Merchant Transaction Data Exposure
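While performing subdomain reconnaissance on the target site, the author used subfinder to find two dashboard subdomains, then fuzzed further with ffuf and discovered more potential subdomains. 2025-9-8 10:50:9 Author: infosecwriteups.com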

Basic Recon to Sensitive Data

SIDDHANT SHUKLA

Read for Freee..ee.e

structure

🐺Hunters,

I hope my write-ups are simple and easily understandable; even if you’re a beginner, they will be helpful in recon.

Introduction

As I have been hunting on my primary target for a long time, I have a rough idea of most of the subdomains of my target. One day, I decided to do recon on the dashboard-based subdomains of my target, and I got only two dashboard subdomains from subfinder:

dashboard.target.com
dashboard-staging.target.com

As I was just doing recon on those dashboards, I didn’t even try to log in with my user credentials. I moved forward with inspecting the page in the browser and didn’t find any sensitive file or directory.

More Dashboard

I started fuzzing dashboard-based subdomains with the SecLists DNS lists available on the internet:

ffuf -u https://dashboard-FUZZ.target.com/ -w subdomains.txt -mc 200
ffuf -u https://FUZZ-dashboard.target.com/ -w subdomains.txt -mc 200

After 15 minutes, I got a hit on one dashboard subdomain which subfinder hadn’t given me previously.
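
Seen from the defender's side, the two ffuf templates above leave a recognisable trace in DNS query logs. The following is an added example, not code from the original write-up: it flags a client that sweeps dashboard-FUZZ / FUZZ-dashboard names and lists the names that resolved for it. The log format, the function name find_permutation_sweeps, the thresholds and the sample lines (including every hostname in them) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Names shaped like the two ffuf templates in the write-up:
# dashboard-FUZZ.target.com and FUZZ-dashboard.target.com
PERMUTATION = re.compile(r"^(?:dashboard-[a-z0-9-]+|[a-z0-9-]+-dashboard)\.target\.com\.?$")

# Constructed sample log, assumed format: "epoch_seconds client qname rcode"
SAMPLE_LOG = """\
1757328600 203.0.113.7 dashboard-admin.target.com NXDOMAIN
1757328660 203.0.113.7 dashboard-dev.target.com NXDOMAIN
1757328720 203.0.113.7 qa-dashboard.target.com NXDOMAIN
1757329000 203.0.113.7 dashboard-test.target.com NXDOMAIN
1757329300 203.0.113.7 old-dashboard.target.com NXDOMAIN
1757329480 203.0.113.7 dashboard-legacy.target.com NOERROR
1757328900 198.51.100.20 dashboard-staging.target.com NOERROR
1757328905 198.51.100.20 dashboard.target.com NOERROR
"""

def find_permutation_sweeps(lines, window=900, min_names=5, min_nx_ratio=0.8):
    """Map each sweeping client to the pattern names that resolved for it.

    A sweep is min_names or more distinct pattern names from one client
    within `window` seconds, with at least min_nx_ratio answered NXDOMAIN.
    """
    per_client = defaultdict(list)  # client -> [(ts, qname, rcode)]
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue  # skip malformed lines
        ts, client, qname, rcode = parts
        qname = qname.lower()
        if PERMUTATION.match(qname):
            per_client[client].append((int(ts), qname, rcode))
    findings = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            chunk = events[start:end + 1]
            names = {q for _, q, _ in chunk}
            nx = {q for _, q, rc in chunk if rc == "NXDOMAIN"}
            if len(names) >= min_names and len(nx) / len(names) >= min_nx_ratio:
                # Names that answered are the hosts to check against the inventory
                findings[client] = sorted({q for _, q, rc in events if rc == "NOERROR"})
                break
    return findings

if __name__ == "__main__":
    print(find_permutation_sweeps(SAMPLE_LOG.splitlines()))
```

The default 900-second window matches the 15 minutes of fuzzing mentioned above; on an authoritative server the client column is usually the querying resolver rather than the end host.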


Article source: https://infosecwriteups.com/merchants-transaction-data-5a95f4afc59a?source=rss----7b722bfd1b8d--bug_bounty