Useful CTF Commands: Gobuster

August 04, 2025

While helping new CTF (Capture the Flag) players with their first challenges, I noticed that it would be helpful to have an overview of commonly used commands and tools. These can significantly ease the process of solving CTF challenges. That’s why I decided to start a new blog article series called “Useful CTF Commands”, where I introduce useful tools along with ready-to-use examples — so you don’t have to memorize every single parameter.

In this first post, I’ll introduce gobuster.

GoBuster

Gobuster is a tool for brute-forcing hidden files and directories, virtual hosts, DNS entries, and more. I usually run it within the first few minutes of a web challenge on platforms like Hack The Box to enumerate the virtual hosts of the target web server, i.e., the additional hostnames (typically subdomains) for which the same server serves different content.

For example, if the machine is called example, the base domain is typically example.htb. Gobuster can then discover virtual hosts like grafana.example.htb or wiki.example.htb. Keep in mind that these .htb names do not exist in public DNS: you first add example.htb to /etc/hosts with the machine's IP address, and gobuster's vhost mode does no DNS lookups at all but sends every request to that address with a different Host header. Each virtual host it finds therefore also has to be added to /etc/hosts before you can open it in a browser.

For this, I use the subdomain wordlist provided by SecLists:
/usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt

VHost Bruteforce Example

$ gobuster vhost --wordlist /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt --url 'https://example.htb' --append-domain -k --random-agent
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             https://example.htb
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
[+] User Agent:      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.634.0 Safari/534.16
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: www.example.htb Status: 200 [Size: 13993]
Found: webmail.example.htb Status: 200 [Size: 5445]
Found: cloud.example.htb Status: 302 [Size: 0] [--> https://cloud.example.htb/login]
Found: autodiscover.example.htb Status: 404 [Size: 548]
Progress: 214 / 100001 (0.21%)

Option explanation:

--wordlist       Wordlist of candidate names, one per line
--url            Target the requests are sent to; the candidate name goes into the Host header, not into the URL
--append-domain  Appends the domain from --url to each word, so the word grafana is sent as Host: grafana.example.htb (without it, the bare word is used as the Host header)
-k               Skips TLS certificate verification (needed for the self-signed certificates typical of CTF boxes; not something to use against production targets)
--random-agent   Uses a randomly chosen User-Agent string instead of gobuster's default (picked once per run, as the banner shows)

Gobuster reports every name whose response differs from the baseline it fetched with a random Host header at startup, so a hit is not automatically a real virtual host; the 404 for autodiscover.example.htb above, for instance, is something to verify by hand. If the same status and size show up for many names, rerun with --exclude-length <size> to hide them.
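Since every real hit has to end up in /etc/hosts anyway, here is a small helper to turn gobuster's vhost output into a hosts line. This is an added example and not code from the original post or from gobuster; the target IP 10.10.11.5 and the sample output it runs on are constructed for the demo, and the function names vhost_names and hosts_line are my own.

```shell
# Added example, not part of the original post: post-process gobuster's vhost
# output into an /etc/hosts line. The target IP 10.10.11.5 and the sample
# output below are constructed for this demo.

set -eu

# Constructed sample in the "Found: ..." format gobuster vhost prints.
SAMPLE_OUTPUT='Found: www.example.htb Status: 200 [Size: 13993]
Found: webmail.example.htb Status: 200 [Size: 5445]
Found: cloud.example.htb Status: 302 [Size: 0] [--> https://cloud.example.htb/login]
Found: autodiscover.example.htb Status: 404 [Size: 548]
Found: ftp.example.htb Status: 404 [Size: 548]
Progress: 214 / 100001 (0.21%)'

# Read gobuster output on stdin and print one hostname per "Found:" line.
# Optional $1: a response size to skip, for hits that all share the size of the
# server's generic response (548 in the sample above).
vhost_names() {
    skip_size="${1:-}"
    awk -v skip="$skip_size" '
        /^Found: / {
            name = $2
            size = $0
            sub(/.*\[Size: /, "", size)   # drop everything before the size
            sub(/\].*/, "", size)         # drop everything after it
            if (skip != "" && size == skip) next
            print name
        }'
}

# Read hostnames on stdin and print a single /etc/hosts line "<ip> host1 host2 ...".
hosts_line() {
    ip="$1"
    names=$(tr '\n' ' ' | sed 's/ *$//')
    printf '%s %s\n' "$ip" "$names"
}

# Demo run on the constructed sample. Against a real target you would pipe
# gobuster in instead, e.g.:
#   gobuster vhost -u https://example.htb -w "$WORDLIST" --append-domain -k -q \
#       | vhost_names 548 | hosts_line 10.10.11.5
# and append the resulting line to /etc/hosts.
printf '%s\n' "$SAMPLE_OUTPUT" | vhost_names 548 | hosts_line 10.10.11.5
```

Passing the size of the repeated generic response to vhost_names does the same job as gobuster's --exclude-length, but after the fact, which is handy when you only notice the pattern once the scan has finished.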

Installation under Kali Linux

You can install gobuster together with the SecLists wordlists with:

$ sudo apt-get install gobuster seclists