L00 — Paper Trail
BRIEFING
specter0@a516e51a9bc0:~$ cat BRIEFING
MISSION: Paper Trail
====================
You are on contract to assess target-corp.local. Pre-engagement
recon only — NO active scanning of the target yet. Your job is
purely passive / OSINT-style intelligence gathering against
public-facing data the target has let slip.
Collect 8 distinct intel items AND declare which independent
sources you used to corroborate each one. Write them to
/tmp/intel.yaml in the format below, then run
/opt/verify-paper-trail.sh.
YAML fields required:
registrar: <current domain registrar>
registration_date: <original creation date, YYYY-MM-DD>
subdomains: [<two real subdomains>]
email_format: <canonical pattern, e.g. first.last@target-corp.local>
breach_credential:
user: <leaked email>
password: <leaked plaintext>
internal_host: <internal FQDN leaked publicly>
s3_bucket: <staging bucket discovered via CT>
cloud_provider: <primary IaaS provider>
sources: # which families backed each finding
registrar: [<family-1>, <family-2>]
registration_date: [<family-1>] # only one canonical path
subdomains: [<family-1>, <family-2>]
email_format: [<family-1>, <family-2>]
breach_credential: [<family-1>, <family-2>]
internal_host: [<family-1>, <family-2>]
s3_bucket: [<family-1>, <family-2>]
cloud_provider: [<family-1>, <family-2>]
Notes:
- "Source family" = a truly independent data source. Two queries
against the same engine count as ONE family.
- Allowed families: whois-current, whois-archive, hibp-2022,
hibp-2023, hibp-2024, ct-logs, github-mirror, web-recon,
ci-page, dns-direct.
- Submitting a documented decoy (e.g. the post-transfer date the
current WHOIS explicitly disclaims) trips a soft-rejection
canary. Read source notices before trusting their values.
REFERENCE READING (if you get stuck):
- bellingcat.com — open-source investigation methodology
- berkeleyprotocol.org / OHCHR Berkeley Protocol PDF — chain of custody
- osintcurious.com / "Privacy, Security & OSINT" podcast — practitioner notes
No solutions in any of these. Methodology only.
Ephemeral session — no persistent state.
whois-current
直接进行查询
specter0@93c3b0889a34:~$ whois target-corp.local
% IANA WHOIS server (simulated)
% for more information on IANA, visit http://www.iana.org
Domain Name: target-corp.local
Registry Domain ID: TGT-CORPREG-A8F2
Registrar WHOIS Server: whois.blockchainregistry.com
Registrar URL: http://www.blockchainregistry.com
Updated Date: 2024-07-15T09:23:11Z
Creation Date: 2024-07-15T09:23:11Z
Registrar Registration Expiration Date: 2026-07-15T09:23:11Z
Registrar: BlockchainRegistry Inc.
Registrar IANA ID: 9876
Registrar Abuse Contact Email: abuse@blockchainregistry.com
Registrar Abuse Contact Phone: +1.4155550199
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registry Registrant ID: REDACTED
Registrant Organization: target-corp
Registrant State/Province: DE
Registrant Country: US
Registrant Email: admin@target-corp.local
Name Server: NS1.BLOCKCHAINREGISTRY.COM
Name Server: NS2.BLOCKCHAINREGISTRY.COM
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System:
http://wdprs.internic.net/
>>> Last update of WHOIS database: 2026-04-24T12:00:00Z <<<
NOTICE: The creation date shown above reflects the most recent
transfer event. For the ORIGINAL registration date, query a
historical WHOIS archive — this registry does not persist pre-
transfer metadata.
dns-direct
查询 DNS
specter0@a516e51a9bc0:~$ dig ANY target-corp.local
; <<>> DiG 9.18.39-0ubuntu0.22.04.3-Ubuntu <<>> ANY target-corp.local
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26915
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;target-corp.local. IN ANY
;; ANSWER SECTION:
target-corp.local. 0 IN A 10.13.66.40
target-corp.local. 0 IN MX 10 aspmx.l.google.com.
;; ADDITIONAL SECTION:
aspmx.l.google.com. 0 IN A 10.13.66.40
;; Query time: 0 msec
;; SERVER: 10.13.66.20#53(10.13.66.20) (TCP)
;; WHEN: Sun May 03 09:44:11 UTC 2026
;; MSG SIZE rcvd: 112
web-recon
尝试使用域名进行访问
specter0@a516e51a9bc0:~$ curl -H "Host: target-corp.local" http://10.13.66.40
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>target-corp — Delivering tomorrow's infrastructure</title>
<meta name="description" content="target-corp delivers cloud-native infrastructure solutions for enterprise customers.">
<meta name="generator" content="corporate-static v4.1">
</head>
<body>
<header>
<h1>target-corp</h1>
<nav>
<a href="/">Home</a>
<a href="/team.html">Team</a>
<a href="/careers.html">Careers</a>
<a href="/press.html">Press</a>
</nav>
</header>
<main>
<section>
<h2>About us</h2>
<p>target-corp builds reliable distributed systems for Fortune 500 customers.
Founded in 2019, we are headquartered in Delaware with engineering in Austin.</p>
</section>
<section>
<h2>Products</h2>
<ul>
<li>Target Mesh — service-mesh for legacy workloads</li>
<li>Target Shield — managed WAF</li>
<li>Target Pipeline — CI/CD for hybrid estates</li>
</ul>
</section>
<section>
<h2>Contact</h2>
<p>All inquiries: <a href="mailto:contact@target-corp.local">contact@target-corp.local</a></p>
<p>Support: <a href="mailto:support@target-corp.local">support@target-corp.local</a></p>
</section>
</main>
<footer>
<p>© 2019–2026 target-corp · <a href="/robots.txt">robots</a></p>
</footer>
</body>
</html>
specter0@a516e51a9bc0:~$ curl -H "Host: target-corp.local" http://10.13.66.40/robots.txt
User-agent: *
Disallow: /staging/
Disallow: /internal/
Disallow: /.git/
# Dev + CI systems are hosted on their own subdomains per
# infrastructure policy. See public build logs at ci.target-corp.local.
枚举一下各个页面
specter0@93c3b0889a34:~$ curl -H "Host: target-corp.local" http://10.13.66.40/team.html
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>target-corp — Leadership</title>
</head>
<body>
<header><h1>target-corp · Team</h1>
<nav><a href="/">Home</a> <a href="/team.html">Team</a> <a href="/careers.html">Careers</a> <a href="/press.html">Press</a></nav>
</header>
<main>
<h2>Leadership</h2>
<article>
<h3>Margaret Chen — CEO</h3>
<p><a href="mailto:margaret.chen@target-corp.local">margaret.chen@target-corp.local</a></p>
<p>Margaret founded target-corp in 2019 after a decade at FAANG infrastructure roles.</p>
</article>
<article>
<h3>David Okonkwo — CTO</h3>
<p><a href="mailto:david.okonkwo@target-corp.local">david.okonkwo@target-corp.local</a></p>
<p>David leads engineering across mesh, shield, and pipeline products.</p>
</article>
<article>
<h3>Priya Raghavan — VP Engineering</h3>
<p><a href="mailto:priya.raghavan@target-corp.local">priya.raghavan@target-corp.local</a></p>
<p>Priya joined 2020 from Google Cloud infrastructure.</p>
</article>
<article>
<h3>Alex Morales — Director of Platform</h3>
<p><a href="mailto:alex.morales@target-corp.local">alex.morales@target-corp.local</a></p>
<p>Alex owns the target-corp platform group.</p>
</article>
<article>
<h3>Jordan Sato — Head of People</h3>
<p><a href="mailto:jordan.sato@target-corp.local">jordan.sato@target-corp.local</a></p>
<p>Jordan runs hiring, retention, and engineering culture programs.</p>
</article>
</main>
<footer><p>© target-corp</p></footer>
</body>
</html>
specter0@93c3b0889a34:~$ curl -H "Host: target-corp.local" http://10.13.66.40/careers.html
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>target-corp — Careers</title>
</head>
<body>
<header><h1>target-corp · Careers</h1>
<nav><a href="/">Home</a> <a href="/team.html">Team</a> <a href="/careers.html">Careers</a> <a href="/press.html">Press</a></nav>
</header>
<main>
<h2>Work with us</h2>
<p>All applications go through <a href="mailto:jobs@target-corp.local">jobs@target-corp.local</a>.</p>
<p>Reach any hiring manager directly using the standard corporate pattern: <strong>first.last@target-corp.local</strong>.</p>
<h2>Open roles</h2>
<article>
<h3>Senior Platform Engineer — Austin</h3>
<p>Report to Priya Raghavan.</p>
<p>Reach our hiring lead: <a href="mailto:recruiting.austin@target-corp.local">recruiting.austin@target-corp.local</a></p>
</article>
<article>
<h3>SRE — Remote (US)</h3>
<p>Report to Alex Morales.</p>
<p>Hiring manager: <a href="mailto:alex.morales@target-corp.local">alex.morales@target-corp.local</a></p>
</article>
<article>
<h3>Security Engineer — Austin</h3>
<p>Report to David Okonkwo.</p>
<p>Hiring contact: <a href="mailto:david.okonkwo@target-corp.local">david.okonkwo@target-corp.local</a></p>
</article>
<h2>Employee perks</h2>
<ul>
<li>Workspace on Google Workspace</li>
<li>Annual learning & certification stipend (up to $2k/year)</li>
<li>Remote-first for engineering roles</li>
</ul>
</main>
<footer><p>© target-corp · Reach HR via jordan.sato@target-corp.local</p></footer>
</body>
</html>
specter0@93c3b0889a34:~$ curl -H "Host: target-corp.local" http://10.13.66.40/press.html
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>target-corp — Press</title>
</head>
<body>
<header><h1>target-corp · Press</h1>
<nav><a href="/">Home</a> <a href="/team.html">Team</a> <a href="/careers.html">Careers</a> <a href="/press.html">Press</a></nav>
</header>
<main>
<h2>Press contacts</h2>
<p>For press inquiries email <a href="mailto:press@target-corp.local">press@target-corp.local</a>.</p>
<p>For executive interviews, reach the individual directly using <code>first.last@target-corp.local</code>.</p>
<h2>Recent mentions</h2>
<article>
<h3>TechCrunch — March 2024</h3>
<p>Quoted: David Okonkwo, CTO (david.okonkwo@target-corp.local). Covered target-corp's migration to a cloud-native platform.</p>
</article>
<article>
<h3>The Information — November 2023</h3>
<p>Quoted: Margaret Chen, CEO. Interview at margaret.chen@target-corp.local.</p>
</article>
<article>
<h3>SRE Weekly — 2023</h3>
<p>Case study from target-corp's Platform team (alex.morales@target-corp.local) on running a multi-region control plane.</p>
</article>
<h2>Brand assets</h2>
<p>Logo pack, photos, and official bios available at <a href="/press-kit.zip">/press-kit.zip</a>.</p>
</main>
<footer><p>© target-corp</p></footer>
</body>
</html>
那很有意思了,存在有其他domain
ci-page
specter0@a516e51a9bc0:~$ dig +short ci.target-corp.local
10.13.66.40
specter0@a516e51a9bc0:~$ curl -H "Host: ci.target-corp.local" http://10.13.66.40
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>target-corp CI</title>
</head>
<body>
<h1>target-corp · Continuous Integration</h1>
<p>Public status page for the target-corp CI pipeline.</p>
<h2>Build log archive</h2>
<ul>
<li><a href="/build-log.txt">build-log.txt</a> — most recent Platform build</li>
<li><a href="/build-log-mesh.txt">build-log-mesh.txt</a> — Target Mesh</li>
<li><a href="/build-log-shield.txt">build-log-shield.txt</a> — Target Shield</li>
</ul>
<h2>Policies</h2>
<p>Build logs are retained publicly for 30 days to comply with our open-source
transparency commitment. Internal hostnames and secret material are
scrubbed before publishing — report leaks to <a href="mailto:security@target-corp.local">security@target-corp.local</a>.</p>
</body>
</html>
于是乎查看日志文件
build-log.txt
==================================================================
target-corp Platform CI — Build #4812
Pipeline: platform/main @ 7f4a2e9c
Triggered: 2026-04-19T14:02:17Z by ci-bot (push)
Runner: buildbox01.corp.internal (linux/x86_64, 32-core)
==================================================================
[14:02:17] Cloning https://github.local/target-corp/platform.git ...
[14:02:19] Repository cloned (revision 7f4a2e9c)
[14:02:19] Submodules: none
[14:02:20] ---- stage: setup ----
[14:02:20] runner hostname: buildbox01.corp.internal
[14:02:20] runner kernel: 5.15.0-91-generic
[14:02:20] python: 3.11.7
[14:02:20] go: 1.22.1
[14:02:20] docker: 24.0.7
[14:02:21] ---- stage: lint ----
[14:02:21] $ golangci-lint run ./...
[14:02:34] Linting passed (123 files, 0 issues).
[14:02:34] ---- stage: unit tests ----
[14:02:34] $ go test -race ./...
[14:03:52] PASS: 482/482 tests
[14:03:52] coverage: 84.1% of statements
[14:03:53] ---- stage: integration tests ----
[14:03:53] Spinning up ephemeral dependencies ...
[14:03:55] - postgres (pg-14-alpine) on buildbox01.corp.internal:55432
[14:03:55] - redis (redis-7.2) on buildbox01.corp.internal:56379
[14:03:55] - s3 mock (minio) on buildbox01.corp.internal:59000
[14:04:01] $ go test -tags=integration ./...
[14:04:58] PASS: 61/61 integration tests
[14:04:59] ---- stage: container build ----
[14:04:59] $ docker build -t target-corp/platform:7f4a2e9c .
[14:05:41] Image built, size 148MB
[14:05:41] $ docker push target-corp/platform:7f4a2e9c
[14:05:58] Pushed to registry.corp.internal (mirror on buildbox01.corp.internal).
[14:05:59] ---- stage: artifact upload ----
[14:05:59] $ aws s3 cp dist/platform-7f4a2e9c.tgz s3://s3-staging/platform/ --region us-east-1
[14:06:03] upload: dist/platform-7f4a2e9c.tgz to s3://s3-staging/platform/platform-7f4a2e9c.tgz (92MB)
[14:06:04] ---- stage: deploy to dev ----
[14:06:04] $ kubectl --context=dev apply -f manifests/
[14:06:09] deployment.apps/platform configured
[14:06:09] ---- stage: smoke ----
[14:06:15] All smoke probes green.
[14:06:16] ==== BUILD #4812 PASSED ====
[14:06:16] Total wall clock: 3m 59s
[14:06:16] Artifacts:
[14:06:16] - s3://s3-staging/platform/platform-7f4a2e9c.tgz
[14:06:16] - registry.corp.internal/target-corp/platform:7f4a2e9c
[14:06:16] Contact on failure: alex.morales@target-corp.local
[14:06:16] Build host: buildbox01.corp.internal
还发现有 github.local
specter0@a516e51a9bc0:~$ dig @10.13.66.20 github.local
; <<>> DiG 9.18.39-0ubuntu0.22.04.3-Ubuntu <<>> @10.13.66.20 github.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; WARNING: .local is reserved for Multicast DNS
;; You are currently testing what happens when an mDNS query is leaked to DNS
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16797
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;github.local. IN A
;; ANSWER SECTION:
github.local. 0 IN A 10.13.66.70
;; Query time: 0 msec
;; SERVER: 10.13.66.20#53(10.13.66.20) (UDP)
;; WHEN: Sun May 03 09:58:53 UTC 2026
;; MSG SIZE rcvd: 57
进行枚举
specter0@a516e51a9bc0:~$ curl -H "Host: github.local" http://10.13.66.70
<html>
<head><title>Index of /</title></head>
<body>
<h1>Index of /</h1><hr><pre><a href="../">../</a>
<a href="target-corp/">target-corp/</a> 24-Apr-2026 22:22 -
</pre><hr></body>
</html>
specter0@a516e51a9bc0:~$ curl -H "Host: github.local" http://10.13.66.70/target-corp/platform/
<html>
<head><title>Index of /target-corp/platform/</title></head>
<body>
<h1>Index of /target-corp/platform/</h1><hr><pre><a href="../">../</a>
<a href="archive/">archive/</a> 25-Apr-2026 12:09 -
<a href="README.md">README.md</a> 26-Apr-2026 15:45 429
</pre><hr></body>
</html>
查看仓库的 README.md
# target-corp/platform
Public mirror of the target-corp Platform monorepo.
## Build / test
\`\`\`
make build
make test
\`\`\`
## CI
Builds run on buildbox01.corp.internal. Logs at http://ci.target-corp.local/.
## Maintainers
- Alex Morales (alex.morales@target-corp.local) — owner
- Priya Raghavan (priya.raghavan@target-corp.local) — reviewer
## Archive
Old config artefacts retained under `archive/` for audit purposes.
hibp
经过枚举,确认三个服务器的存在
specter0@93c3b0889a34:/tmp$ curl -s http://10.13.66.50/
{
"service": "hibp-2022",
"version": "1.0",
"usage": "POST /lookup with {\"email\": \"...\"} or {\"domain\": \"...\"}"
}
specter0@93c3b0889a34:/tmp$ curl -s http://10.13.66.51/
{
"service": "hibp-2023",
"version": "1.0",
"usage": "POST /lookup with {\"email\": \"...\"} or {\"domain\": \"...\"}"
}
specter0@93c3b0889a34:/tmp$ curl -s http://10.13.66.52/
{
"service": "hibp-2024",
"version": "1.0",
"usage": "POST /lookup with {\"email\": \"...\"} or {\"domain\": \"...\"}"
}
获取泄露数据
specter0@93c3b0889a34:/tmp$ curl -s -X POST -d '{"domain": "target-corp.local"}' http://10.13.66.50/lookup
{
"ok": true,
"year": "2022",
"query": {
"domain": "target-corp.local"
},
"hits": [
{
"user": "jordan.sato@target-corp.local",
"password_hash": "$2b$10$REDACTED",
"source": "linkedin-2016-reshare",
"verified": true,
"note": "hash only; plaintext unavailable"
},
{
"user": "margaret.chen@target-corp.local",
"password_hash": "$2b$10$REDACTED",
"source": "dropbox-2012-reshare",
"verified": true,
"note": "hash only; plaintext unavailable"
}
]
}
specter0@93c3b0889a34:/tmp$ curl -s -X POST -d '{"domain": "target-corp.local"}' http://10.13.66.51/lookup
{
"ok": true,
"year": "2023",
"query": {
"domain": "target-corp.local"
},
"hits": [
{
"user": "alex.morales@target-corp.local",
"password": "Summer2024!",
"source": "atlasbreach-2023",
"verified": true,
"note": "plaintext confirmed \u2014 paste corroborated across 3 independent public pastes 2023-11..2024-02; password reuse pattern matches known AtlasBreach exfil shape"
},
{
"user": "david.okonkwo@target-corp.local",
"password_hash": "$argon2id$REDACTED",
"source": "atlasbreach-2023",
"verified": true,
"note": "hash only; no plaintext recovery"
},
{
"user": "priya.raghavan@target-corp.local",
"password_hash": "$argon2id$REDACTED",
"source": "atlasbreach-2023",
"verified": true,
"note": "hash only; no plaintext recovery"
}
]
}
specter0@93c3b0889a34:/tmp$ curl -s -X POST -d '{"domain": "target-corp.local"}' http://10.13.66.52/lookup
{
"ok": true,
"year": "2024",
"query": {
"domain": "target-corp.local"
},
"hits": [
{
"user": "alex.morales@target-corp.local",
"password": "alexm2020",
"source": "bloggerleak-aggregate",
"verified": false,
"note": "UNVERIFIED RUMOR \u2014 forwarded by untrusted aggregator account @bloggerleak on 2024-09-03; no original paste, no hash collision against any known 2024 corpus; aggregator has 3 known false-positive rumors in prior quarters"
},
{
"user": "hr-portal@target-corp.local",
"password": "WelcomePlatform2024",
"source": "shadowchronicle-2024",
"verified": true,
"note": "shared service account; plaintext confirmed via original paste 2024-06-12"
}
]
}
ct-logs
经过枚举,确定服务器所在位置
specter0@93c3b0889a34:/tmp$ curl -s "http://10.13.66.60/"
{
"service": "ct",
"version": "1.0",
"usage": "GET /search?domain=<domain>"
}
发起查询
specter0@93c3b0889a34:/tmp$ curl -s "http://10.13.66.60/search?domain=target-corp.local"
{
"ok": true,
"domain": "target-corp.local",
"certs": [
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "target-corp.com",
"name_value": "target-corp.com\nwww.target-corp.com",
"id": 4819234001,
"entry_timestamp": "2024-07-20T12:44:02.000Z",
"not_before": "2024-07-20T11:44:02.000Z",
"not_after": "2024-10-18T11:44:01.000Z",
"serial_number": "03a1b2c3d4e5f6"
},
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "dev.target-corp.com",
"name_value": "dev.target-corp.com",
"id": 4819234002,
"entry_timestamp": "2024-08-02T09:10:55.000Z",
"not_before": "2024-08-02T08:10:55.000Z",
"not_after": "2024-10-31T08:10:54.000Z",
"serial_number": "03a1b2c3d4e5f7"
},
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "ci.target-corp.com",
"name_value": "ci.target-corp.com",
"id": 4819234003,
"entry_timestamp": "2024-08-02T09:11:14.000Z",
"not_before": "2024-08-02T08:11:14.000Z",
"not_after": "2024-10-31T08:11:13.000Z",
"serial_number": "03a1b2c3d4e5f8"
},
{
"issuer_ca_id": 17156,
"issuer_name": "C=US, O=Amazon, OU=Server CA 1B, CN=Amazon",
"common_name": "*.s3-staging.target-corp.com",
"name_value": "*.s3-staging.target-corp.com",
"id": 4820118777,
"entry_timestamp": "2024-03-14T08:02:40.000Z",
"not_before": "2024-03-14T00:00:00.000Z",
"not_after": "2025-04-14T23:59:59.000Z",
"serial_number": "07c9a1b2d3e4f5"
},
{
"issuer_ca_id": 17156,
"issuer_name": "C=US, O=Amazon, OU=Server CA 1B, CN=Amazon",
"common_name": "*.cloudfront.net",
"name_value": "d123abc.cloudfront.net",
"id": 4820118999,
"entry_timestamp": "2024-03-14T10:21:08.000Z",
"not_before": "2024-03-14T00:00:00.000Z",
"not_after": "2025-04-14T23:59:59.000Z",
"serial_number": "07c9a1b2d3e4f6"
}
]
}
whois-archive
specter0@93c3b0889a34:/tmp$ echo "target-corp.local" | nc -vn 10.13.66.31 43
Connection to 10.13.66.31 43 port [tcp/*] succeeded!
% HistoricalWHOIS Archive — snapshot search
% Results are frozen at the indicated snapshot date.
%
% Note: this archive predates the 2024-07-15 registrar transfer.
% For current authoritative data, query the live registry.
[snapshot_date: 2024-06-30]
Domain Name: target-corp.local
Registrar: CorporateRegistry Services LLC
Registrar IANA ID: 1147
Updated Date: 2022-03-22T14:08:44Z
Creation Date: 2019-03-22T14:08:44Z
Registrar Registration Expiration Date: 2024-07-15T14:08:44Z
Registrant Organization: target-corp
Registrant State/Province: DE
Registrant Country: US
Registrant Email: admin@target-corp.local
Name Server: NS1.CORPREGSERV.NET
Name Server: NS2.CORPREGSERV.NET
DNSSEC: unsigned
[snapshot_date: 2019-04-02]
Domain Name: target-corp.local
Registrar: CorporateRegistry Services LLC
Creation Date: 2019-03-22T14:08:44Z
Registrant Organization: target-corp (then trading as Target Holdings LLC)
Registrant Country: US
>>> History: 11 snapshots between 2019-04-02 and 2024-06-30 <<<
ct-logs
specter0@93c3b0889a34:/tmp$ curl -s http://10.13.66.60/search?domain=target-corp.local
{
"ok": true,
"domain": "target-corp.local",
"certs": [
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "target-corp.com",
"name_value": "target-corp.com\nwww.target-corp.com",
"id": 4819234001,
"entry_timestamp": "2024-07-20T12:44:02.000Z",
"not_before": "2024-07-20T11:44:02.000Z",
"not_after": "2024-10-18T11:44:01.000Z",
"serial_number": "03a1b2c3d4e5f6"
},
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "dev.target-corp.com",
"name_value": "dev.target-corp.com",
"id": 4819234002,
"entry_timestamp": "2024-08-02T09:10:55.000Z",
"not_before": "2024-08-02T08:10:55.000Z",
"not_after": "2024-10-31T08:10:54.000Z",
"serial_number": "03a1b2c3d4e5f7"
},
{
"issuer_ca_id": 2391,
"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
"common_name": "ci.target-corp.com",
"name_value": "ci.target-corp.com",
"id": 4819234003,
"entry_timestamp": "2024-08-02T09:11:14.000Z",
"not_before": "2024-08-02T08:11:14.000Z",
"not_after": "2024-10-31T08:11:13.000Z",
"serial_number": "03a1b2c3d4e5f8"
},
{
"issuer_ca_id": 17156,
"issuer_name": "C=US, O=Amazon, OU=Server CA 1B, CN=Amazon",
"common_name": "*.s3-staging.target-corp.com",
"name_value": "*.s3-staging.target-corp.com",
"id": 4820118777,
"entry_timestamp": "2024-03-14T08:02:40.000Z",
"not_before": "2024-03-14T00:00:00.000Z",
"not_after": "2025-04-14T23:59:59.000Z",
"serial_number": "07c9a1b2d3e4f5"
},
{
"issuer_ca_id": 17156,
"issuer_name": "C=US, O=Amazon, OU=Server CA 1B, CN=Amazon",
"common_name": "*.cloudfront.net",
"name_value": "d123abc.cloudfront.net",
"id": 4820118999,
"entry_timestamp": "2024-03-14T10:21:08.000Z",
"not_before": "2024-03-14T00:00:00.000Z",
"not_after": "2025-04-14T23:59:59.000Z",
"serial_number": "07c9a1b2d3e4f6"
}
]
}
综上
.40是主站.50-.52是 HIBP 系列.60是 CT 系列.70是 GitHub 镜像
通过 dns 反向查询,获取当前内网结构
10.13.66.30 -> whois.local.
10.13.66.31 -> whois.historical.local.
10.13.66.40 -> target-corp.local.
10.13.66.50 -> hibp-2022.local.
10.13.66.51 -> hibp-2023.local.
10.13.66.52 -> hibp-2024.local.
10.13.66.60 -> ct-logs.local.
10.13.66.70 -> github.local.
借此,构建出来最终的答案
registrar: BlockchainRegistry Inc.
registration_date: "2019-03-22"
subdomains:
- ci.target-corp.local
- dev.target-corp.local
email_format: first.last@target-corp.local
breach_credential:
user: alex.morales@target-corp.local
password: Summer2024!
internal_host: buildbox01.corp.internal
s3_bucket: s3-staging
cloud_provider: AWS
sources:
registrar: [whois-current, whois-archive]
registration_date: [whois-archive]
subdomains: [ct-logs, web-recon]
email_format: [ci-page, web-recon]
breach_credential: [hibp-2023, hibp-2024]
internal_host: [ci-page, github-mirror]
s3_bucket: [ct-logs, ci-page]
cloud_provider: [ci-page, ct-logs]