How do I know if it's neccessary to change /etc/hosts for a machine?

So I’ve stumbled upon a strange occurance that I honestly had no idea existed until now. I was stuck on a medium machine for around a day or two, trying and researching virtually every exploit and vulnerability I could find for it, but in the process of looking at an unrelated writeup I noticed that they mentioned adding an entry to /etc/hosts. Now, I’m aware of what /etc/hosts does and all of that, and I looked at the other forum post here (Linux host files - Other - Hack The Box :: Forums) about it. Couldn’t seem to find much else in regards to it though since apparently it’s quite an undocumented thing? (Or maybe that’s just me. I just couldn’t really find much else on it.) The main thing I’m asking which differs from the aforementioned forum post though is how exactly I would know if adding the host entry is important to solving the CTF or not. (Since I recently discovered that, in regards to sub-domains, it’s required). And, more specifically, what exact domain I should map the IP address too, given how the person in the forum reply said it isn’t always “[boxname].htb” (assuming it matters much of course). Is it only really important when it’s explicitly mentioned somewhere on the machine (Website, etc.)? Or is there some other type of formula? I know this post is probably much longer than it needed to be, and maybe I’m just overthinking it for the most part. The concept was just very new to me when I found out about it.

1 Like

Since I struggled with missing hosts entries more than I’m willing to admit, I started making a habit out of it: At first, I only add [boxip] [boxname].htb to my hosts file and access the machine’s website with that hostname. When a TLS certificate (or other information on the website, like e.g. links) indicates other names (or subdomains), I add those to the existing entry in my hosts file. Because: When no “server” or “virtual host” is defined for the specific hostname, the same page will get returned as when I accessed the IP. But in cases where a dedicated virtual host for certain domain names is defined, I won’t get stuck on a default “It works” page, with nothing coming out of ffuf/gobuster.

1 Like

I am with @HomeSen 100% here. I’ve also tripped up by getting the hostname wrong and now, routinely add boxname.htb to the hosts. Only other bits I can think to add: - Its all down to enumeration. You don’t “know” what hostname to use or what subdomains might be in use. Your recon/enumeration needs to discover this. - You can fuzz subdomains by making use of the way HTTP requests work. You can try different host headers and see if you get different responses. - When you visit the available services, things like email addresses give hints as to hostnames. For example, if you see a reference to emails john@otherdomain.boxname.htb or even john@notboxname.htb, its worth adding them to the hosts file and trying to see if they give a different response.

1 Like

This is actually a very good question, and in no way limited to HTB/CTFs. You would not believe how many times while conducting a pentest I was able to find completely unrestricted path traversal vulns, by accessing the same IP, but connecting to a different vhost (with the vhost’s domain name corresponding to the same site using the same assets, but being in a different language etc) . In other situations, accessing the site using the IP address directly instead of its domain name might reveal similar lack of security, or - if hosted on a shared server - might just redirect you straight to the server specifc admin panel. The best way to think about the whole situation is to imagine the resolution operating in a manner similar to telephone switchboards, especially when it comes to needing to connect to one particular extension. The local /etc/hosts file is akin to your contact list in your phone, where all the names corresponding to phone numbers are specified by you, but nonetheless have no actual intrinsic meaning on their own. Imagine a situation of someone adding a number to their contact list and labelling it “Wife - Work”. Later, they use the contact name by itself (name resolution) instead of the phone number to call their wife at work, only to have the receptionist (whatever the IP itself connects you to) pick up the phone. The receptionist will not redirect them further until they provide an appropriate name or line extension (Host header), and obviously the locally set “Wife - Work” will mean absolutely nothing. When we fuzz vhosts, all we are essentially doing is calling that same receptionist again and again, first asking to speak to John, and if there is no John, then calling again and this time asking for Dave and so on. This approach only works when the name ( the vHost domain name ) is something that can already be found in a general wordlist, or can be discovered through other means. If the only employee that you can be connected to is named “Aas!!@31dfas KT43adsaf$#%” you will be calling that receptionist till the end of time. Now, how can we determine if there is this imaginary receptionist (Apache VirtualHost for example) on the other end, which will redirect us to an existing name/extension, when we only have an IP address to begin with? Ironically enough, because this IP address happens to be the point of entry to several different virtual hosts, its nmap scan will usually be lit up like a christmas tree with multiple open ports and running services, and its SSL cert being available for viewing. It will be the same exact thing that happens whenever anyone calls a random number that corresponds to an office building’s reception desk: The first person who answers is guaranteed to greet you with “Company XYZ and Sons, how may I help you today?” , providing you with the public name of the company behind that random unknown phone number. Web Hosting services, where a domain name can resolve to a single IP but can still direct you to different vHosts are exactly the same: If you reach their home-base address, they will usually jump at the opportunity to let you know who they are and the types of services they provide. ----------------------------------- Summary: 1. The /etc/hosts is only our personal local helper (the hosts file was originally used to store known domain-IP pairs for later use, in the days before DNS became the current standard) for resolving domain names to IP addresses. 2. However, these custom domain names that we specify in /etc/hosts are completely arbitrary - while HTB’s usual structure is [machine-name].htb, this is not something we would we would normally know beforehand during a test when starting with nothing but an IP address) 3. The /etc/hosts is not designed to work in reverse (but this can be exploited), and the IP address can be used directly for running nmap, enumeration, and/or accessing the server’s port 80 etc. 4. Since the single IP address points to one physical server that may host several vhosts, the hosting company will likely have some type of informational page/admin-panel waiting for us when we try to access it with the IP address directly. 5. Any server with multiple vHosts accessible with one IP address can be a goldmine when examined with nmap, and its additional scripts will typically give you a plethora of info. ----------------------------- **“Exploiting” /etc/hosts name resolution: in reverse** - Make the following IP(facebook) -domain(google) pair to your /etc/hosts 157.240.241.35 www.google.com google.com - Then, from terminal run curl 142.250.80.100 -Lv to curl one of Google’s IPs. **Result:** curl receives a 301 Moved status from Google, telling them to go to http://www.google.com instead. Thiis address now again gets checked against our entries in/etc/hosts ,where our added hosts line redirects it to one of Facebook’s servers instead. However, Facebook however does not seem to use HSTS and this request gets forwarded and responds with Status 400. You don’t even need to use curl, and going to www.google.com in an incognito window should work as well.

1 Like

I still have on confusion, why is there a need for setting up vhosts? I mean if we enter the IP behind google in browser it will open up Google for us and there was no DNS resolution involved similarly in case of HTB, if we have IP why cant we just use that IP to open the web interface why do we need to set up vhost?

For example, in my case I have some IP of Ignition box when I open it, instead of opening the site, it redirects me to ignition.htb which shows nothing, but if I add the same entry to etc/hosts file, then it works. This behavior is strange and beyond my understanding. If I am hitting ignition.htb without entering it to etc/hosts then it should return error as it cant resolve it to the IP, but if I am directly entering the IP then why is it redirecting to ignition.htb

P.s This Ignition box is in starting point

I had the same question to, and to an extent I think for the most part it doesn’t matter.

Though, using domains can have a few extra perks (like subdomains and basically anything SSL-related for instance), so in some boxes it can kind of become a big deal since it allows for the placement of more vulnerabilities as compared to just a standard IP address. Not to mention how it’s just easier to type [box].htb rather than the IP every time.

Also for your redirection question, I had the same thing occur to me a few times. I think it’s because the IP address is valid, but when you connect to it it requires the usage of a specific domain and thus redirects you toward that domain.

1 Like

vhosts are common in the real world-- it’s perfectly normal to deploy multiple sites on the same IP address, and vhosts are the only way to accomplish that.