I am stuck for a few days now, and I’m don’t know what I’m doing wrong.
The question is:
Enumerate the target and find a vHost that contains flag No. 1. Submit the flag value as your answer (in the format HTB{DATA}).

When I’m doing FFUF on it, and want to go to for example blog.inlanefreight.htb than everything is the same webpage. The webpage from the Ubuntu Apache page.
When i go to HTTP://inlanefreight.htb than I got a flag 1, but when I fill it in, it said that it isn’t the write answer.

I added the findings from FFUF to /etc/hosts/ with the given target-ip.

Can anyone tell me what I’m doing wrong, please?

I am gonna help you because I received many helps here too. To get the correct results from ffuf, you need to ensure that the IP address after -u contains a http in front (eg In addition, the -H parameter will need to have NO http in front (eg: Host:

Also remove all your hosts entry related to HTB from /etc/hosts, if any. Should be working after this.
Btw your flag 1 is incorrect. You will know once you get the results from ffuf.


Thank you verymuch

HTB does not explain these modules very well. It is dissapointing.
FUZZing is the easiest way, but HTB, again, screws it up by giving a bad example of the command line.

ffuf -w ./vhosts -u -H "HOST:" -fs 612

of course you should insert the correct host and your target IP which will look something like this...

ffuf -w ./vhosts -u -H "HOST: FUZZ.inlanefreight.htb" -fs 612

but this still doesnt work even though it is HTB's example.

What they dont tell you is to totally eliminate the ./vhost and relace that with the given wordlist in the module. It will look like this...

ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u -H "HOST: FUZZ.inlanefreight.htb" -fs 612

remember, use your target ip for this. Mine is just an example. And the word list works.

Your output will show many lines. Look for the ones that appear "different"

Then use curl
curl -s -H "Host: ******.inlanefreight.htb"

The ***** is the name, for example...
curl -s -H "Host: accounts.inlanefreight.htb"

The rest is on you.

I think htb leaves something incomplete to make us solve ourselves and make experience. Anyway in the module there are all command that we need, if we pay attention to “MATCHER OPTIONS:” and “FILTER OPTIONS:” there are 3 options very useful, (-mr -mc -fs ). With -mc 200 we can match only “Status: 200”, with -mr “FLAG No. 1” we can match only the page with this word inside and last -fs skip all noise.

ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt  -H "Host: FUZZ.inlanefreight.htb" -u -mr "FLAG No. 1" -fs 10918 -mc 200

Proper ffuf flags were something that I was missing for long.

1 Like

It seems like you are participating in a capture-the-flag (CTF) or penetration testing challenge and are trying to find specific flags on a target system.

another tip is to use filters as a range… I notice that errors has all the same size lets say 50 so you can use -fs 50-51 at the end to filter the errors and -mc 200 to show only the 200 ok responses.

Another thing is, if you use the HTB virtual machine from the web you should get the wordlist from /usr/share/dirb/wordlists/common.txt you have the first 3 flags from there… I found 5 vhost but one of the flags are not correct and the ‘d’ one is tricky.

I’m stuck on the last one. Any help? I’ve already tried playing with the filters but i dont come up with anything new.

First of all the module does not teach you extensively more about it. You have to research a little.
this lesson is to teach you about subdomain or subdirectory in a website. so you can use gobuster also.
Another thing to note is dont add -fs first. What -fs does is it select the common size of all the namelist you use on ffuf. so if you see common size in namelist in ffuf its gonna be some number(status, size, words, lines, duration) you will see all. But -fs is for size which means it is to get common size.

I am writing this for myself and others so its gonna be easy for them. Dont look for answer rightaway.

HTB gives us enough to overcome the module, and well, seeing that they have already provided the answer above, I feel free to express how I solved it. So, HTB gives us the following subdomain: www.inlanefreight.htb. The first thing we would need to do is enumerate the domain inlanefreight.htb:

curl -s inlanefreight.htb

With this, we obtain the first flag. There is another way to obtain this flag and the following ones. If we interact by fuzzing the vhosts, we find that it gives us a status code of 200. Even when trying with vhosts that would be very unlikely to exist, such as ffmeshfetGFG.inlanefreight.htb, it still returns 200. One thing I noticed is that the “Content-Length” for non-existent Vhosts is always 10918. Using ffuf with this information, the command looks like this:

ffuf -w ./vhost -H "Host: FUZZ.inlanefreight.htb" -u -fs 10918

With a bit of patience, we will apply a curl to each discovered VHOST, obtaining the flag.

1 Like

All the flags can be found in same way

First Step

  • use ffuf with different list from SecLits/Discovery/DNS/
  • each time you do with a list then do the following and repeat with the next list from first step
ffuf -w /path/to/namelists -u -H "HOST: FUZZ.inlanefreight.htb" -fs 612 > domains.txt

Seccond Step

  • cat the domains.txt and find the size that is for most the same (mostly that is default size)
  • grep verses default size items (for example 10323) yours could be different
cat domains.txt | grep -v 10323

Third Step

curl -s -H "HOST: SudDomainFromGrepCommand.inlanefreight.htb" | grep -b5 -a5  "HTB"

Here’s how to fuzz it. Just adjust the vHost according to your needs.
ffuf -w ./vhosts -u -H “HOST: FUZZ.inlanefreight.htb” -fs 10198