Hello, I am up to this point and could use a hint. Spoiler: I know the parent company's URL via one subdomain, which unfortunately, in comparison to the similar "roastednready" subdomain, is not vulnerable. I searched the parent company's URL via sfuzzer and osintscan (Google, Bing, Yahoo) and also tried fingerprinting the URL with the 10 subdomains used by roastednready, but no vulnerable subdomain came up.
From memory, this one was straight-up. Spoiler: have you tried osintscanning the IP addresses? (I'm guessing this isn't a huge spoiler if you're up to this bit, but I figure you might have forgotten..?)
Yes, that's how I got from the initial URL to... Spoiler: the subdomain jobs.bates... - but this subdomain isn't vulnerable and no osint or sfuzzer gives me another subdomain for bates.
Spoiler: it's a good tip that when you are connected to a new server you should run a sfuzzer to see what comes up - and you shouldn't always just sfuzzer for the domain you are connected to......
Hmmm.... going from what I can recall.... Spoiler: ...if my memory is correct, when connected to the rnr server an sfuzz of bb for a while gave a list of bb subdomains... hopefully someone else can confirm!
Hope this one isn't too big a giveaway... Spoiler: batesbeverages is a parent company... it's linked with another network. If you can connect to that other network, sfuzzer might be able to come up with something...