""><figcaption></figcaption></figure>

Now to double-check that the hosts file has been populated.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FK3fSiYfzDEF1vbhLO25x%2Fimage.png?alt=media&#x26;token=11608d08-72cf-4fcd-a7e0-7ce8dd6facd9" alt=""><figcaption></figcaption></figure>
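The curl, grep and sed steps above can be collected into one script. This is an added example, not the commands from the screenshots: the HTML sample, the subdomain names `one` and `two-b`, the function names and the address 192.0.2.10 are all constructed placeholders. It also refuses to append a name that is already in the hosts file, so repeated runs do not pile up duplicates.

```shell
#!/bin/sh
# Added example. The HTML is constructed; one/two-b are made-up subdomains.
sample_html() {
cat <<'EOF'
<a href="http://one.worker.htb">One</a>
<a href="http://two-b.worker.htb/">Two</a>
<a href="http://one.worker.htb/index.html">One again</a>
<a href="http://other.example.com/worker.htb">out of scope</a>
EOF
}

# Read HTML on stdin, print each unique *.worker.htb hostname once.
# grep -o prints only the matched text; sed strips the scheme.
extract_hosts() {
  grep -oE 'http://[a-z0-9-]+\.worker\.htb' | sed 's|^http://||' | sort -u
}

# Read hostnames on stdin and append "IP<TAB>host" to the hosts file given
# as $2, skipping any name that already appears as a field on a live line.
add_hosts() {
  ip=$1
  file=$2
  while read -r h; do
    if ! awk -v h="$h" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
         END { exit !found }' "$file" 2>/dev/null; then
      printf '%s\t%s\n' "$ip" "$h" >> "$file"
    fi
  done
}

# Demo against a scratch file; 192.0.2.10 is a placeholder address.
demo=$(mktemp)
sample_html | extract_hosts | add_hosts 192.0.2.10 "$demo"
cat "$demo"
rm -f "$demo"
```

In real use the HTML would come from `curl -s` against the page and the second argument to `add_hosts` would be /etc/hosts, which needs root to write.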

There doesn't seem to be anything of interest on any of these sites.

The second commit within the log looked interesting. So I used svn update -r 2 to bring the changes from the repository into our working directory. The revision (r) integers are incremented with each new commit to the repository.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FgKK2Q9EjMMLaH3cihh1T%2Fimage.png?alt=media&#x26;token=ac24601e-fd12-406b-97b4-2c7e315f0293" alt=""><figcaption></figcaption></figure>

From the command output above, we see that in this commit a file called moved.txt was deleted and a file named deploy.ps1 was added.

Looks like deploy.ps1 had some credentials for Nathen specifically.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FiRQtRL3cpmWi9Wd2jpul%2Fimage.png?alt=media&#x26;token=695d47fd-d00d-4295-a674-9ccf733bbd58" alt=""><figcaption></figcaption></figure>

The credentials don't work for Windows remote management, so I can instead look for any type of login functionality on the subdomains. The subdomain devops.worker.htb is configured to use basic authentication.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FNsNVG2lkaRKKPjDm3BfW%2Fimage.png?alt=media&#x26;token=98c733dd-26fb-4d77-8a9e-2d296dc137fb" alt=""><figcaption></figcaption></figure>

And I am in -

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FR6njPmMjjZfmKDdiioeG%2Fimage.png?alt=media&#x26;token=1c36c81f-2a52-4673-a001-6191f65810c3" alt=""><figcaption></figcaption></figure>
