Recon 00
Our task here is to retrieve the robots.txt file from the main website for hackycorp.com.
Navigate to the webpage
We can try to view the robots.txt file by adding /robots.txt to the URL
Cool, we’ve successfully completed this task.
Recon 01
Our task is to generate a 404/”Not Found” error on the main website for hackycorp.com.
Navigate to the webpage
To trigger a 404 error we’ll try to access a directory that doesn’t exist on the webserver. Let’s try to access the directory /bankai
We have successfully completed this exercise
Recon 02
Our task is to retrieve the security.txt file from the main website for hackycorp.com
Navigate to the webpage
To view the security.txt file, just navigate to /.well-known/security.txt
We have successfully completed this exercise.
Recon 03
Our task is to find a directory with directory listing in the main website for hackycorp.com.
Navigate to the webpage
Let’s fuzz for directories using ffuf
command: ffuf -u "http://hackycorp.com/FUZZ" -w /usr/share/wordlists/dirb/common.txt -e .zip,.sql,.php,.phtml,.bak,.backup
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/pentesterlab]
└─$ ffuf -u "http://hackycorp.com/FUZZ" -w /usr/share/wordlists/dirb/common.txt -e .zip,.sql,.php,.phtml,.bak,.backup
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://hackycorp.com/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .zip .sql .php .phtml .bak .backup
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
admin [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 141ms]
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 200ms]
index.html [Status: 200, Size: 16011, Words: 5888, Lines: 278, Duration: 317ms]
robots.txt [Status: 200, Size: 121, Words: 14, Lines: 7, Duration: 142ms]
startpage [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 136ms]
:: Progress: [32305/32305] :: Job [1/1] :: 256 req/sec :: Duration: [0:02:45] :: Errors: 0 ::
Nice, nice.
Navigate to the /images directory
We have 2 files in this directory, let’s try to access the key.txt file
We have successfully completed this task
Recon 04
Our task is to find a directory that is commonly used to manage applications.
Navigate to the webpage
Now, let’s fuzz for directories using ffuf
command: ffuf -u "http://hackycorp.com/FUZZ" -w /usr/share/wordlists/dirb/common.txt -e .zip,.sql,.php,.phtml,.bak,.backup
admin [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 141ms]
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 200ms]
index.html [Status: 200, Size: 16011, Words: 5888, Lines: 278, Duration: 317ms]
robots.txt [Status: 200, Size: 121, Words: 14, Lines: 7, Duration: 142ms]
startpage [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 136ms]
:: Progress: [32305/32305] :: Job [1/1] :: 256 req/sec :: Duration: [0:02:45] :: Errors: 0 ::
Let’s start with the /admin directory.
Navigating to that directory
We have successfully solved this task
Recon 05
Our task is to look for a directory that is not directly accessible.
Let’s fuzz for directories using ffuf
command: ffuf -u "http://hackycorp.com/FUZZ" -w /usr/share/wordlists/dirb/common.txt -e .zip,.sql,.php,.phtml,.bak,.backup
admin [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 141ms]
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 200ms]
index.html [Status: 200, Size: 16011, Words: 5888, Lines: 278, Duration: 317ms]
robots.txt [Status: 200, Size: 121, Words: 14, Lines: 7, Duration: 142ms]
startpage [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 136ms]
:: Progress: [32305/32305] :: Job [1/1] :: 256 req/sec :: Duration: [0:02:45] :: Errors: 0 ::
Navigate to the /startpage directory
We have successfully completed the task
Recon 06
Our task is to access the default virtual host (“vhost”)
Navigate to the webpage
Refresh this webpage, capture the request in Burp Suite and send it over to Burp Repeater
To view the default vhost, we have to get the IP address of the domain. To do that, run ping hackycorp.com -c 5 in your terminal
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/pentesterlab]
└─$ ping hackycorp.com -c 5
PING hackycorp.com (51.158.147.132) 56(84) bytes of data.
64 bytes from 51-158-147-132.rev.poneytelecom.eu (51.158.147.132): icmp_seq=1 ttl=48 time=205 ms
64 bytes from 51-158-147-132.rev.poneytelecom.eu (51.158.147.132): icmp_seq=2 ttl=48 time=286 ms
64 bytes from 51-158-147-132.rev.poneytelecom.eu (51.158.147.132): icmp_seq=3 ttl=48 time=143 ms
64 bytes from 51-158-147-132.rev.poneytelecom.eu (51.158.147.132): icmp_seq=4 ttl=48 time=277 ms
64 bytes from 51-158-147-132.rev.poneytelecom.eu (51.158.147.132): icmp_seq=5 ttl=48 time=153 ms
--- hackycorp.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4004ms
rtt min/avg/max/mdev = 142.555/212.707/286.497/60.195 ms
We got the IP address: 51.158.147.132.
Let’s head back to Burp Suite. We’ll be changing the value of the Host header from hackycorp.com to 51.158.147.132
We have successfully completed this task.
Recon 07
Our task is to access the default virtual host (“vhost”) over TLS
This challenge has to do with TLS: HTTPS is HTTP over TLS.
So to solve this challenge we just need to put https:// in front of the IP address. We know the IP address of the domain to be 51.158.147.132 from running the ping command
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/pentesterlab]
└─$ ping hackycorp.com -c 3
PING hackycorp.com (51.158.147.132) 56(84) bytes of data.
64 bytes from 51-158-147-132.rev.poneytelecom.eu (51.158.147.132): icmp_seq=1 ttl=48 time=233 ms
64 bytes from 51-158-147-132.rev.poneytelecom.eu (51.158.147.132): icmp_seq=2 ttl=48 time=256 ms
64 bytes from 51-158-147-132.rev.poneytelecom.eu (51.158.147.132): icmp_seq=3 ttl=48 time=279 ms
--- hackycorp.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 233.149/256.028/279.038/18.734 ms
Now, navigate to the webpage https://51.158.147.132
We have completed the task
Recon 08
Our task is to access the alternative names in the certificate.
To solve this, we can use the openssl command
command: openssl s_client -connect hackycorp.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/pentesterlab]
└─$ openssl s_client -connect hackycorp.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:
DNS:66177e3f25e3ea0713807b1dc5f0b9df.hackycorp.com, DNS:hackycorp.com, DNS:www.hackycorp.com
We got an extra DNS name: 66177e3f25e3ea0713807b1dc5f0b9df.hackycorp.com
Now, let’s navigate to https://66177e3f25e3ea0713807b1dc5f0b9df.hackycorp.com
We have successfully completed this task.
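As an added example (not the writeup’s own code), the same SAN check done with Python’s standard ssl module instead of openssl | grep, which also drops the names you already know so only the unusual one is left. SAMPLE_CERT is a constructed stand-in for the subjectAltName values shown in the openssl output above, so the functions can be exercised without a connection.

```python
import socket
import ssl

# Constructed stand-in for what ssl.SSLSocket.getpeercert() returns for the
# certificate in the openssl output above (only the fields this script uses).
SAMPLE_CERT = {
    "subject": ((("commonName", "hackycorp.com"),),),
    "subjectAltName": (
        ("DNS", "66177e3f25e3ea0713807b1dc5f0b9df.hackycorp.com"),
        ("DNS", "hackycorp.com"),
        ("DNS", "www.hackycorp.com"),
    ),
}

def fetch_peer_cert(host, port=443):
    """Leaf certificate of host:port as the dict getpeercert() returns. The default
    context verifies the chain; for an unverified peer getpeercert() is empty."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def dns_sans(cert):
    """All DNS entries of the subjectAltName extension, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def unexpected_sans(cert, known):
    """SANs outside the set of names the site is expected to serve (the openssl | grep
    step above, minus the names you already knew). DNS names compare case-insensitively."""
    known_lc = {k.lower() for k in known}
    return [n for n in dns_sans(cert) if n.lower() not in known_lc]

if __name__ == "__main__":
    print(unexpected_sans(SAMPLE_CERT, {"hackycorp.com", "www.hackycorp.com"}))
    # Live check (needs network): the one name left over is the Recon 08 target.
    live = fetch_peer_cert("hackycorp.com")
    print(unexpected_sans(live, {"hackycorp.com", "www.hackycorp.com"}))
```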
Recon 09
Our task is to access the headers from the responses
Navigate to the webpage
We can use curl to view HTTP headers
command: curl -I http://hackycorp.com/
We have successfully completed the task.
Recon 10
The task is to find the website with the key in red
Recon 11
Our task is to brute-force a virtual host.
To do this, we’ll be using ffuf
command: ffuf -u https://hackycorp.com/ -H "Host: FUZZ.hackycorp.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 5 -fs 107
┌──(bl4ck4non㉿bl4ck4non)-[~/Downloads/pentesterlab]
└─$ ffuf -u https://hackycorp.com/ -H "Host: FUZZ.hackycorp.com" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -fw 5 -fs 107
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : https://hackycorp.com/
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.hackycorp.com
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 107
:: Filter : Response words: 5
________________________________________________
admin [Status: 200, Size: 108, Words: 12, Lines: 4, Duration: 146ms]
www [Status: 200, Size: 16011, Words: 5888, Lines: 278, Duration: 130ms]
:: Progress: [4989/4989] :: Job [1/1] :: 147 req/sec :: Duration: [0:00:27] :: Errors: 0 ::
From our scan we got two hits: admin and www.
So there’s a subdomain admin.hackycorp.com
Let’s navigate to the webpage https://hackycorp.com again, but this time we’ll capture the request in Burp Suite and send it over to Burp Repeater
Let’s change the Host header from www.hackycorp.com to admin.hackycorp.com
We have successfully completed this task
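As an added example (not part of the original writeup), a small Python script that parses ffuf result lines like the ones in the Recon 03 and Recon 11 scans above and reproduces the -fs 107 -fw 5 baseline filtering: it derives the baseline from responses for names known not to exist (what ffuf -ac does automatically) and drops any hit matching it. The doesnotexist1/doesnotexist2 lines in the sample are constructed, not from the page.

```python
import re
from collections import Counter

# One ffuf result line as printed in the Recon 03 / Recon 11 scans, e.g.
# "admin [Status: 200, Size: 108, Words: 12, Lines: 4, Duration: 146ms]"
FFUF_LINE = re.compile(
    r"^(?P<name>\S+)\s+\[Status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+)"
)

# Constructed sample: the two real hits from the Recon 11 scan plus two made-up
# names whose responses look like the unfiltered baseline (107 bytes, 5 words).
SAMPLE_VHOST_OUTPUT = """\
admin [Status: 200, Size: 108, Words: 12, Lines: 4, Duration: 146ms]
doesnotexist1 [Status: 200, Size: 107, Words: 5, Lines: 4, Duration: 140ms]
www [Status: 200, Size: 16011, Words: 5888, Lines: 278, Duration: 130ms]
doesnotexist2 [Status: 200, Size: 107, Words: 5, Lines: 4, Duration: 151ms]
:: Progress: [4989/4989] :: Job [1/1] :: 147 req/sec :: Duration: [0:00:27] :: Errors: 0 ::
"""

def parse_ffuf_line(line):
    """Parse one result line into a dict; banner, '::' and progress lines give None."""
    m = FFUF_LINE.match(line.strip())
    if m is None:
        return None
    return {k: (v if k == "name" else int(v)) for k, v in m.groupdict().items()}

def parse_ffuf_output(text):
    """All result lines of a pasted ffuf run, in order."""
    return [h for h in map(parse_ffuf_line, text.splitlines()) if h is not None]

def calibrate(bogus_hits):
    """Baseline (size, words): the most common pair among hits for names known not
    to exist. ffuf -ac does this automatically; the scan above did it by hand."""
    if not bogus_hits:
        raise ValueError("need at least one bogus hit to calibrate")
    return Counter((h["size"], h["words"]) for h in bogus_hits).most_common(1)[0][0]

def apply_filters(hits, baseline_size, baseline_words):
    """Mimic -fs/-fw: a hit is dropped when its size OR its word count equals the
    baseline, because ffuf combines its filters with OR."""
    return [h for h in hits
            if h["size"] != baseline_size and h["words"] != baseline_words]

def triage(text, bogus_names):
    """Parse, calibrate on the bogus names, filter, and return the surviving names."""
    hits = parse_ffuf_output(text)
    size, words = calibrate([h for h in hits if h["name"] in bogus_names])
    return [h["name"] for h in apply_filters(hits, size, words)]
```

Running triage(SAMPLE_VHOST_OUTPUT, {"doesnotexist1", "doesnotexist2"}) leaves exactly the admin and www hits, the same two the filtered scan above reported.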
Recon 12
Our task is to access a load-balanced application hosted at the address balancer.hackycorp.com.
Let’s navigate to the webpage https://balancer.hackycorp.com
Refreshing the page multiple times, so that the load balancer sends us to different backends, solves this challenge
We have successfully completed this lab
Recon 13
Our task is to retrieve the TXT record for key.z.hackycorp.com
We’ll be using a tool called dig for this
command: dig TXT key.z.hackycorp.com
We have successfully completed this exercise
Recon 14
Our task is to perform a zone transfer on z.hackycorp.com
We can use dig to perform a zone transfer
command: dig axfr @51.158.147.132 z.hackycorp.com
We have successfully completed this task.
Recon 15
Our task is to perform a zone transfer on the internal zone named: “int” using the nameserver of z.hackycorp.com
Using the tool dig:
command: dig @51.158.147.132 -t axfr int
We have successfully completed this task
Recon 16
Our task is to get the version of BIND used by z.hackycorp.com
To do this we can use dig
Recon 17
Our task is to look for the name of the developer used in the repository test1
First, let’s locate the GitHub repo
We got their GitHub repo.
Now, let’s look for the name of the developer used in the repository test1
We have successfully completed this task
Recon 18
Our task is to look at the public repository of the developers of the organisation.
The GitHub repo is located here: https://github.com/hackycorp
We have successfully completed this task
Recon 19
Our task is to look at the repository repo7 and find an email address that is not like the other one.
Recon 20
Our task is to look at the repository repo3 and check different branches
Navigate to the GitHub page
We have successfully completed this task
Recon 21
Our task is to look at the repository repo4 and check different branches.
Navigate to the GitHub repo
We have completed this task
Recon 22
Our task is to find a file that has been deleted in repo9.
Navigate to the GitHub page
Checking the commits
Clicking on “Older”
Click on that commit
We can see from the above screenshot that the file KEY.txt was deleted. Click on “Load diff”, you should get the deleted file when you do that
We have successfully completed this task
Recon 23
Our task is to look at the repository repo0a and find sensitive information in the commit message.
Navigate to the GitHub page
We’ll be checking the commits with more comments
Clicking on that commit
This is not it; go back to the previous webpage and scroll down
Click on “Older”
Click on that commit
We have successfully completed this task
Recon 24
Our task is to look at the server used to load assets (JavaScript, CSS) and find a file named key.txt.
Navigate to the webpage
Let’s view the page source
From the above screenshot, you can see the domain assets.hackycorp.com used constantly. Let’s navigate to that domain name using our browser
We get an access denied message. Let’s try to see if we can access the key.txt file directly
We have successfully completed this task
Recon 25
Our task is to look at the server used to load assets (JavaScript, CSS) and find a file named key2.txt.
Recon 26
Our task is to look at the server used to load assets (JavaScript, CSS) and find a hardcoded key in one of the JavaScript files.
Navigate to the webpage
Doing my research I found this
Let’s navigate to the webpage http://assets.hackycorp.com/js/script.js
Scrolling down,
We have successfully completed this lab
We have come to the end of the recon challenges 😎