Recon 11

This challenge
For this challenge, your goal is to brute force a virtual host.

Virtual host brute forcing
In this challenge, you need to brute force a virtual host by only manipulating the Host header. There is no DNS resolution set up for this host. Therefore you will need to target hackycorp.com and brute force the virtual host (that ends in .hackycorp.com).

Enumerate vhosts; wordlist used: https://github.com/allyshka/vhostbrute

gobuster vhost -u http://hackycorp.com -w /media/sf_share/vhostbrute-master/vhostbrute-master/vhosts_all.list

Recon 12

This challenge
For this challenge, your goal is to access a load-balanced application hosted at the address balancer.hackycorp.com.

Load balancing
Serving requests for a single application can be done by multiple backends. It can pay off to send the same request multiple times to check if multiple backends are involved.

After requesting it a few times, the key appeared.

curl balancer.hackycorp.com
<h1>Well done! You solved recon_12 </h1>

The key for this exercise is 29e5c97c-7230-46ae-937c-6c56ff33b84f

Recon 13

This challenge
For this challenge, your goal is to retrieve the TXT record for key.z.hackycorp.com.

TXT Record
TXT records are often used to show that people own a domain or to store information to configure services. It's always a good idea to check for those.

Retrieve the TXT record for key.z.hackycorp.com

nslookup -q=txt key.z.hackycorp.com

Recon 14

This challenge
For this challenge, your goal is to perform a zone transfer on z.hackycorp.com.

Zone transfer
Zone transfers are usually used to synchronise multiple DNS servers. Only a list of pre-defined hosts should be able to perform this operation. However, it's sometimes possible to retrieve this information, and it can give you access to new hosts.

DNS zone transfer vulnerability

dig @z.hackycorp.com z.hackycorp.com axfr

Recon 15

This challenge
For this challenge, your goal is to perform a zone transfer on the internal zone named: "int" using the nameserver of z.hackycorp.com.

Zone transfer
Zone transfers are usually used to synchronise multiple DNS servers. Only a list of pre-defined hosts should be able to perform this operation. However, it's sometimes possible to retrieve information from internal zones by asking publicly available servers.

Query the int zone

dig @z.hackycorp.com int axfr

Recon 16

This challenge
For this challenge, your goal is to get the version of bind used by z.hackycorp.com.

Bind
Bind is one of the most commonly used DNS servers. If you know how to ask, it will reveal its version.

Get the DNS server version

dig @z.hackycorp.com version.bind chaos txt

Recon 17

This challenge
For this challenge, your goal is to look at the name of the developer who committed code for the organisation in the repository test1 on GitHub (you will need to find the GitHub account for Hackycorp first).

Find the GitHub account for Hackycorp

https://github.com/search?q=Hackycorp&type=users

Recon 18

This challenge
For this challenge, your goal is to look at the public repository of the developers of the organisation.

Look at the public repositories of the hackycorp developers

https://github.com/hackycorpdev/

Recon 19

This challenge
For this challenge, your goal is to look at the repository repo7 and find an email address that is not like the other one.

Why?
Developers often commit with the wrong email address and that may leak some information about personal accounts or internal systems.

Check the repo7 log

git clone https://github.com/hackycorp/repo7.git
cd repo7
git log
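
As an added example (not part of the original write-up), the shell functions below turn this manual git log review into a repeatable audit of your own repositories: they collect author and committer emails and report every identity whose email domain is not on an allow-list. It goes beyond the single-branch git log above by reading all refs and committer fields; the function names, the sample identities and the domains corp.example and mail.example are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit commit identities for emails outside the expected domains.

# list_identities REPO: print "Name <email>" for every author and committer
# on any ref (all branches and tags), one identity per line.
list_identities() {
    git -C "$1" log --all --format='%an <%ae>%n%cn <%ce>'
}

# unexpected_identities DOMAIN...: read "Name <email>" lines on stdin and
# print "count identity" for each identity whose email domain is not exactly
# one of the allowed DOMAINs (case-insensitive), rarest first.
unexpected_identities() {
    awk -v allowed="$*" '
        BEGIN {
            n = split(tolower(allowed), a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        {
            line = $0
            sub(/[ \t]+$/, "", line)
            # The email is the text inside the final <...> pair.
            if (!match(line, /<[^<>]*>$/)) next
            email = tolower(substr(line, RSTART + 1, RLENGTH - 2))
            k = split(email, part, "@")
            # No "@" at all (e.g. a bare hostname) yields an empty domain,
            # which is never allowed and is therefore reported.
            domain = (k > 1) ? part[k] : ""
            if (!(domain in ok)) seen[line]++
        }
        END { for (l in seen) print seen[l], l }
    ' | sort -n
}

# Constructed sample identities (not taken from any real repository).
sample_identities() {
    cat <<'EOF'
Alice Dev <alice@corp.example>
Alice Dev <alice@corp.example>
Bob Ops <bob@CORP.example>
Alice Dev <alice.personal@mail.example>
root <root@build01.int.corp.example>
Bob Ops <12345+bob@users.noreply.github.com>
EOF
}

# Demo on the constructed sample. On a real clone, run for example:
#   list_identities ./repo7 | unexpected_identities corp.example
sample_identities | unexpected_identities corp.example users.noreply.github.com
```

Matching is exact on the domain, so a build host such as build01.int.corp.example is reported even though it sits under the allowed corp.example, which is the kind of internal-system leak described above.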

Recon 20

This challenge
For this challenge, your goal is to look at the repository repo3 and check different branches.

Why?
It's important to look at all branches as they may be used to store sensitive information.

Check the branches

https://github.com/hackycorp/repo3/branches