recon_11 (virtual host brute)

View the exercise here: PentesterLab: Recon 11

OBJECTIVE

For this challenge, your goal is to brute a virtual host.

VIRTUAL HOST BRUTE FORCING

In this challenge, you need to brute force a virtual host by only manipulating the Host header. There is no DNS resolution setup for this host. Therefore you will need to target hackycorp.com and bruteforce the virtual host (that ends in .hackycorp.com).

SOLUTION

Without fuzzing yet, when we try to enter a random subdomain, we get the recon_07 flag, which is not the goal for recon_11.

curl https://hackycorp.com -H 'Host:random123.hackycorp.com'

So we will be using ffuf (Fuzz Faster U Fool), a fast and flexible web fuzzer designed for discovering hidden files, directories, and parameters on web servers. It automates brute-forcing tasks using wordlists, helping penetration testers and security researchers quickly identify potential security issues in web applications.

LogoGitHub - ffuf/ffuf: Fast web fuzzer written in GoGitHub

This is used to find valid virtual hosts or subdomains by fuzzing the Host header with values from a wordlist and filtering out responses that match a specific size.

ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242

  • -w /path/to/vhost/wordlist: Specifies the wordlist file that contains potential subdomain or vhost names to try. Each line in this file is used in place of FUZZ.

  • -u https://target: The base URL of the target web server where the fuzzing will take place.

  • -H "Host: FUZZ": This sets the Host header in the HTTP request to the value of each entry in the wordlist. FUZZ is a placeholder that gets replaced by each word from the wordlist.

  • -fs 4242: Filters out responses that have a content size of 4242 bytes. This is used to ignore "false positives" by not showing responses that match this size.

To filter recon_07 in the response:

ffuf -w /usr/share/wfuzz/wordlist/general/common.txt -u https://hackycorp.com -H "Host: FUZZ.hackycorp.com" -fr recon_07

  • -fr recon_07: Filters out responses that contain the string recon_07. This helps in ignoring responses that are not relevant to your fuzzing target.

We get admin & www.

We’ll curl the ones we fuzzed to get the recon_11 flag.

curl https://hackycorp.com -H 'Host: admin.hackycorp.com'

Previousrecon_10 (visual recon)Nextrecon_12 (load balance)

Last updated

Was this helpful?