Map the attack surface before you swing.
A short primer on web recon — the cheap, polite, high-signal moves you run BEFORE any exploit. Watch all the way through, then move to the animated simulation to see the same five beats with the traffic flowing.
Lesson · Web recon fundamentals
~6 min
Summary · what to remember
1. The first question is: what is here? Before any payload, ask the server politely — headers, banners, robots.txt, sitemaps. Recon trims the search space.
2. Common paths are common for a reason. /admin, /api, /backup.zip, /.git — dirbusting catches what defaults left behind.
3. Most leaks are accidents inside backups. HTML comments, source files, dotenvs in zips — every artifact a developer forgot to remove becomes intelligence for the attacker.
4. One IP, many hostnames. dev.target ships things prod won't. A spoofed Host header switches the response on the same server.
5. The flag was waiting in plaintext. Debug-mode Flask served .env as a static asset. No exploit needed — just the right Host header and a polite GET.
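The five beats above are also what a defender sees in the access log. The following is an added example (not part of the lesson) that runs detection logic over constructed log lines: it flags a client that bursts 404s on the common paths listed above, that sends Host values outside the known vhost list, and, worst case, that gets a 200 on a sensitive path such as .env. The log format (combined log with the Host header appended as a final quoted field), the hostnames and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: combined log format plus the request Host as the last quoted field.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /robots.txt HTTP/1.1" 200 312 "prod.target.example"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153 "prod.target.example"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api HTTP/1.1" 404 153 "prod.target.example"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /backup.zip HTTP/1.1" 404 153 "prod.target.example"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /.git/HEAD HTTP/1.1" 404 153 "prod.target.example"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /.env HTTP/1.1" 200 88 "dev.target.example"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 5120 "prod.target.example"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)
# The paths the lesson names as the usual dirbusting targets, plus the .env leak.
SENSITIVE_RE = re.compile(r'^/(admin|api|backup[^/]*|\.git(/.*)?|\.env)$')

def parse(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(log_text, known_hosts, probe_threshold=3):
    """Return {client_ip: findings} for clients that show recon or leak indicators."""
    per_ip = defaultdict(lambda: {"probes_404": 0, "unknown_host": 0, "leaks": []})
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        f = per_ip[rec["ip"]]
        sensitive = bool(SENSITIVE_RE.match(rec["path"]))
        if sensitive and rec["status"] == "404":
            f["probes_404"] += 1           # guessing paths that do not exist
        if sensitive and rec["status"] == "200":
            f["leaks"].append((rec["host"], rec["path"]))  # a sensitive path actually served
        if rec["host"] not in known_hosts:
            f["unknown_host"] += 1         # Host header not one of our published vhosts
    alerts = {}
    for ip, f in per_ip.items():
        reasons = []
        if f["probes_404"] >= probe_threshold:
            reasons.append("dirbust")
        if f["unknown_host"]:
            reasons.append("vhost-probe")
        if f["leaks"]:
            reasons.append("leak")
        if reasons:
            alerts[ip] = {"reasons": reasons, **f}
    return alerts
```

A "leak" finding is the one to act on first: it means the server answered a sensitive path with content, so the fix is on the server (static-folder scope, debug mode, unpublished vhosts), not on the client.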
Quick check · before you continue
Q: You have only a single hostname as scope. What's the highest-signal first move?