Marial's Notes
  • Hello!
  • Pentesterlab Labs
    • Recon Badge
      • recon_00 (/robots.txt)
      • recon_01 (404 pages)
      • recon_02 (/.well-known/security.txt)
      • recon_03 (directory listing)
      • recon_04 (/admin)
      • recon_05 (wfuzz)
      • recon_06 (vhost)
      • recon_07 (vhost over TLS)
      • recon_08 (alt name)
      • recon_09 (header)
      • recon_10 (visual recon)
      • recon_11 (virtual host brute)
      • recon_12 (load balance)
      • recon_13 (TXT)
      • recon_14 (zone transfer)
      • recon_15 (int zone transfer)
      • recon_16 (bind version)
      • recon_17 (dev name)
      • recon_18 (public repos)
      • recon_19 (find email)
      • recon_20 (check branches 1)
      • recon_21 (check branches 2)
      • recon_22 (deleted file)
      • recon_23 (commit message)
      • recon_24 (assets)
      • recon_25 (S3)
      • recon_26 (JS)
  • TryHackMe Rooms
    • Basic Pentesting
    • EasyPeasy
    • Kenobi
    • Vulnversity
Powered by GitBook
On this page
  • OBJECTIVE
  • ALTERNATIVE NAMES
  • SOLUTION

Was this helpful?

  1. Pentesterlab Labs
  2. Recon Badge

recon_08 (alt name)

Previousrecon_07 (vhost over TLS)Nextrecon_09 (header)

Last updated 5 months ago

Was this helpful?

View the exercise here: PentesterLab: Recon 08

OBJECTIVE

For this challenge, your goal is to access the alternative names in the certificate.

ALTERNATIVE NAMES

When accessing a TLS server, it often pays off to check the content of the certificate used. It's common for TLS servers to have certificates that are valid for more than one name (named alternative names). Looking for alternative names can be done in your client or by using openssl.

SOLUTION

In the browser, click the browser settings at the left side of the URL.

Click Connection is secure then click Certificate is valid.

Select the Details tab

Scroll the Certificate Fields list then select Certificate Subject Alternative Name

Copy the DNS Name field value

Open it in your browser to get the flag

An alternative solution using curl:

If we use http, we’ll obtain the flag for recon 06 ❌

We’ll get the recon 08 flag when https is used