Marial's Notes

recon_26 (JS)

Last updated 7 months ago

View the exercise here:

OBJECTIVE

For this challenge, your goal is to look at the server used to load assets (JavaScript, CSS) and find a hardcoded key in one of the JavaScript files.

WHY?

It's essential to inspect JavaScript files for hardcoded keys.

SOLUTION

When we View Page Source on hackycorp.com, we’ll see the JavaScript files referenced in this format: //assets.hackycorp.com/js/…

Open all three links that start with that prefix.

We’ll see the flag in //assets.hackycorp.com/js/script.js

PentesterLab: Recon 26
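
The defender's side of this exercise, as an added example that is not part of the original write-up or of PentesterLab's material: a small Node.js check that scans JavaScript source for hardcoded keys before it is published to an asset host. The rule names, the entropy threshold and the sample bundle are assumptions constructed for illustration.

```javascript
// Added example: pre-publish scan of JavaScript source for hardcoded secrets.
// Patterns, thresholds and the sample bundle below are constructed assumptions.

// Shannon entropy in bits per character: random keys score high, words score low.
function entropy(s) {
  const counts = {};
  for (const ch of s) counts[ch] = (counts[ch] || 0) + 1;
  return Object.values(counts).reduce((h, n) => {
    const p = n / s.length;
    return h - p * Math.log2(p);
  }, 0);
}

// Identifier names that usually hold credentials.
const SECRET_NAME = /(api[_-]?key|secret|token|passw(or)?d|private[_-]?key)/i;
// Matches name = "value" or name: "value" with ', " or ` quotes (value >= 8 chars).
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*[:=]\s*(["'`])([^"'`\n]{8,})\2/g;

// Returns one finding per suspicious string literal, with file and line number.
function scanSource(file, source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const m of text.matchAll(ASSIGNMENT)) {
      const [, name, , value] = m;
      const named = SECRET_NAME.test(name);
      // Long, space-free, high-entropy literals are flagged whatever they are called.
      const random = value.length >= 20 && !/\s/.test(value) && entropy(value) >= 3.5;
      if (named || random) {
        const reason = named ? "secret-like name" : "high-entropy literal";
        findings.push({ file, line: i + 1, name, reason });
      }
    }
  });
  return findings;
}

// Constructed sample standing in for a bundle about to be published.
const SAMPLE = [
  'const greeting = "Welcome to our site";',
  'var apiKey = "EXAMPLE-ONLY-0000";',
  'const cfg = { endpoint: "/api/v1/items", blob: "q7Zt3LxW9vB2nK8mR4pY6sD1" };',
].join("\n");

for (const f of scanSource("js/script.js", SAMPLE)) {
  console.log(`${f.file}:${f.line} ${f.name} (${f.reason})`);
}
```

Run against real bundles in CI, a non-empty result should fail the build so the key is moved server-side and rotated before the file reaches the asset host.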