https://pentesterlab.com/

Recon 00

This challenge
For this challenge, your goal is to retrieve the robots.txt from the main website for hackycorp.com.

The robots.txt file
The robots.txt file is used to tell web spiders how to crawl a website. To avoid having confidential information indexed and searchable, webmasters often use this file to tell spiders to avoid specific pages. This is done using the keyword Disallow. You can find out more about the robots.txt file by reading about the Robots exclusion standard.
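
As an illustration, a robots.txt using Disallow could look like this (example paths, not hackycorp.com's actual file):

User-agent: *
Disallow: /admin/
Disallow: /backup/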

Retrieve robots.txt:

curl http://hackycorp.com/robots.txt   

Recon 01

This challenge
For this challenge, your goal is to generate a 404/"Not Found" error on the main website for hackycorp.com.

The 404 pages
Not Found/404 pages can leak information about the web stack used by a company or application. Checking them also helps you detect which files exist when you start brute-forcing directories. This is why it is important to check what the 404 page looks like.
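
As a quick sketch, curl's -w option prints the response status code, so you can confirm that an arbitrary path really returns a 404:

curl -s -o /dev/null -w "%{http_code}\n" http://hackycorp.com/this-page-does-not-exist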

Request a non-existent page to trigger a 404:

curl http://hackycorp.com/robots.txt1

Recon 02

This challenge
For this challenge, your goal is to retrieve the security.txt from the main website for hackycorp.com.

The security.txt file
The security.txt file is used to tell security researchers how they can disclose vulnerabilities for a website. You can learn more about it here: securitytxt.org and on Wikipedia: Security.txt.
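
For illustration, a minimal security.txt (example values, not hackycorp.com's actual file) looks like this:

Contact: mailto:security@example.com
Expires: 2026-01-01T00:00:00.000Z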

Retrieve the well-known security.txt file:

curl https://hackycorp.com/.well-known/security.txt

Recon 03

This challenge
For this challenge, your goal is to find a directory with directory listing enabled on the main website for hackycorp.com.

Directory Listing
When accessing a directory on a webserver, multiple things can happen:

an "index" file is present and it will get returned. N.B.: the file is not necessarily named index, this can be configured. But most of the time, the file will be named index.html
no "index" file is present and the webserver will list the content of the directory. This can obviously leak information.
Directory indexing can be disabled on most web servers. For example, with Apache, you can use the option -Indexes.
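
As a sketch of the corresponding Apache configuration (the directives are standard, the path is an example):

<Directory /var/www/html>
    Options -Indexes
</Directory>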

To find directories with indexing turned on, you can browse the source of the HTML pages and look at the directories used to store files. Once you have a list of directories, you can access each of them individually.

Find a directory with indexing enabled by following the internal links on the home page; alternatively, brute force with a wordlist:

gobuster dir -u https://hackycorp.com/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Recon 04

This challenge
For this challenge, your goal is to find a directory that is commonly used to manage applications.

Interesting directories
When accessing a new webserver, it often pays off to manually check for some directories before starting to brute force using a tool. For example, you can manually check for /admin/.
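
A minimal sketch that checks a few common management paths (the directory names are just typical guesses, not a definitive list):

for dir in admin administrator manage login; do
    curl -s -o /dev/null -w "%{http_code} /$dir/\n" "https://hackycorp.com/$dir/"
done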

Access the admin directory:

curl https://hackycorp.com/admin/

Recon 05

This challenge
For this challenge, your goal is to find a directory that is not directly accessible.

Fuzzing directories
When accessing a new webserver, it often pays off to brute force directories. To do this, you can use many tools like patator, FFUF or WFuzz (amongst many others).
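
For example, with FFUF (assuming the same dirbuster wordlist used elsewhere in this writeup), a run could look like this:

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://hackycorp.com/FUZZ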

To find a directory that is not directly linked, brute forcing is recommended:

gobuster dir -u https://hackycorp.com/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Recon 06

This challenge
For this challenge, your goal is to access the default virtual host ("vhost").

Default Vhost
When accessing a new webserver, it often pays off to replace the hostname with the IP address or to provide a random Host header in the request. To do this, you can either modify the request in a web proxy or use curl -H "Host: ....".
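
A quick sketch of both approaches (the Host value below is an arbitrary placeholder; the IP address is the one resolved in Recon 07):

curl http://51.158.147.132/
curl http://hackycorp.com/ -H "Host: nonexistent.example"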

Access the default vhost; its hostname can be found in the SSL certificate:

curl http://66177e3f25e3ea0713807b1dc5f0b9df.hackycorp.com/

Recon 07

This challenge
For this challenge, your goal is to access the default virtual host ("vhost") over TLS.

Default Vhost over TLS
When accessing a new webserver, it often pays off to replace the hostname with the IP address or to provide a random Host header in the request. To do this, you can either modify the request in a web proxy or use curl -H "Host: ....". This time, you need to check the TLS version of the website to get the key.

Access the site using the host's IP address:

ping hackycorp.com
curl -k https://51.158.147.132/
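
The -k flag is needed because the certificate will not match the bare IP address. As a sketch, adding -v also prints the negotiated TLS version during the handshake:

curl -kv https://51.158.147.132/ -o /dev/null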

Recon 08

This challenge
For this challenge, your goal is to access the alternative names in the certificate.

Alternative names
When accessing a TLS server, it often pays off to check the content of the certificate used. It's common for TLS servers to have certificates that are valid for more than one name (called Subject Alternative Names). Looking for alternative names can be done in your client or by using openssl.
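
A minimal openssl sketch that dumps the alternative names from the certificate:

openssl s_client -connect hackycorp.com:443 -servername hackycorp.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"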

Access the host listed as an alternative name in the certificate:

curl https://66177e3f25e3ea0713807b1dc5f0b9df.hackycorp.com/

Recon 09

This challenge
For this challenge, your goal is to access the headers from responses.

Header inspection
When accessing a web server, it often pays off to check the responses' headers. It's common to find information around version and technologies used.

Inspect the response headers:
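
A minimal example; -I makes curl send a HEAD request and print only the response headers:

curl -I https://hackycorp.com/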

Recon 10

This challenge
For this challenge, your goal is to use visual reconnaissance. You will need to find the website with the key in red.

Visual Reconnaissance
For this challenge, the web applications are hosted under: 0x["%02x"].a.hackycorp.com as in:

0x00.a.hackycorp.com
0x01.a.hackycorp.com
...
0x0a.a.hackycorp.com
0x0b.a.hackycorp.com
...
If you haven't done visual reconnaissance before, you can try to use the tool Aquatone to get images that you can browse easily to find the right key.

Generate all the candidate subdomains with Python:

# Generate every hostname matching the 0x["%02x"] pattern:
# two hex digits, so 0x00 through 0xff (256 candidates).
urls = ['http://0x%02x.a.hackycorp.com' % i for i in range(256)]
for url in urls:
    print(url)
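
Assuming the script above is saved as gen_subdomains.py (the filename is just an example), write its output to the target list used below:

python3 gen_subdomains.py > targets.txt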

Use Aquatone to screenshot every page, then look for the key shown in red:

cat targets.txt | ./aquatone -ports 80