recon_11 (virtual host brute)

Last updated 7 months ago

View the exercise here:

OBJECTIVE

For this challenge, your goal is to brute-force a virtual host.

VIRTUAL HOST BRUTE FORCING

In this challenge, you need to brute-force a virtual host by only manipulating the Host header. There is no DNS resolution set up for this host. Therefore, you will need to target hackycorp.com and brute-force the virtual host (which ends in .hackycorp.com).

SOLUTION

Before any fuzzing, a request with a random subdomain in the Host header returns the recon_07 flag, which is not the goal for recon_11.

curl https://hackycorp.com -H 'Host: random123.hackycorp.com'

So we will use ffuf (Fuzz Faster U Fool), a fast and flexible web fuzzer written in Go. It automates brute-forcing with wordlists to discover hidden files, directories and parameters on web servers, which helps penetration testers and security researchers quickly spot potential issues in web applications.

Here it is used to find valid virtual hosts or subdomains: each wordlist entry is placed in the Host header, and the responses that match the default page (by size or by content) are filtered out.

ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242
  • -w /path/to/vhost/wordlist: Specifies the wordlist file that contains potential subdomain or vhost names to try. Each line in this file is used in place of FUZZ.

  • -u https://target: The base URL of the target web server where the fuzzing will take place.

  • -H "Host: FUZZ": This sets the Host header in the HTTP request to the value of each entry in the wordlist. FUZZ is a placeholder that gets replaced by each word from the wordlist.

  • -fs 4242: Filters out responses whose body is exactly 4242 bytes, the size of the default response in this example. This hides the "false positives" that every non-existent host returns.

To filter recon_07 in the response:

ffuf -w /usr/share/wfuzz/wordlist/general/common.txt -u https://hackycorp.com -H "Host: FUZZ.hackycorp.com" -fr recon_07
  • -fr recon_07: Filters out responses whose body matches the regex recon_07. Since the default virtual host serves the recon_07 flag, this hides every wordlist entry that falls through to the default host and leaves only hosts that answer with different content.
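To show why the -fr recon_07 filter matters, here is an added Python example that is not part of this write-up and not ffuf's code: it reproduces ffuf's -fs and -fr filtering over constructed responses. The hostnames, bodies and flag strings are made up, and the scenario assumes the default virtual host echoes the requested name in its page, which the lab text does not state.

```python
import re

# Constructed sample data, not real captures from the lab. Each entry maps the
# Host header value that was sent to the body the server answered with.
# Assumption for this scenario: the default virtual host echoes the requested
# hostname in its page, so the default reply's length differs per candidate.
DEFAULT_HOST = "random123.hackycorp.com"  # a name that certainly does not exist


def default_page(host):
    # Constructed default-vhost page; the flag string is a placeholder.
    return f"<html><title>{host}</title><body>Flag: recon_07_PLACEHOLDER</body></html>"


RESPONSES = {
    DEFAULT_HOST: default_page(DEFAULT_HOST),
    "test.hackycorp.com": default_page("test.hackycorp.com"),
    "mail.hackycorp.com": default_page("mail.hackycorp.com"),
    "www.hackycorp.com": "<html><body>Welcome to HackyCorp</body></html>",
    "admin.hackycorp.com": "<html><body>Admin. Flag: recon_11_PLACEHOLDER</body></html>",
}


def filter_size(responses, size):
    """ffuf -fs: drop every response whose body is exactly `size` bytes."""
    return {h: b for h, b in responses.items() if len(b.encode()) != size}


def filter_regex(responses, pattern):
    """ffuf -fr: drop every response whose body matches the regex `pattern`."""
    rx = re.compile(pattern)
    return {h: b for h, b in responses.items() if not rx.search(b)}


def find_vhosts(responses, baseline_host, flag_pattern=None):
    """Return the candidate hosts whose reply differs from the default vhost.

    The baseline is the reply to a host that does not exist; its body length
    drives the -fs style filter. When `flag_pattern` is given, a -fr style
    filter is applied as well, which is what the write-up relies on.
    """
    survivors = filter_size(responses, len(responses[baseline_host].encode()))
    if flag_pattern:
        survivors = filter_regex(survivors, flag_pattern)
    return sorted(survivors)


if __name__ == "__main__":
    # -fs alone keeps test and mail, because their echoed names change the size.
    print("size only :", find_vhosts(RESPONSES, DEFAULT_HOST))
    # -fr recon_07 removes every default-vhost reply regardless of size.
    print("size + fr :", find_vhosts(RESPONSES, DEFAULT_HOST, "recon_07"))
```

With the size filter alone, test and mail survive as false positives; adding the regex filter on the recon_07 flag leaves only admin and www, matching what the ffuf run above reports.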

We get two hits: admin and www.

We then curl each of the hosts we found to get the recon_11 flag.

curl https://hackycorp.com -H 'Host: admin.hackycorp.com'
