recon_10 (visual recon)

View the exercise here: PentesterLab: Recon 10

OBJECTIVE

For this challenge, your goal is to use visual reconnaissance. You will need to find the website with the key in red.

VISUAL RECONNAISSANCE

For this challenge, the web applications are hosted under: 0x["%02x"].a.hackycorp.com as in:

0x00.a.hackycorp.com
0x01.a.hackycorp.com
...
0x0a.a.hackycorp.com
0x0b.a.hackycorp.com
...

If you haven't done visual reconnaissance before, you can try to use the tool Aquatone to get images that you can browse easily to find the right key (in red).

SOLUTION

Let’s first try to check manually the first 4 links of the sequence.

We notice that the output color of the keys is blue and black.

The keys in the website are images, so we can solve this challenge by saving the output image of each site and then checking them visually after visiting all sites to find the text in red.

It would be very tedious to manually do this, so we’ll use a script to automate the saving of the output.

Click the tabs to see the thought process on how we arrived at the final code used to automate the printing process of the key on each page for easy viewing later.

For each line, the script uses curl to download a file named logo.png from the specified URL and saves it with the filename <line>.png. This script helps automate the process of downloading and saving files from multiple URLs listed in a text file.

for i in `cat hosts.txt`;
do curl $i/logo.png -o $i.png
done

Wait until all is done.

We’ll first try to generate a sequence of numbers. Let’s try generating 1 to 10.

seq 1 10

We'll use a for loop to count from 0 to 150. The script prints each number, showing how you can easily loop through a range of numbers in a shell script.

for i in `seq 0 150`; do
echo $i
done

This for loop to count from 0 to 150 and print each number in its hexadecimal (base 16) format. The script converts each number to hexadecimal and displays it on a new line.

for i in `seq 0 150`; do
printf " %x\n" $i 
done

%x — treats the input as hex

Each hostname will be formatted with a hexadecimal number and appended to a file named hosts.txt. This script creates a list where each line follows the format 0x<hexadecimal number>.a.hackycorp.com.

for i in `seq 0 150`;  do 
printf "0x%02x.a.hackycorp.com\n" $i >> hosts.txt

%02
- 2 — means 2 digits
- 0 — as padding (e.g. 01)
>> — if just single >, the last line of the sequence will only be printed

When we print the final output, we get the desired format of the URL.

vi hosts.txt

Once everything is saved, open all photos at once.

Visually scan the photos to check for the key in red text.

You can also open the image name back in the browser to view the key.

Previousrecon_09 (header)Nextrecon_11 (virtual host brute)

Last updated 27 days ago