I am stuck for a few days now, and I’m don’t know what I’m doing wrong.
The question is:
Enumerate the target and find a vHost that contains flag No. 1. Submit the flag value as your answer (in the format HTB{DATA}).

When I’m doing FFUF on it, and want to go to for example blog.inlanefreight.htb than everything is the same webpage. The webpage from the Ubuntu Apache page.
When i go to HTTP://inlanefreight.htb than I got a flag 1, but when I fill it in, it said that it isn’t the write answer.

I added the findings from FFUF to /etc/hosts/ with the given target-ip.

Can anyone tell me what I’m doing wrong, please?

I am gonna help you because I received many helps here too. To get the correct results from ffuf, you need to ensure that the IP address after -u contains a http in front (eg In addition, the -H parameter will need to have NO http in front (eg: Host:

Also remove all your hosts entry related to HTB from /etc/hosts, if any. Should be working after this.
Btw your flag 1 is incorrect. You will know once you get the results from ffuf.


Thank you verymuch

HTB does not explain these modules very well. It is dissapointing.
FUZZing is the easiest way, but HTB, again, screws it up by giving a bad example of the command line.

ffuf -w ./vhosts -u -H "HOST:" -fs 612

of course you should insert the correct host and your target IP which will look something like this...

ffuf -w ./vhosts -u -H "HOST: FUZZ.inlanefreight.htb" -fs 612

but this still doesnt work even though it is HTB's example.

What they dont tell you is to totally eliminate the ./vhost and relace that with the given wordlist in the module. It will look like this...

ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u -H "HOST: FUZZ.inlanefreight.htb" -fs 612

remember, use your target ip for this. Mine is just an example. And the word list works.

Your output will show many lines. Look for the ones that appear "different"

Then use curl
curl -s -H "Host: ******.inlanefreight.htb"

The ***** is the name, for example...
curl -s -H "Host: accounts.inlanefreight.htb"

The rest is on you.

I think htb leaves something incomplete to make us solve ourselves and make experience. Anyway in the module there are all command that we need, if we pay attention to “MATCHER OPTIONS:” and “FILTER OPTIONS:” there are 3 options very useful, (-mr -mc -fs ). With -mc 200 we can match only “Status: 200”, with -mr “FLAG No. 1” we can match only the page with this word inside and last -fs skip all noise.

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt  -H "Host: FUZZ.inlanefreight.htb" -u -mr "FLAG No. 1" -fs 10918 -mc 200

Proper ffuf flags were something that I was missing for long.

1 Like

It seems like you are participating in a capture-the-flag (CTF) or penetration testing challenge and are trying to find specific flags on a target system.

another tip is to use filters as a range… I notice that errors has all the same size lets say 50 so you can use -fs 50-51 at the end to filter the errors and -mc 200 to show only the 200 ok responses.

Another thing is, if you use the HTB virtual machine from the web you should get the wordlist from /usr/share/dirb/wordlists/common.txt you have the first 3 flags from there… I found 5 vhost but one of the flags are not correct and the ‘d’ one is tricky.