Written by students who passed Immediately available after payment Read online or as PDF Wrong document? Swap it for free 4.6 TrustPilot
logo-home
Exam (elaborations)

Hack The Box: Attacking Enterprise Networks - Module 163 .

Rating
-
Sold
-
Pages
109
Grade
A+
Uploaded on
27-05-2026
Written in
2025/2026

Attacking Enterprise Networks: Link to challenge: (log in required) Class: Tier II | Medium | Offensive Before we begin: throughout the module we will need to configure our pwnbox /etc/hosts File by adding the line: [target machine IP] [required vhosts] To link the vhost to the target IP address. For example: It can be done with the command sudo nano /etc/hosts then pasting the configuration modification, and save and exit with ctrl+x. Throughout the module this process would be called ‘initial configuration’ External Testing External Information Gathering: Question: Perform a banner grab of the services listening on the target host and find a non-standard service banner. Submit the name as your answer (format: word_word_word) Answer: 1337_HTB_DNS Method: First, we will need do initial configuration on vhost ‘’ and the target IP. Now lets run nmap to check for any non-standard services, we will use the command: sudo nmap --open -p 1-10000 where our target of course is ‘’ (which we linked to the target machine IP), scanning for the first 1000 ports, displaying what of them are open: Lets inspect it further with the command: sudo nmap --open -p 1-10000 -A -oA inlanefreight_ept_tcp_all_svc saving the output in an output file called ‘inlanefreight_ept_tcp_all_svc’, as the output result is way way too much long and noicy, here is a small sample of it: Running ls we have those 3 formats of the output file Lets inspect further the ‘gnmap’ ( ) We will use the command: egrep -v "^#|Status: Up" inlanefreight_ept_tcp_all_ | cut -d ' ' -f4- | tr ',' 'n' | sed -e 's/^[ t]*//' | awk -F '/' '{print $7}' | grep -v "^$" | sort | uniq -c | sort - k 1 -nr And we have the answer here as ‘unknown banner’. Question: Perform a DNS Zone Transfer against the target and find a flag. Submit the flag value as your answer (flag format: HTB{ }). Answer: HTB{DNs_ZOn3_Tr@nsf3r} Method: we will run zone transfer on the domain using the command: dig axfr @ We can see the flag under the subdomain ‘’ Question: What is the FQDN of the associated subdomain? Answer: Method: see above. Question: Perform vhost discovery. What additional vhost exists? (one word) Answer: monitoring Method: we will run the command ffuf -w /usr/share/seclists/Discovery/DNS/:FUZZ -u to use ‘ffuf’ tool to brute force subdomains, using the wordlist which is built in, in the box in the path ‘/usr/share/seclists/Discovery/DNS/’: The subdomain that was found and is not detected in the zone transfer is ‘monitoring’. Service Enumeration & Exploitation: Question: Enumerate the accessible services and find a flag. Submit the flag value as your answer (flag format: HTB{ }). Answer: HTB{0eb0ab788df18c3115ac43b1c06ae6c4} Method: we will check the ftp service, we will run the command: ftp target-IP and on the credentials we will enter ‘anonymous’ for username and blank password: Running ‘ls’ we can see there is , lets download it to the pwnbox machine with the command: get Lets exit the ftp server, and cat the flag we had just downloaded: Web Enumeration & Exploitation: Question: Use the IDOR vulnerability to find a flag. Submit the flag value as your answer (flag format: HTB{}). Answer: HTB{8f40ecf17ffa5728c159e46} Method: First, we will need do initial configuration on vhost ‘’ and the target IP. When its done, lets enter in the pwnbox browser the URL: ‘’ lets create an account: Then lets login to it

Show more Read less
Institution
Hack The Box
Course
Hack The Box

Content preview

Attacking Enterprise Networks:
Link to challenge: https://academy.hackthebox.com/module/163
(log in required)
Class: Tier II | Medium | Offensive


Before we begin: throughout the module we will need to configure our
pwnbox /etc/hosts File by adding the line:
[target machine IP] [required vhosts]
To link the vhost to the target IP address. For example:



It can be done with the command
sudo nano /etc/hosts
then pasting the configuration modification, and save and exit with ctrl+x.
Throughout the module this process would be called ‘initial configuration’

,External Testing
External Information Gathering:
Question: Perform a banner grab of the services listening on the target host
and find a non-standard service banner. Submit the name as your answer
(format: word_word_word)
Answer: 1337_HTB_DNS
Method: First, we will need do initial configuration on vhost
‘inlanefreight.local’ and the target IP.


Now lets run nmap to check for any non-standard services, we will use the
command:
sudo nmap --open inlanefreight.local -p 1-10000
where our target of course is ‘inlanefreight.local’ (which we linked to the target
machine IP), scanning for the first 1000 ports, displaying what of them are
open:




Lets inspect it further with the command:
sudo nmap inlanefreight.local --open -p 1-10000 -A -oA
inlanefreight_ept_tcp_all_svc
saving the output in an output file called ‘inlanefreight_ept_tcp_all_svc’, as the
output result is way way too much long and noicy, here is a small sample of it:

,Running
ls
we have those 3 formats of the output file




Lets inspect further the ‘gnmap’ (




)
We will use the command:
egrep -v "^#|Status: Up" inlanefreight_ept_tcp_all_svc.gnmap
| cut -d ' ' -f4- | tr ',' '\n' | sed -e 's/^[ \t]*//' | awk
-F '/' '{print $7}' | grep -v "^$" | sort | uniq -c | sort -
k 1 -nr




And we have the answer here as ‘unknown banner’.

,Question: Perform a DNS Zone Transfer against the target and find a flag.
Submit the flag value as your answer (flag format: HTB{ }).
Answer: HTB{DNs_ZOn3_Tr@nsf3r}
Method: we will run zone transfer on the domain using the command:
dig axfr inlanefreight.local @inlanefreight.local




We can see the flag under the subdomain ‘flag.inlanefreight.local’


Question: What is the FQDN of the associated subdomain?
Answer: flag.inlanefreight.local
Method: see above.


Question: Perform vhost discovery. What additional vhost exists? (one word)
Answer: monitoring
Method: we will run the command
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt:FUZZ
-u http://inlanefreight.local/ -H
'Host:FUZZ.inlanefreight.local' -fs 15157
to use ‘ffuf’ tool to brute force subdomains, using the wordlist namelist.txt
which is built in, in the box in the path
‘/usr/share/seclists/Discovery/DNS/namelist.txt’:

,The subdomain that was found and is not detected in the zone transfer is
‘monitoring’.


Service Enumeration & Exploitation:
Question: Enumerate the accessible services and find a flag. Submit the flag
value as your answer (flag format: HTB{ }).
Answer: HTB{0eb0ab788df18c3115ac43b1c06ae6c4}
Method: we will check the ftp service, we will run the command:
ftp <target-IP>
and on the credentials we will enter ‘anonymous’ for username and blank
password:

,Running ‘ls’ we can see there is flag.txt, lets download it to the pwnbox
machine with the command:
get flag.txt




Lets exit the ftp server, and cat the flag we had just downloaded:

,Web Enumeration & Exploitation:
Question: Use the IDOR vulnerability to find a flag. Submit the flag value as
your answer (flag format: HTB{}).
Answer: HTB{8f40ecf17f681612246fa5728c159e46}
Method: First, we will need do initial configuration on vhost
‘careers.inlanefreight.local’ and the target IP.
When its done, lets enter in the pwnbox browser the URL:
‘http://careers.inlanefreight.local’




lets create an account:




Then lets login to it

,And now when are logged in:




Here are the main dashboard of our user, pay attention that our user was
assigned the ‘id’ parameter of ‘9’.
Now – IDOR attack means ‘Insecure Direct Object Reference’, so lets try to
change the ID value to something else.. lets say 1:




We got the job list of another user! (note, it will not work without registering
first to our own user).
After some trial and error, lets try id=4:

,Question: Exploit the HTTP verb tampering vulnerability to find a flag. Submit
the flag value as your answer (flag format: HTB{}).
Answer: HTB{57c7f6d939eeda90aa1488b15617b9fa}
Method: First, we will need do initial configuration on vhost
‘dev.inlanefreight.local’ and the target IP.


Now, lets use ‘gobuster’ to enumerate the domain for pages, we will use the
wordlist ‘common.txt’ in ‘/usr/share/seclists/Discovery/Web-
Content/common.txt’ built in in the pwnbox.
We will use the command:
gobuster dir -u http://dev.inlanefreight.local -w
/usr/share/seclists/Discovery/Web-Content/common.txt -x .php
-t 300
where dev.inlanefreight.local is our vhost of course:




*
*

, Lets attempt to enter the ‘upload.php’ page, the status code is 200 so we
should succeed:




We got ‘403 forbidden’ response, which contradict the gobuster ‘upload.php’
status code ‘200’ response.
We need to examine the page further.
Lets use the web investigation and analysis tool ‘burpsuite’:
burpsuite
when entering, a burpsuite window will open, select ‘next’ and ‘start’ until we
see the burpsuite main dashboard:




Lets go to ‘proxy’  ‘open browser:

Written for

Institution
Hack The Box
Course
Hack The Box

Document information

Uploaded on
May 27, 2026
Number of pages
109
Written in
2025/2026
Type
Exam (elaborations)
Contains
Questions & answers

Subjects

$30.39
Get access to the full document:

Wrong document? Swap it for free Within 14 days of purchase and before downloading, you can choose a different document. You can simply spend the amount again.
Written by students who passed
Immediately available after payment
Read online or as PDF

Get to know the seller

Seller avatar
Reputation scores are based on the amount of documents a seller has sold for a fee and the reviews they have received for those documents. There are three levels: Bronze, Silver and Gold. The better the reputation, the more your can rely on the quality of the sellers work.
Scholarfriends University Of Arizona
View profile
Follow You need to be logged in order to follow users or courses
Sold
731
Member since
8 year
Number of followers
647
Documents
24
Last sold
5 year ago
Welcome for all notes and test banks.

Welcome for all notes, exam guides, and test banks among others. Feel free to contact me for custom and dedicated service.

3.8

19 reviews

5
9
4
4
3
2
2
2
1
2

Why students choose Stuvia

Created by fellow students, verified by reviews

Quality you can trust: written by students who passed their tests and reviewed by others who've used these notes.

Didn't get what you expected? Choose another document

No worries! You can instantly pick a different document that better fits what you're looking for.

Pay as you like, start learning right away

No subscription, no commitments. Pay the way you're used to via credit card and download your PDF document instantly.

Student with book image

“Bought, downloaded, and aced it. It really can be that simple.”

Alisha Student

Working on your references?

Create accurate citations in APA, MLA and Harvard with our free citation generator.

Working on your references?

Frequently asked questions