recon_11 (virtual host brute)
View the exercise here: PentesterLab: Recon 11
OBJECTIVE
For this challenge, your goal is to brute a virtual host.
VIRTUAL HOST BRUTE FORCING
In this challenge, you need to brute force a virtual host by only manipulating the Host header. There is no DNS resolution setup for this host. Therefore you will need to target hackycorp.com and bruteforce the virtual host (that ends in .hackycorp.com).
SOLUTION
Without fuzzing yet, when we try to enter a random subdomain, we get the recon_07 flag, which is not the goal for recon_11.
curl https://hackycorp.com -H 'Host:random123.hackycorp.com'

So we will be using ffuf (Fuzz Faster U Fool), a fast and flexible web fuzzer designed for discovering hidden files, directories, and parameters on web servers. It automates brute-forcing tasks using wordlists, helping penetration testers and security researchers quickly identify potential security issues in web applications.
This is used to find valid virtual hosts or subdomains by fuzzing the Host
header with values from a wordlist and filtering out responses that match a specific size.

We get admin
& www
.

We’ll curl the ones we fuzzed to get the recon_11 flag.
curl https://hackycorp.com -H 'Host: admin.hackycorp.com'

Last updated
Was this helpful?