recon_07 (vhost over TLS)

View the exercise here: PentesterLab: Recon 07

OBJECTIVE

For this challenge, your goal is to access the default virtual host ("vhost") over TLS.

DEFAULT VHOST OVER TLS

When accessing a new webserver, it often pays off to replace the hostname with the IP address or to provide a random Host header in the request. To do this, you can either modify the request in a web proxy or use:

curl -H "Host: ...."

This time, you need to check the TLS version of the website to get the key.

SOLUTION

This command performs a DNS lookup to retrieve the IP address associated with the domain hackycorp.com.

dig hackycorp.com

curl https://51.X.X.X/
  • curl is used to send HTTP requests to the given IP address. In this case, you're trying to access the site using its IP directly over TLS (https://). However, because the IP address does not match the hostname in the SSL certificate, this step is likely to fail with an SSL error.


curl https://51.X.X.X --insecure -v
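  • The --insecure flag tells curl to skip certificate verification, so the request goes through even though the certificate does not match the IP address.
  • The -v flag enables verbose mode, showing you detailed information about the request, including SSL/TLS handshake details, headers, and response.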
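
Why the plain request to the IP address fails verification, as an added example that is not part of the original write-up: a client compares the name it connected to against the certificate's subjectAltName entries, and an IP literal is only ever compared with IP entries. The certificate below is constructed, uses placeholder names rather than the exercise's values, and follows the dict shape returned by Python's ssl.SSLSocket.getpeercert(); cert_covers and _dns_match are hypothetical helper names.

```python
import ipaddress

# Constructed certificate in the dict shape returned by ssl.SSLSocket.getpeercert().
# The names are placeholders, not values from the exercise.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.example.test")),
}


def _dns_match(pattern, host):
    """Match one DNS SAN; a wildcard covers only the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert, target):
    """Return True if the certificate's SAN list covers target (hostname or IP)."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only compared with "IP Address" SAN entries,
        # never with DNS names, so a DNS-only certificate always fails here.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, target) for kind, value in sans)


if __name__ == "__main__":
    # The hostname requests verify; the request by IP address does not.
    for target in ("www.example.test", "api.example.test", "192.0.2.10"):
        print(target, cert_covers(SAMPLE_CERT, target))
```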
