Academy Skills Assessment - Web Fuzzing

I’m having quite a bit of difficulty with the Skills Assessment for Academy Module: Attacking Web Apps with Ffuf.

  • I’ve discovered 3 subdomains under academy.htb
  • I’ve discovered 3 extensions that are in use
  • On two of the subdomains I’ve found a single directory
  • On one of the two subdomains I’ve found a file under that directory.
    But the question that asks “One of the pages you will identify should say ‘You
    don’t have access!’. What is the full page URL?” doesn’t accept any form of the URL of the file that I’ve found.
  • I’ve fuzzed the parameters for that file under that directory, and discovered 1 parameter
  • I’ve tried to fuzz values for that parameter both using GET and POST and I’ve had no luck

??? I would greatly appreciate any guidance

1 Like

It doesn’t accept any form of the URL of the file that I’ve found.

Try using the word “PORT” instead of the real port, e.g. http://URL:PORT/directory/…

3 Likes

Sheehandustryn,
Figured it out.

So to fuzz all the subdomain pages at once, I’m using a for loop like this:

# Loop over the three discovered subdomains; the port belongs after the host, not before it.
for sub in archive test faculty; do
  ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ \
       -u "http://$sub.academy.htb:30862/FUZZ" \
       -recursion -recursion-depth 1 -e .php,.phps,.php7 -v -t 200 -fs 287 -ic
done

But I’m curious if anyone knows if there is a more streamlined way to fuzz multiple subdomain pages at once?

Thanks, that happened to me too.

You could create a wordlist just for the subdomains you want to test OR you can just use stdin for the same purpose, like this:

# printf instead of echo: bash's echo does not expand \n without -e, so the three
# names would arrive as a single line. Two -w lists put ffuf in clusterbomb mode,
# so every subdomain is paired with every directory word.
printf 'test\narchive\nfaculty\n' | ffuf -w /dev/stdin:SUB -w directory-list-2.3-small.txt:FUZZ \
  -u "http://SUB.academy.htb:$PORT/FUZZ" -recursion -recursion-depth 1 -e .php,.php7,.phps -ic -t 200 -fs 287,284

I have found this way to be kinda clean.

Of course, this is inefficient in the sense that not all of the subdomains share the same extensions. But it does the trick!

1 Like

By the way, you can just use - instead of /dev/stdin. It is much cleaner, but I was not sure if ffuf accepted that syntax :smile:

If you’re seeing this, bump that thread count to 200!!! (-t 200) Trust me, it’ll be soooo much better; it cut the recursion step down from about 50 min to like 15.

Spoiler - I’m trying to find the right parameters and it’s not finding anything. I’m not sure whether this is normal, and it’s getting annoying because I’m including all the right flags taught in the module.

Solved. By chance I decided to filter on the word count and ended up filtering out the solution… Simply filtering on the size does the trick…
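The last two posts describe the classic ffuf filtering trap: the “not found” baseline and the real hit happened to share a word count, so -fw removed both, while -fs kept the hit. The script below is an added example, not code from the thread or from the ffuf project. It reproduces ffuf’s size/words/lines metrics on constructed response bodies (not captured from the lab; the “You don’t have access!” text is the only thing taken from the assessment wording), applies -fs/-fw/-fl style filters to them, and reports which metric actually separates an outlier from the baseline. The word and line counting rule (split on a single space and on newline) is an assumption about ffuf’s internals; the candidate names value1..value4 are hypothetical.

```python
"""Why a -fw filter can hide the very page you are looking for.

ffuf drops responses by size (-fs), word count (-fw) or line count (-fl).
If the 'not found' baseline and the real hit share a word count, -fw
throws the hit away while -fs keeps it. This added example reproduces the
three metrics on constructed bodies and checks which single metric
separates an outlier from the baseline.
"""
from collections import Counter

# Constructed sample bodies (not captured from the lab). The second one
# carries the "You don't have access!" text the assessment asks about.
BASE_BODY = b"<html>\n<body>\n<p>That parameter is unknown!</p>\n</body>\n</html>\n"
HIT_BODY = b"<html>\n<body>\n<p>You don't have access!</p>\n</body>\n</html>\n"

# Hypothetical fuzz candidates: three baseline misses and one hit.
SAMPLE = {
    "value1": BASE_BODY,
    "value2": BASE_BODY,
    "value3": BASE_BODY,
    "value4": HIT_BODY,
}


def metrics(body: bytes) -> dict:
    """Size/words/lines the way ffuf reports them.

    Assumption: ffuf counts words as fields split on a single space and
    lines as fields split on a newline (so an empty body still reports
    1 word and 1 line). Check against your own baseline line if the exact
    numbers matter.
    """
    return {
        "size": len(body),
        "words": len(body.split(b" ")),
        "lines": len(body.split(b"\n")),
    }


def filter_responses(responses: dict, fs=(), fw=(), fl=()) -> list:
    """Names of responses that survive ffuf-style filters.

    ffuf drops a response if ANY configured filter matches it, which is why
    a single badly chosen -fw value can erase the hit.
    """
    kept = []
    for name, body in responses.items():
        m = metrics(body)
        if m["size"] in fs or m["words"] in fw or m["lines"] in fl:
            continue
        kept.append(name)
    return kept


def distinguishing_metrics(responses: dict) -> dict:
    """Treat the most common (size, words, lines) triple as the 'not found'
    baseline and report, per outlier, which metrics differ from it.

    Any metric NOT listed for an outlier is one you must not filter on,
    or that outlier vanishes from the output.
    """
    per_name = {name: metrics(body) for name, body in responses.items()}
    triples = Counter(tuple(sorted(m.items())) for m in per_name.values())
    baseline = dict(triples.most_common(1)[0][0])
    outliers = {}
    for name, m in per_name.items():
        diff = [k for k in ("size", "words", "lines") if m[k] != baseline[k]]
        if diff:
            outliers[name] = diff
    return outliers


if __name__ == "__main__":
    for name, body in SAMPLE.items():
        print(name, metrics(body))
    print("survive -fw 4 :", filter_responses(SAMPLE, fw=(4,)))
    print("survive -fs 64:", filter_responses(SAMPLE, fs=(64,)))
    print("what separates the outlier:", distinguishing_metrics(SAMPLE))
```

The practical habit this encodes: before adding any filter, run a handful of requests unfiltered (or with -ac for auto-calibration) and look at which of the Size, Words and Lines columns actually moves between the baseline and anything interesting. Filter only on a column that moves; here that is size, and filtering on words would silently discard value4.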