HTB - Academy - Attacking Web Applications with FFuF name resolution issues

I am currently doing the Attacking Web Applications with ffuf module in the academy working in pwnbox. I got through the sub-directory parts without issue. I could easily fuzz any of the IP/Ports, but when i get to the DNS section for subdomain fuzzing, using https://hackthebox.eu as an example, I cannot get it to work. ffuf completely errors out every time. I’ve copied and pasted the example script from the module into my shell and it still fails. Running ffuf with the verbose switch doesn’t do anything, because i don’t believe it is reaching the host at all.

Steps I’ve taken:

  1. Added IP address for hackthebox.eu to etc hosts
  2. Tried to ping hackthebox.eu, google, 8.8.8.8. all fail.
  3. traceroute fails to every site and IP address.
  4. ifconfig/ip a shows tun0 connected to 10.10.14.45
  5. if I go back in the module an load a machine, i can connect to that without issue. If i resolve it in etc hosts to academy.htb that works fine too.
  6. confirmed that 1.1.1.1 and 8.8.8.8 are in etc resolv.config
  7. I can use the host command, i can use the dig command without issues.
  8. Restarted my local PC just for kicks, no luck.

I’ve scoured the forums and google and can’t seem to find an answer to this, and to add insult to injury, if i try the suggested ffuf scan outside of pwnbox/outside of vpn the waf throttles me to oblivion so i can’t even get the subdomain that way.

I’m sure its either probably an issue with pwnbox or something really dumb that i’m missing, but i am frustrated and just want to continue the lesson.

Adding the debug-log output to ffuf i can now see that https://hackthebox.eu is being resulved as academy.htb and failing. I’m not sure if this is an error or by design for the course, just something i’ve no noticed.

edit: nevermind, it is very late and my target in this case was academy.htb. Lesson to always look when upscrolling your shell.

Still can’t fuzz hackthebox though. No idea why its not resolving names. Everything is set right.

@Jier said:

Still can’t fuzz hackthebox though. No idea why its not resolving names. Everything is set right.

It’s a little bit more complex than it might appear.

Start with being clear on what “It” is in this context. The only thing which resolves names in this context is your hosts file. That appears to be working.

So when you add an IP address to your hosts file like:
10.0.0.1 hackthebox.eu

it means every web request to http://hackthebox.eu (for example) will go to http://10.0.0.1. When the server gets the packet, it will contain a hosts header telling the server what website you are requesting. If the server recognises the host you have requested, it returns content. If it doesn’t it can do something else (often user configured) - ranging from simply dropping the packets to sending you other content.

This is how we can get the following to work:

10.0.0.1 hackthebox.eu
10.0.0.1 hackthebox.ue
10.0.0.1 hackboxex.ai
10.0.0.1 www.hackthebox.eu
10.0.0.1 imaginary.hackthebox.eu

They all go to the same IP address and the server responds based on the host header.

Now, you are sending packets to a server that redirects requests to hackthebox.eu to academy.htb. Everything is working as intended.

I’m experiencing the same issue in the same section of the module. Since the vpn’s key download feature has been removed from the academy, I’m using the pwnbox and I really don’t know what I have to do to resolve this dns resolution issue: I tried to retrive the IP address of ‘hackthebox.eu’ and I noticed it changes very often; anyway i’ve added those IP’s to the '/tec/hosts