Marial's Notes

recon_06 (vhost)

Last updated 7 months ago

OBJECTIVE

For this challenge, your goal is to access the default virtual host ("vhost").

FUZZING DIRECTORIES

When accessing a new webserver, it often pays off to replace the hostname with the IP address or to provide a random Host header in the request: a Host value that matches no configured site makes the server answer with its default virtual host instead. To do this, you can either modify the request in a web proxy or use:

curl -H "Host: ...."

SOLUTION

Solution #1:

Resolve the domain name to its IP address.

dig (Domain Information Groper) is used to query DNS servers. This command will return details such as the A record (the IP address of hackycorp.com), which you’ll use in later steps.

dig hackycorp.com

Connect the client to the IP address:

curl http://51.X.X.X/ -v
  • The command makes a request directly to the IP address and, with -v, shows the entire exchange, including the HTTP request and response headers. Because the Host header now carries the IP rather than the site name, the server answers with its default virtual host, and that response can contain the key for the challenge.

Solution #2:

Access the IP on a browser to get the flag.

Additional Notes:

curl http://hackycorp.com/ -v
  • If we just use the URL instead of the IP, we only get the normal HTML response, because we are reaching the website itself.

  • The difference is the Host header: curl sets it to hackycorp.com from the URL, so the request matches the configured virtual host.

Additional Notes (cont.):

But if we add a header, we'll get the flag:

curl http://hackycorp.com/ -v -H "Host: test"
  • -v: verbose output (shows the request and response headers)

  • -H: add a request header
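The check these notes walk through by hand (request the site by its name, then by IP or with a non-matching Host header, and compare) is easy to script so a site owner can confirm whether a server exposes a default vhost at all. The script below is an added example, not part of these notes or of PentesterLab's material. It runs against a constructed local server that imitates a site with one named vhost and a separate default vhost, so it works offline; SITE_NAME, the handler's sample bodies and the probe Host values are assumptions. To run it against a real server, call check_default_vhost() with that server's IP, port and site name.

```python
"""Does a web server answer differently when the Host header does not
match the site name?  If so, it serves a separate default virtual host,
which is exactly what curl -H "Host: ..." exposes.

Added example, not from these notes or PentesterLab.  The server below
is a constructed stand-in so the check runs offline.
"""
import hashlib
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

SITE_NAME = "hackycorp.com"  # assumed name the site is configured to answer to


class VhostHandler(BaseHTTPRequestHandler):
    """Constructed server: one named vhost plus a catch-all default vhost."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        if host == SITE_NAME:
            body = b"<html><body>Welcome to hackycorp</body></html>\n"
        else:
            # Anything else lands on the default vhost, whose content the
            # site owner may never have intended to expose publicly.
            body = b"default vhost: staging page (constructed sample)\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_args):
        pass  # keep the demo quiet


def fetch(ip, port, host_header, path="/"):
    """GET path from ip:port with an explicit Host header.

    Returns (status, sha256 of body) so responses can be compared without
    keeping bodies around.  Supplying Host in headers makes http.client
    skip its own Host header, the same effect as curl -H "Host: ...".
    """
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        body = resp.read()
        return resp.status, hashlib.sha256(body).hexdigest()
    finally:
        conn.close()


def check_default_vhost(ip, port, site_name):
    """Compare the named site against requests that match no vhost.

    Returns {host_header: True if the response differs from the named site}.
    The site_name entry is a control and should be False; a True entry
    means the server exposes a default vhost whose content is worth review.
    """
    baseline = fetch(ip, port, site_name)
    probes = [site_name, ip, "test", "does-not-exist.invalid"]  # assumed values
    return {h: fetch(ip, port, h) != baseline for h in probes}


def run_demo():
    """Start the constructed server on a free port and run the check."""
    server = HTTPServer(("127.0.0.1", 0), VhostHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_default_vhost("127.0.0.1", port, SITE_NAME)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for host_header, differs in run_demo().items():
        verdict = "DIFFERENT (default vhost)" if differs else "same as site"
        print(f"Host: {host_header!r:28} -> {verdict}")
```

Comparing a hash of the body rather than the status code matters here: in the notes both the named site and the default vhost return 200, and only the content tells them apart.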

PentesterLab: Recon 06