Sharpen Your Recon Skills for Free: Claim Our Free Recon Badge Today

Published: 03 Jun 2025

Enumeration is where every great hack starts. Our Recon Badge gives you a realistic playground to master those first, crucial steps of an engagement. And you can access it for free. No credit card or fancy VM needed; all you need is a regular AWS account to access a protected S3 bucket.

Why Recon Beats Guesswork

Before you exploit, you need to explore. Reconnaissance uncovers the juicy bits that many devs accidentally leave exposed:

  1. Forgotten robots.txt and security.txt entries that point to hidden paths
  2. Info-leaking 404 pages and verbose headers
  3. Directory listings that reveal source code and backups
  4. Misconfigured TLS, DNS, and S3 buckets
  5. Secrets buried in Git history, waiting for the right grep

Think of recon as the map you draw before picking the lock. Skip it and you stumble in the dark. Nail it and half the job is done.

What You Will Tackle Inside the Badge

The badge is split into bite-sized labs. Each lab unlocks the next, and every one gives you a flag so you always know when you nailed it. Below is a high-level tour; the exact flags stay secret until you dive in.

  1. Classic Web Enumeration – harvest robots.txt, security.txt, custom 404 pages, directory listings, and hidden admin paths.
  2. Virtual Host Shenanigans – swap hostnames for raw IPs, push your own Host header, and extract SANs from TLS certificates.
  3. Visual Reconnaissance – sift through a fleet of hosts (0x00.a.hackycorp.com to 0x0f.a.hackycorp.com) to spot the page with a red key. Pro tip: feed the list to Aquatone for instant screenshots.
  4. DNS Games – query TXT records, abuse AXFR to pull zones (even an int internal zone), and grab the BIND version with version.bind.
  5. GitHub Intelligence – locate Hackycorp’s org, hunt dev names in commit history, scan branches, find deleted files, and spot “odd one out” email addresses.
  6. CDN and S3 Treasure Hunt – pull stray key.txt files, exploit the “Any AWS user” quirk to access key2.txt, and read hard-coded tokens from bundled JavaScript.

Self-directed Challenge

Already feel confident with your reconnaissance skills? Skip the step-by-step instructions and go on a treasure hunt. Point your tools at hackycorp.com, dig into every service you can reach, and see how many badge flags you can capture unaided. Treat it like a real-world engagement, then compare your haul with the lab solutions to spot blind spots in your process.

What You Need (Spoiler: Almost Nothing)

You only need a personal AWS account with just enough permissions to access an S3 bucket you don't own.

Tools are flexible. We give examples with curl, openssl, ffuf, and git. Use Burp, Nuclei, or pure PowerShell if that is your flavor. Flags are agnostic.

Skills You Will Walk Away With

  1. Rapid host and sub-domain discovery techniques
  2. Smart directory and vhost brute-forcing
  3. Fingerprinting stacks via headers and TLS metadata
  4. DNS misconfiguration exploitation, including zone transfers
  5. Practical Git trawling for secrets and context
  6. S3 permission edge cases that bug bounty hunters love

Ready to claim your badge and flex those recon muscles?

Start the Free Recon Badge

Tweet your badge or tag us on LinkedIn or Twitter when you finish. We love seeing people smash their recon goals, and we may even send you stickers!

Recon is the cornerstone of every successful assessment. Spend a weekend with this badge and you will never look at a domain name the same way again.

Questions or feedback? Hit us up on Twitter or LinkedIn.

Written by PentesterLab
The platform to learn web hacking and security code review