HTB Guardian

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://0xdf.gitlab.io/2026/02/28/htb-guardian.html
• Blog Title: HTB: Guardian
• Suggested Section: Pentesting Web -> IDOR (add subsection on authenticated IDOR fuzzing at scale with ffuf + jq) and/or Generic Methodologies & Resources -> External Recon Methodology (vhost discovery via Host header fuzzing with ffuf)

🎯 Content Summary

HTB “Guardian” (Linux) – Web-to-root attack chain overview

The post documents a compromise of a PHP-based university portal on a Linux host. The full chain (as stated by the author) is:

1. Recon identifies vhost routing and discovers portal.guardian.htb.
2. Default credentials (GU1234) + predictable student IDs grant initial portal access.
3. An IDOR in the chat feature leaks other users’ conversations and is used to find Gitea cre...

   🔧 Technical Details

   Host-header vhost discovery: When a target redirects to a hostname (e.g., guardian.htb), it often uses name-based virtual hosting. Fuzz the Host header with ffuf (-H "Host: FUZZ.guardian.htb") and use -ac to auto-calibrate and spot response deltas (e.g., 302 vs baseline), then add discovered vhosts to /etc/hosts for resolution.

   Combinatorial brute force with ffuf using process substitution + markers: If usernames are structured (e.g., GU{000-999}{2020-2026}) and there’s a known/default password, generate wordlists on-the-fly using bash process substitution (-w <(seq -w 000 999):COUNT -w <(seq 2020 2026):YEAR) and place markers into POST data (username=GUCOUNTYEAR&password=GU1234). ffuf will try all combinations by default, and -mode can change that behavior.

   Authenticated IDOR enumeration + deduplication with jq: When an endp...

   🤖 Agent Actions

   Summary:

   1. Added authenticated, combinatorial IDOR enumeration workflow using ffuf + jq de-duplication in src/pentesting-web/idor.md.
   2. Added Host-header vhost discovery note with ffuf -ac to the external recon methodology and linked the blog in references.

   Files changed:

   1. src/pentesting-web/idor.md
   2. src/generic-methodologies-and-resources/external-recon-methodology/README.md

   Tests: Not run.

   ---

   This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/2026/02/28/htb-guardian.html

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> IDOR (add subsection on authenticated IDOR fuzzing at scale with ffuf + jq) and/or Generic Methodologies & Resources -> External Recon Methodology (vhost discovery via Host header fuzzing with ffuf)".

Repository Maintenance:

• MD Files Formatting: 949 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0