recon_11 (virtual host brute)
View the exercise here: PentesterLab: Recon 11
OBJECTIVE
For this challenge, your goal is to brute a virtual host.
VIRTUAL HOST BRUTE FORCING
In this challenge, you need to brute force a virtual host by only manipulating the Host header. There is no DNS resolution setup for this host. Therefore you will need to target hackycorp.com and bruteforce the virtual host (that ends in .hackycorp.com).
SOLUTION
Without fuzzing yet, when we try to enter a random subdomain, we get the recon_07 flag, which is not the goal for recon_11.
curl https://hackycorp.com -H 'Host:random123.hackycorp.com'
So we will be using ffuf (Fuzz Faster U Fool), a fast and flexible web fuzzer designed for discovering hidden files, directories, and parameters on web servers. It automates brute-forcing tasks using wordlists, helping penetration testers and security researchers quickly identify potential security issues in web applications.
This is used to find valid virtual hosts or subdomains by fuzzing the Host header with values from a wordlist and filtering out responses that match a specific size.
-w /path/to/vhost/wordlist: Specifies the wordlist file that contains potential subdomain or vhost names to try. Each line in this file is used in place ofFUZZ.-u https://target: The base URL of the target web server where the fuzzing will take place.-H "Host: FUZZ": This sets theHostheader in the HTTP request to the value of each entry in the wordlist.FUZZis a placeholder that gets replaced by each word from the wordlist.-fs 4242: Filters out responses that have a content size of 4242 bytes. This is used to ignore "false positives" by not showing responses that match this size.
To filter recon_07 in the response:
-fr recon_07: Filters out responses that contain the stringrecon_07. This helps in ignoring responses that are not relevant to your fuzzing target.
We get admin & www.
We’ll curl the ones we fuzzed to get the recon_11 flag.
Last updated