Badge Solutions

A solutions guide for obtaining this badge.

PentesterLab Recon Badge Solution

1. Recon 00 - The goal is to retrieve the robots.txt from the main website for hackycorp.com

  • Open hackycorp.com/robots.txt

2. Recon 01 - To generate a 404/"Not Found" error on the main website for hackycorp.com

  • Open hackycorp.com/kjhfdbsgkdjhf (any path that does not exist will do)

3. Recon 02 - To retrieve the security.txt from the main website for hackycorp.com

4. Recon 03-05 - To find a directory that is not directly accessible.

  • dirb https://hackycorp.com

  • Recon 03, 04 and 05 are all solved from the directories this one command finds.

5. Recon 06 - To access the default virtual host ("vhost").

  • curl http://hackycorp.com/ -H "Host: 51.158.147.132"

6. Recon 07 - To access the default virtual host ("vhost") over TLS.

  • curl https://hackycorp.com/ -H "Host: 51.158.147.132"

7. Recon 08 - To find the Subject Alternative Names in the certificate.

  • Open https://hackycorp.com

  • Open the certificate

  • Go to View Certificate > hackycorp.com > Subject Alt Names

  • You'll see three DNS names

  • Enter or curl https://66177e3f25e3ea0713807b1dc5f0b9df.hackycorp.com

8. Recon 09 - To access the headers from responses.

  • curl -I http://hackycorp.com/

9. Recon 10 - To use visual reconnaissance. You will need to find the website with the key in red.

  • Create a script to iterate the domains for you, as mentioned in the challenge.

# python3

import urllib.request

# Hostnames run from 0x00.a.hackycorp.com to 0xc7.a.hackycorp.com (0 to 199).
# The label always has two hex digits, so {:02x} gives 0x0f rather than 0xf.
for i in range(200):
    url = "http://0x{:02x}.a.hackycorp.com/logo.png".format(i)
    with urllib.request.urlopen(url) as response:
        data = response.read()

    # Keep the .png extension (logo_00.png ... logo_c7.png) so a file browser can preview them.
    with open("logo_{:02x}.png".format(i), "wb") as f:
        f.write(data)

  • Find the image which has the key in red. I just viewed the previews in my file explorer once my script finished. Be aware that you'll have a lot of files in that directory if you use my method.

10. Recon 11 - To brute-force a virtual host

  • You have to brute-force the vhosts. The -fs 107 filter drops the responses of the default vhost, which all have the same size, so only names that reach a real vhost are shown:

    ffuf -u https://hackycorp.com/ -w /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt -H "host: FUZZ.hackycorp.com" -fs 107

  • curl -i -H "Host: admin.hackycorp.com" https://hackycorp.com
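Recon 06, 07 and 11 all exploit the same server-side behaviour: a catch-all default vhost answers every Host value it does not recognise with the same page, so an unknown name is distinguishable from a real vhost by response size alone. On the defending side this is visible in the access log, because the scan shows up as one client asking for many Host values outside the inventory, and any unknown name that returns a different size than the default page is a vhost nobody documented. The detector below is an added example written for this guide, not code from PentesterLab; the log lines, the inventory in KNOWN_VHOSTS and the log format (client, host, request, status, bytes) are all constructed.

```python
import re
from collections import Counter, defaultdict

# Virtual hosts that are supposed to exist on this server (constructed inventory).
KNOWN_VHOSTS = {"hackycorp.com", "www.hackycorp.com"}

# Constructed access log lines (nothing captured from a real server) in the format
#   $remote_addr $host "$request" $status $body_bytes_sent
# The 107-byte responses are the default vhost answering names it does not know.
SAMPLE_LOG = """\
198.51.100.7 hackycorp.com "GET / HTTP/1.1" 200 5123
198.51.100.7 www.hackycorp.com "GET /robots.txt HTTP/1.1" 200 84
203.0.113.9 dev.hackycorp.com "GET / HTTP/1.1" 200 107
203.0.113.9 staging.hackycorp.com "GET / HTTP/1.1" 200 107
203.0.113.9 test.hackycorp.com "GET / HTTP/1.1" 200 107
203.0.113.9 mail.hackycorp.com "GET / HTTP/1.1" 200 107
203.0.113.9 admin.hackycorp.com "GET / HTTP/1.1" 200 1944
192.0.2.4 hackycorp.com "GET /index.html HTTP/1.1" 200 5123
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\d{3}) (\d+)$')


def parse_log(text):
    """Turn the constructed log format into a list of dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({"client": m.group(1), "host": m.group(2),
                            "request": m.group(3), "status": int(m.group(4)),
                            "bytes": int(m.group(5))})
    return entries


def vhost_scanners(entries, known=KNOWN_VHOSTS, threshold=3):
    """Clients that asked for at least `threshold` distinct Host values outside the inventory."""
    unknown_hosts = defaultdict(set)
    for e in entries:
        if e["host"] not in known:
            unknown_hosts[e["client"]].add(e["host"])
    return {client: sorted(hosts) for client, hosts in unknown_hosts.items()
            if len(hosts) >= threshold}


def undocumented_vhosts(entries, known=KNOWN_VHOSTS):
    """Hosts outside the inventory whose response differs from the default-vhost page.

    The default vhost returns the same page (same size) for every unknown name, which is
    why the walkthrough filters that size with -fs; a different size means a real vhost
    answered, and that vhost is missing from the inventory.
    """
    unknown = [e for e in entries if e["host"] not in known]
    if not unknown:
        return []
    default_size = Counter(e["bytes"] for e in unknown).most_common(1)[0][0]
    return sorted({e["host"] for e in unknown if e["bytes"] != default_size})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("vhost scanners:", vhost_scanners(entries))
    print("vhosts missing from inventory:", undocumented_vhosts(entries))
```

Two mitigations follow from the same observation: keep the vhost inventory current so the second function stays empty, and make the default server block refuse unmatched Host values (nginx's `return 444;` or an HTTP 421 response) rather than serving a page, so the catch-all gives away nothing when it is reached by IP or by a guessed name.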

11. Recon 12 - To access a load-balanced application hosted at the address balancer.hackycorp.com

  • Go to http://balancer.hackycorp.com and refresh the page several times.

12. Recon 13 - To retrieve the TXT record for key.z.hackycorp.com.

  • dig key.z.hackycorp.com TXT

13. Recon 14 - To perform a zone transfer on z.hackycorp.com

14. Recon 15 - To perform a zone transfer on the internal zone: "int" using the nameserver of z.hackycorp.com

  • dig int @z.hackycorp.com axfr

15. Recon 16 - To get the version of BIND used by z.hackycorp.com
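Recon 14, 15 and 16 succeed because of two settings on the nameserver: zone transfers (AXFR) are allowed from any host, and the server reports its BIND version. Both live in named.conf, allow-transfer at the options level or per zone and the version statement in options. The checker below is an added example for this guide, not part of it; it parses two constructed named.conf fragments, one with the weak settings and one hardened (the secondary's address 192.0.2.53 and the zone file paths are placeholders), and reports which zones are open and whether the version is hidden.

```python
import re

# Constructed named.conf fragment with the weak settings (not taken from any real server).
WEAK_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    allow-transfer { any; };
};

zone "z.hackycorp.com" {
    type master;
    file "/etc/bind/db.z.hackycorp.com";
};

zone "int" {
    type master;
    file "/etc/bind/db.int";
    allow-transfer { any; };
};
"""

# Same fragment hardened: transfers only to the secondary, version string hidden.
HARDENED_NAMED_CONF = """\
options {
    directory "/var/cache/bind";
    version "not disclosed";
    allow-transfer { none; };
};

zone "z.hackycorp.com" {
    type master;
    file "/etc/bind/db.z.hackycorp.com";
    allow-transfer { 192.0.2.53; };
};

zone "int" {
    type master;
    file "/etc/bind/db.int";
};
"""

BLOCK_RE = re.compile(r'^(options|zone\s+"([^"]+)")\s*\{', re.MULTILINE)


def top_level_blocks(conf):
    """Return (kind, zone_name, body) for each top-level options/zone block, matching braces by hand."""
    blocks = []
    for m in BLOCK_RE.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        blocks.append(("options" if m.group(1) == "options" else "zone", m.group(2), body))
    return blocks


def transfer_acl(body):
    """List of allow-transfer entries in a block body, or None when the block sets none."""
    m = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
    if not m:
        return None
    return [entry.strip() for entry in m.group(1).split(";") if entry.strip()]


def lint_named_conf(conf):
    """Findings for open zone transfers and version disclosure; an empty list means the checks pass."""
    findings = []
    blocks = top_level_blocks(conf)
    options_body = next((body for kind, _, body in blocks if kind == "options"), "")
    global_acl = transfer_acl(options_body)
    if not re.search(r'\bversion\s+"', options_body):
        findings.append("options: no version statement, so the running BIND version is reported to clients")
    for kind, name, body in blocks:
        if kind != "zone":
            continue
        acl = transfer_acl(body)
        effective = acl if acl is not None else global_acl  # zone setting overrides options
        if effective is None:
            findings.append(f'zone "{name}": no allow-transfer at zone or options level; transfers follow the server default')
        elif "any" in effective:
            findings.append(f'zone "{name}": allow-transfer {{ any; }} lets any host AXFR the whole zone')
    return findings


if __name__ == "__main__":
    for finding in lint_named_conf(WEAK_NAMED_CONF):
        print(finding)
    print("hardened:", lint_named_conf(HARDENED_NAMED_CONF) or "no findings")
```

The zone-level ACL overrides the options-level one, so a single `allow-transfer { any; };` left in a zone block reopens that zone even when options says none; that is why the checker resolves the effective ACL per zone instead of only reading options.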

16. Recon 17 - Look at the name of the developer used in the repository test1

  • https://github.com/hackycorp/test1

17. Recon 18 - Look at the public repository of the developers of the organisation

  • https://github.com/hackycorpdev/test1/blob/master/TEST

18. Recon 19 - Look at the email addresses used for commits in the repository repo7

  • git clone https://github.com/hackycorp/repo7.git

  • cd repo7

  • git log

19. Recon 20 - Look at the branches in repo3

  • Open https://github.com/hackycorp/repo3

  • Click on branches

20. Recon 21 - Look at the information in the branches for repo4

  • Open https://github.com/hackycorp/repo3/branches

  • Choose a branch from "Active branches"

  • Click on the KEY file

21. Recon 22 - Look in repo9 for deleted files

  • git clone https://github.com/hackycorp/repo9.git

  • cd repo9

  • git log --diff-filter=D --summary | grep delete

  • git log --all -- File_name (replace File_name with the path of the deleted file)

  • Copy the commit ID

  • Go to https://github.com/hackycorp/repo9/commit/copied_commit_id

  • Click on Load diff

22. Recon 23 - Look for sensitive information in commit messages

  • git clone https://github.com/hackycorp/repo0a.git

  • cd repo0a

  • git log --all, then grep the output for the word you are looking for
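Recon 19, 22 and 23 all read the same thing: `git log --summary` output. Author lines give the email addresses used for commits, ` delete mode` lines list files that were removed but whose content is still in history, and the indented message bodies are where people write things like passwords. Scanning your own repositories for exactly these three before they are published is the defender's side of this exercise. The parser below is an added example written for this guide, not PentesterLab's code; the log it parses is constructed (the hashes, names, addresses and messages are made up) and `hackycorp.com` is used only as the organisation domain to compare email addresses against.

```python
import re

ORG_DOMAIN = "hackycorp.com"

# Constructed output of "git log --all --summary" (hashes, names and messages are made up).
SAMPLE_GIT_LOG = """\
commit 1111111111111111111111111111111111111111
Author: Jane Dev <jane.dev@gmail.com>
Date:   Mon Jan 8 10:12:00 2024 +0000

    Remove KEY before publishing the repo

 delete mode 100644 KEY

commit 2222222222222222222222222222222222222222
Author: Bob Ops <bob@hackycorp.com>
Date:   Sun Jan 7 18:40:00 2024 +0000

    Add deploy script

    staging password is hunter2, will rotate later

 create mode 100644 deploy.sh

commit 3333333333333333333333333333333333333333
Author: Jane Dev <jane.dev@gmail.com>
Date:   Sat Jan 6 09:00:00 2024 +0000

    Initial import

 create mode 100644 KEY
 create mode 100644 README.md
"""

SECRET_WORDS = re.compile(r"\b(password|passwd|secret|token|api[_ -]?key|private key)\b", re.IGNORECASE)
COMMIT_RE = re.compile(r"^commit ([0-9a-f]{40})")
AUTHOR_RE = re.compile(r"^Author: (.*?) <([^>]+)>")
SUMMARY_RE = re.compile(r"^ (delete|create) mode \d+ (.+)$")


def parse_git_log(text):
    """Split git log --summary output into commits with author, email, message lines and file changes."""
    commits = []
    for line in text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commits.append({"hash": m.group(1), "author": "", "email": "",
                            "message": [], "deleted": [], "created": []})
            continue
        if not commits:
            continue  # text before the first commit header
        current = commits[-1]
        m = AUTHOR_RE.match(line)
        if m:
            current["author"], current["email"] = m.group(1), m.group(2)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            current["deleted" if m.group(1) == "delete" else "created"].append(m.group(2))
            continue
        if line.startswith("    "):  # git indents message bodies by four spaces
            current["message"].append(line[4:])
    return commits


def external_authors(commits, org_domain=ORG_DOMAIN):
    """Email addresses used for commits that are outside the organisation's domain (Recon 19)."""
    return sorted({c["email"] for c in commits if not c["email"].endswith("@" + org_domain)})


def deleted_files(commits):
    """(path, commit hash) for every file removed from the tree; its content stays in history (Recon 22)."""
    return [(path, c["hash"]) for c in commits for path in c["deleted"]]


def suspicious_commits(commits):
    """Hashes of commits whose message mentions a credential-like word (Recon 23)."""
    return [c["hash"] for c in commits if SECRET_WORDS.search("\n".join(c["message"]))]


if __name__ == "__main__":
    commits = parse_git_log(SAMPLE_GIT_LOG)
    print("external authors:", external_authors(commits))
    print("deleted files:", deleted_files(commits))
    print("messages to review:", suspicious_commits(commits))
```

Deleting a file in a later commit, as the first commit in the sample does, removes nothing: the blob is still reachable from the earlier commit, which is why the remedy for a committed key is rotating it, not deleting it.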

23. Recon 24 - Look for a file named key.txt in the place used to serve the assets for the main website.

  • Open hackycorp.com

  • Open DevTools > Network

  • Look at the domain name assets.hackycorp.com

  • assets.hackycorp.com/key.txt

24. Recon 25 - Look for a file named key2.txt in the place used to serve the assets for the main website.

  • Open http://assets.hackycorp.com/key2.txt

  • Install the AWS CLI and configure it with your own AWS account

  • Use the command below: aws s3 cp s3://assets.hackycorp.com/key2.txt .
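The reason an unrelated AWS account can copy key2.txt straight out of the bucket is a bucket policy (or ACL) that grants s3:GetObject, and here also s3:ListBucket, to the anonymous principal "*". A website can still be served from S3 without that: restrict the policy to the CDN's identity and let the CDN front the bucket. The checker below is an added example for this guide, not PentesterLab's code; it evaluates two constructed bucket policies (the bucket name assets.example.com and the origin access identity id are placeholders) and lists every unconditional grant to everyone.

```python
import json

# Constructed bucket policy that makes every object world-readable and the bucket listable,
# which is what lets any AWS account run "aws s3 cp s3://<bucket>/key2.txt ." (bucket name made up).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::assets.example.com", "arn:aws:s3:::assets.example.com/*"],
    }],
})

# Corrected policy: only a CloudFront origin access identity (hypothetical id) may read objects,
# so the site is served through the CDN while the bucket itself is neither listable nor readable.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CdnReadOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEID"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::assets.example.com/*",
    }],
})


def _as_list(value):
    """Policy fields such as Action, Statement and Principal.AWS may be a single value or a list."""
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True for the principal forms that mean 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def public_s3_grants(policy_json):
    """Return [(sid, action)] for every unconditional Allow statement granted to everyone.

    Statements with a Condition block are skipped here because a condition narrows who
    matches; they still deserve a manual look, but they are not blanket public access.
    """
    policy = json.loads(policy_json)
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        for action in _as_list(stmt.get("Action", [])):
            grants.append((stmt.get("Sid", "<no Sid>"), action))
    return grants


if __name__ == "__main__":
    print("public grants in weak policy:", public_s3_grants(PUBLIC_READ_POLICY))
    print("public grants in restricted policy:", public_s3_grants(RESTRICTED_POLICY))
```

Policy review catches the explicit case; the account-level S3 Block Public Access setting is the guard that stops a future policy or ACL from reopening the bucket.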

25. Recon 26 - Look for a key in the JavaScript used by the main website.

  • Open assets.hackycorp.com

  • Open DevTools > Network

  • Filter JS traffic

  • Go to http://assets.hackycorp.com/js/script.js

  • Search for recon
