If you already got the hash from the login page, decode it and enumerate subdomains.
It's the enumeration part that I can't seem to get to work.
I know what the subdomain is, but when I use gobuster vhost or ffuf I can't get any result, except when I put the subdomain in the /etc/hosts file - then I get a result
you need to put the shoppy.htb and the ip address first on the /etc/hosts before doing enumeration
I have shoppy.htb in the host file - but it doesn't work.
When I put .shoppy.htb in the hosts file, it works, but I am not supposed to have that in the host file because I shouldn't know it yet
Okay, I'm definitely stuck for 3 hours on the login part.
Can I PM someone because I'm about to give up.
Followed lots of docs available on the internet about the subject, nothing works, did I miss something?
You are welcome to pm me
ITT: Nobody knows N#S##i
Even after reading the source code, I get why it would work in theory, but I can't even find documentation about the way this operator is written.
Classic case of how can I find the answer if I don't even know the question…
Also shows how poorly this technique/vector is documented and understood in comparison to the other well-established vector.
If any Expert cares to explain why the payload works, please DM me.
edit: as usual, 30 seconds after posting I found the answer
Now it makes sense why the string is interpreted and allows other language "tokens"/operators.
I guess I'm the "expert" now, DM me if you need to know why the bypass payload works.
Ey, sorry for the delayed answer.
I used a list called "bitquark-subdomains-top100000.txt". It comes with SecList and is in usr/share/wordlist/SecLists/Discovery/DNS.
Since then, I use this one and it always works.
Got the user flag by logging in as j****r via ssh, but it doesn't seem to work. Why?
Update: Rooted. The root flag doesn't work either. :(
Same bruh
I use this one as well - still no result.
Only when I put the subdomain in the hosts file it works
Well…
Now, after multiple attempts I got it to work by switching my vpn and using ffuf
I used:
gobuster vhost -w /path/to/bitquarkslist.txt -u shoppy.htb
and
ffuf -u http://shoppy.htb -w /path/to/bitquarkslist.txt -H "Host: FUZZ.shoppy.htb"
Hope it works!
Guys help me. My gobuster vhost doesn't work. I know exactly what the subdomain is, so I created a file that contains only it, and it finds it only if I add the full URL in the wordlist ( [email protected]) but doesn't find the subdomain alone?? Help
gobuster vhost -u shoppy.htb -w ./list.txt
Mine doesn't find it, help me pls
It only finds it if I manually give the full path xxx.shoppy.htb
It can't find just xxx as subdomain :((
gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u shoppy.htb
mmmm mine works both:
-u http://shoppy.htb
and -u shoppy.htb
Have you echo "IP shoppy.htb" | sudo tee -a /etc/hosts?
I don't know what it can be
I don't know why, but the mat****** subdomain login page won't load for me. Any clues are appreciated, please
I don't know the problem with gobuster, but I was able to find the subdomain with the ffuf tool. Command for subdomain enum: ffuf -w wordlist -u domain_name -H "Host: FUZZ.domain_name"
Rooted!
Definitely it's all about enumeration. Using Seclists it's more than enough to crack the machine (at least for the user level).
PM if someone needs help
have you updated your hosts file?
10.10.11.180 shoppy.htb mat*******.shoppy.htb