
You finished Lab 08. Here's what stuck.

A short recap of the moves you used to map an attack surface — keep them close. Recon is 80% of every successful breach. The next lab pivots to the other side: you're the defender now.

Module complete · web-recon-hidden-assets

You walked the surface, broke into the backups, found the dev vhost, and pulled the flag out of a leaked dotenv. Recon is not a phase — it's a habit. Every engagement starts here.

XP earned: +300 XP
Difficulty: Medium
Time spent: ~45 min
Track: ML

Recap · the five moves · keep close
  1. Probe · what is here? Every recon starts with the cheapest question. curl -I http://target/ gives you the Server and X-Powered-By headers; together with robots.txt, that is enough to plan the next move.
  2. Fuzz · common paths are common for a reason. ffuf -w common.txt -u http://target/FUZZ sprays the well-known endpoints — /backup.zip, /admin/, /.git/. Operators leave these in production more often than you'd think.
  3. Leak · most leaks are accidents inside backups. Unzip the backup, grep for credentials. HTML comments, .bak files, old branches in .git/ — the source is usually the betrayal.
  4. Vhost · one IP, many hostnames. curl -H 'Host: dev.target' http://target/ pivots into the dev environment that ships with debug flags and looser auth. A backup mentioned the hostname; you used it.
  5. Own · the flag was waiting in plaintext, behind a header. The dev vhost served /.env with the flag because Flask's debug mode wasn't disabled. Defence: never let recon traffic reach a debug-mode app.
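
Seen from the defender's side, the five moves leave a recognisable trail in access logs. The following added example (not part of the lab's own material) triages a constructed log for path spraying, sensitive files answered with 200, and requests that reach a non-public vhost. The log layout, PUBLIC_HOSTS and the miss threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (not lab data). Assumed layout: virtual host first,
# then common-log-format fields.
SAMPLE_LOG = """\
target 203.0.113.7 - - [01/Jan/2025:10:00:01 +0000] "HEAD / HTTP/1.1" 200 0
target 203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "GET /robots.txt HTTP/1.1" 200 64
target 203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /admin/ HTTP/1.1" 403 153
target 203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /.git/ HTTP/1.1" 404 153
target 203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /login.php HTTP/1.1" 404 153
target 203.0.113.7 - - [01/Jan/2025:10:00:10 +0000] "GET /backup.zip HTTP/1.1" 200 48213
dev.target 203.0.113.7 - - [01/Jan/2025:10:04:30 +0000] "GET /.env HTTP/1.1" 200 120
target 198.51.100.20 - - [01/Jan/2025:10:05:00 +0000] "GET / HTTP/1.1" 200 5120
target 198.51.100.20 - - [01/Jan/2025:10:05:01 +0000] "GET /favicon.ico HTTP/1.1" 404 153
"""

LINE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})\b')
SENSITIVE = re.compile(r"^/(\.env$|\.git(/|$)|backup\.zip$|.*\.bak$)")
PUBLIC_HOSTS = {"target"}   # assumed allowlist of hostnames meant to be public
FUZZ_MIN_MISSES = 3         # assumed threshold: distinct 403/404 paths per client

def triage(log_text):
    """Return (fuzzers, exposures, stray_hosts) found in the log text."""
    misses = defaultdict(set)
    exposures, stray_hosts = [], []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue        # skip lines that do not fit the assumed layout
        host, client, _method, path, status = m.groups()
        if status in ("403", "404"):
            misses[client].add(path)          # many distinct misses = spraying
        if status == "200" and SENSITIVE.match(path):
            exposures.append((host, path, client))   # file should never be served
        if host not in PUBLIC_HOSTS:
            stray_hosts.append((host, client))       # Host header reached a non-public vhost
    fuzzers = sorted(c for c, p in misses.items() if len(p) >= FUZZ_MIN_MISSES)
    return fuzzers, exposures, stray_hosts

if __name__ == "__main__":
    fuzzers, exposures, stray_hosts = triage(SAMPLE_LOG)
    print("path spraying from:", fuzzers)
    print("sensitive files served:", exposures)
    print("non-public vhosts reached:", stray_hosts)
```

Any entry in the second or third list is a finding on its own, whether or not the client also tripped the spraying threshold.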
Next module

Lab 09 · SOC Log Triage & Intrusion Timeline

Switch sides. Four log sources, one intrusion. Reconstruct an end-to-end attack — brute force, successful login, sensitive data read, and outbound exfil — from log lines alone.
