Hi!
I have been stuck for a few days now, and I don’t know what I’m doing wrong.
The question is:
Enumerate the target and find a vHost that contains flag No. 1. Submit the flag value as your answer (in the format HTB{DATA}).
When I run FFUF on it and want to go to, for example, blog.inlanefreight.htb, then everything is the same webpage: the Ubuntu Apache page.
When I go to HTTP://inlanefreight.htb, then I get a flag 1, but when I fill it in, it says that it isn’t the right answer.
I added the findings from FFUF to /etc/hosts/ with the given target-ip.
I am gonna help you because I received a lot of help here too. To get the correct results from ffuf, you need to ensure that the IP address after -u has an http in front (e.g. http://1.1.1.1). In addition, the -H parameter needs to have NO http in front (e.g. Host: FUZZ.example.com).
Also remove all your hosts entries related to HTB from /etc/hosts, if any. It should be working after this.
Btw your flag 1 is incorrect. You will know once you get the results from ffuf.
HTB does not explain these modules very well. It is disappointing.
FUZZing is the easiest way, but HTB, again, screws it up by giving a bad example of the command line.
ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612
Of course you should insert the correct host and your target IP, which will look something like this...
ffuf -w ./vhosts -u http://10.129.42.195 -H "HOST: FUZZ.inlanefreight.htb" -fs 612
But this still doesn't work even though it is HTB's example.
What they don't tell you is to totally eliminate the ./vhost and replace that with the given wordlist in the module. It will look like this...
ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u http://10.129.42.195 -H "HOST: FUZZ.inlanefreight.htb" -fs 612
Remember, use your target IP for this. Mine is just an example. And the word list works.
Your output will show many lines. Look for the ones that appear "different".
Then use curl
curl -s http://10.129.42.195 -H "Host: ******.inlanefreight.htb"
The ***** is the name, for example...
curl -s http://10.129.42.195 -H "Host: accounts.inlanefreight.htb"
The rest is on you.
I think HTB leaves something incomplete to make us solve it ourselves and gain experience. Anyway, the module has all the commands that we need: if we pay attention to “MATCHER OPTIONS:” and “FILTER OPTIONS:”, there are 3 very useful options (-mr, -mc, -fs). With -mc 200 we can match only “Status: 200”, with -mr “FLAG No. 1” we can match only the page with this text inside, and lastly -fs skips all the noise.
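What the -fs 612 filter and the advice to look for lines that appear "different" amount to, as an added example that is not part of the original thread: the server's catch-all virtual host answers every unknown Host header with the same page, so the most common response size is the baseline and only the rows that deviate from it need a closer look. The sample output, host names and every size other than 612 are constructed for illustration.

```python
import re
from collections import Counter

# Start of an ffuf terminal result line, e.g.
#   blog      [Status: 200, Size: 612, Words: 42, Lines: 25]
RESULT_RE = re.compile(
    r"^(?P<word>\S+)\s+\[Status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+)"
)
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")  # colour codes, if ffuf ran with -c

# Constructed sample output (names and non-612 sizes are invented).
SAMPLE_OUTPUT = """\
:: Progress: [6/6] :: Job [1/1] :: Errors: 0 ::
www                     [Status: 200, Size: 612, Words: 42, Lines: 25]
mail                    [Status: 200, Size: 612, Words: 42, Lines: 25]
staging                 [Status: 200, Size: 1450, Words: 97, Lines: 40]
blog                    [Status: 200, Size: 612, Words: 42, Lines: 25]
intranet                [Status: 403, Size: 277, Words: 20, Lines: 10]
ftp                     [Status: 200, Size: 612, Words: 42, Lines: 25]
"""


def parse_results(text):
    """Return (word, status, size) for every result line; skip everything else."""
    rows = []
    for line in text.splitlines():
        m = RESULT_RE.match(ANSI_RE.sub("", line).strip())
        if m:
            rows.append((m["word"], int(m["status"]), int(m["size"])))
    return rows


def triage(text):
    """Return (baseline_size, rows whose size differs from the baseline).

    The baseline is the most common size, i.e. the default vhost's page.
    Filtering on it is what passing that number to -fs does by hand.
    """
    rows = parse_results(text)
    if not rows:
        return None, []
    baseline = Counter(size for _, _, size in rows).most_common(1)[0][0]
    return baseline, [r for r in rows if r[2] != baseline]


if __name__ == "__main__":
    baseline, different = triage(SAMPLE_OUTPUT)
    print(f"baseline size (value for -fs): {baseline}")
    for word, status, size in different:
        print(f"{word}: status={status} size={size}")
```

If nearly every row has a different size, there is no stable baseline, and the size filter is the wrong tool for that target.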