recon_11 (virtual host brute)
View the exercise here:
For this challenge, your goal is to brute force a virtual host.
In this challenge, you need to brute force a virtual host by only manipulating the Host header. There is no DNS resolution set up for this host. Therefore you will need to target hackycorp.com and brute force the virtual host (that ends in .hackycorp.com).
Without fuzzing yet, when we try to enter a random subdomain, we get the recon_07 flag, which is not the goal for recon_11.
So we will be using ffuf (Fuzz Faster U Fool), a fast and flexible web fuzzer designed for discovering hidden files, directories, and parameters on web servers. It automates brute-forcing tasks using wordlists, helping penetration testers and security researchers quickly identify potential security issues in web applications.
This is used to find valid virtual hosts or subdomains by fuzzing the Host header with values from a wordlist and filtering out responses that match a specific size.
We get admin & www.
We’ll curl the ones we fuzzed to get the recon_11 flag.
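From the defending side, this kind of Host header fuzzing shows up in access logs as one client requesting many distinct Host values that are not configured on the server. The following detection sketch is an added example, not part of the original write-up; the log format, the list of known virtual hosts, the threshold, the IP addresses and the response sizes are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed: the server's configured virtual hosts (names taken from the write-up).
KNOWN_VHOSTS = {"hackycorp.com", "www.hackycorp.com", "admin.hackycorp.com"}

# Constructed sample log, assumed format: "<client_ip> <host_header> <status> <bytes>".
# The web server must be configured to log the Host header for this to work.
SAMPLE_LOG = """\
198.51.100.20 www.hackycorp.com 200 16011
203.0.113.7 dev.hackycorp.com 200 107
203.0.113.7 test.hackycorp.com 200 107
203.0.113.7 mail.hackycorp.com 200 107
203.0.113.7 admin.hackycorp.com 200 2143
203.0.113.7 vpn.hackycorp.com 200 107
203.0.113.7 WWW.hackycorp.com:80 200 16011
198.51.100.20 hackycorp.com 200 16011
198.51.100.33 old.hackycorp.com 200 107
malformed line
"""

def normalize_host(raw):
    """Lower-case the Host value and drop an optional :port and trailing dot."""
    host = raw.strip().lower()
    if host.startswith("["):           # IPv6 literal: keep the bracketed part
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")

def find_vhost_bruteforce(log_text, known=KNOWN_VHOSTS, threshold=3):
    """Return {client_ip: sorted unknown hosts} for clients that requested
    at least `threshold` distinct Host values not configured on the server."""
    unknown_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                    # skip malformed entries
        ip, host = parts[0], normalize_host(parts[1])
        if host not in known:
            unknown_by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in unknown_by_ip.items()
            if len(hosts) >= threshold}

if __name__ == "__main__":
    for ip, hosts in find_vhost_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {len(hosts)} unknown Host values, e.g. {hosts[:3]}")
```

Counting distinct unknown names per client, rather than raw request volume, keeps a single mistyped hostname from a normal visitor below the threshold.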