recon_07 (vhost over TLS)

Last updated 7 months ago

View the exercise here:

OBJECTIVE

For this challenge, your goal is to access the default virtual host ("vhost") over TLS.

DEFAULT VHOST OVER TLS

When accessing a new webserver, it often pays off to replace the hostname with the IP address or to provide a random Host header in the request. To do this, you can either modify the request in a web proxy or use:

curl -H "Host: ...."

This time you need to check the TLS version of the website to get the key.

SOLUTION

This command performs a DNS lookup to retrieve the IP address associated with the domain hackycorp.com.

dig hackycorp.com

curl https://51.X.X.X/
  • curl is used to send HTTP requests to the given IP address. Here you are accessing the site by its IP directly over TLS (https://). Because the IP address does not match the hostname in the SSL certificate, certificate verification fails and this step is likely to abort with an SSL error.

curl https://51.X.X.X/ --insecure
  • This ignores SSL certificate verification and forces the connection.

  • --insecure allows curl to bypass SSL certificate validation. This is necessary because the certificate is tied to the domain name (hackycorp.com), not the IP address.

  • The request should now succeed, but you still won't get the default virtual host, because the server still sees you arriving via the IP address rather than the expected hostname.


curl https://51.X.X.X --insecure -v
  • The -v flag enables verbose mode, showing detailed information about the request, including the SSL/TLS handshake, the request and response headers, and the response body.

curl https://51.X.X.X --insecure -v -H 'Host: test'
  • Some targets may serve another version of the website for an unexpected hostname, so it is important to check how the application behaves when the Host header is not the one it expects.
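The curl steps above combined into one script, as an added example that is not part of the exercise or these notes: it connects to the IP over TLS without certificate verification (like --insecure), sends a request with a chosen Host header, and summarises each response so a default or unexpected vhost stands out. The IP, hostname and SNI value at the bottom are placeholders you supply.

```python
"""Compare a TLS web server's responses under different Host headers.
Added example, not the exercise's own code; the IP/hostname are placeholders.
"""
import re
import socket
import ssl
from typing import Optional


def build_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request with an explicit Host header (like curl -H 'Host: ...')."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        "User-Agent: vhost-check\r\nConnection: close\r\n\r\n"
    ).encode()


def summarise(raw: bytes) -> dict:
    """Extract status code, body length and <title> so responses can be compared."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode(errors="replace")
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    title = re.search(rb"<title>(.*?)</title>", body, re.I | re.S)
    return {
        "status": int(m.group(1)) if m else None,
        "length": len(body),
        "title": title.group(1).decode(errors="replace").strip() if title else "",
    }


def fetch(ip: str, host: str, sni: Optional[str] = None, port: int = 443) -> dict:
    """TLS-connect to the IP, skip verification (curl --insecure), send a request with Host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # certificate names will not match a bare IP
    ctx.verify_mode = ssl.CERT_NONE     # recon only; never do this in a production client
    with socket.create_connection((ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            tls.sendall(build_request(host))
            chunks = []
            while chunk := tls.recv(65536):
                chunks.append(chunk)
    return summarise(b"".join(chunks))


if __name__ == "__main__":
    ip, real_host = "51.0.0.1", "hackycorp.com"   # placeholders: replace with your target
    for host in (real_host, ip, "test"):          # real name, bare IP, random Host header
        print(f"Host: {host:<20} {fetch(ip, host, sni=real_host)}")
```

A differing status, body length or title between the three rows is the signal that the IP serves more than one virtual host.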

PentesterLab: Recon 07