was working on the easy doctor box, and got stuck on the page. Normally I add a host in my file beforehand. After being stuck for 3 hours I looked at some writeups to give me a hint and all of them showed login pages in there web dir scanning that I never saw. so my question is: does it matter what the hostname is to access certain parts of a site? and if so why? if you want to point me to an article or book that would also suffice. Thank you for taking the time to help me
Certain things Because there isn’t DNS setup for the lab. So to access something by hostname, you need to define it somewhere for your system. Hostnames can be used when hosting multiple sites on the same IP for example. The hostname tells the server where to send the traffic. It’s not uncommon to need to configure /etc/hosts
for boxes.
I see, but I added the host as doctor.htb and I couldnt find the login page, but when I changed it to doctors.htb I did, so why does my host name have to match theirs?
Thanks again
“Virtual Hosting”, where a single server responds with different content at different hostnames, isn’t uncommon and something you might see in the real world. You’ll come across some machines on HTB where you need to enumerate hostnames (or at least just guess, based on contextual clues)
Here’s some examples from Apache: VirtualHost Examples - Apache HTTP Server Version 2.4
In fact, this very thread reminded me that I hadn’t done any subdomain enumeration on the box I was stuck on, and-- I found a couple of potentially useful things!
HTTP Servers can “route” requests based on Port, Headers and the requested URI.
When you request http://doctor.htb, the Server reads all your request headers:
GET / HTTP/1.1
Host: doctor.htb
[…]
Depending on how the HTTP Server is configured, it can parse the Host:
header and in turn serve different content. In Apache, you can achieve that with VirtualHost blocks:
<VirtualHost *:80>
DocumentRoot /var/www/htdocs
[...]
</VirtualHost>
<VirtualHost doctors.htb:80>
DocumentRoot /var/www/doctors
[...]
</VirtualHost>
In that case, all requests that do not send a Host: doctors.htb
header are answered with resources from /var/www/htdocs
. If the header is present, the DocumentRoot is set to /var/www/doctors
and you are served a site under that path.
Likewise, you can configure the server to serve different things under different Ports, that’s why HTTP and HTTPS can be different sites
<VirtualHost *:443>
And routing based on the URI path is common, too:
<VirtualHost *:80>
DocumentRoot /var/www/htdocs
<Location "/api/" >
DocumentRoot /var/www/app
</Location>
</VirtualHost>
That’s of course just scratching the surface, you can also route requests based on any other data such as Client IP, Time, requested File Extension, Server IP, etc.
This is bead-and-butter stuff for developing, deploying, maintaining, and of course hacking WebApps/Servers.
I suggest you fiddle around with it on your own box, it’s fast and easy to set up (Apache/nginx) and a lot can be learned. Slap some arbitrary hostnames in /etc/hosts to 127.0.0.1 and hack away. Try to make a reverse proxy while you’re at it, ie. instead of setting different DocumentRoots, actually proxy the traffic to a different Port or IP. This is commonly used for WebApps other than PHP, and on most docker hosts to serve and load-balance different containers.
Thank you!
Great info and it makes sense thanks