I’m having quite a bit of difficulty with the Skills Assessment for Academy Module: Attacking Web Apps with Ffuf.
- I’ve discovered 3 subdomains under academy.htb
- I’ve discovered 3 extensions that are in use
- On two of the subdomains I’ve found a single directory
- On one of the two subdomains I’ve found a file under that directory.
But the question that asks: One of the pages you will identify should say ‘You don’t have access!’. What is the full page URL? It doesn’t accept any form of the URL of the file that I’ve found.
- I’ve fuzzed the parameters for that file under that directory, and discovered 1
- I’ve tried to fuzz values for that parameter both using GET and POST and I’ve had no luck
??? I would greatly appreciate any guidance
It doesn’t accept any form of the URL of the file that I’ve found.
Try to use the word “PORT” instead of the real port, e.g. http://URL:PORT/directory/…
Figured it out.
So to fuzz all the subdomain pages at once, I’m using a for loop like this:
for sub in archive test faculty; do ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://$sub.academy.htb:30862/FUZZ -recursion -recursion-depth 1 -e .php,.phps,.php7 -v -t 200 -fs 287 -ic; done
But I’m curious if anyone knows if there is a more streamlined way to fuzz multiple subdomain pages at once?
thanks, that happened to me too
You could create a wordlist just for the subdomains you want to test OR you can just use stdin for the same purpose, like this:
printf 'test\narchive\nfaculty\n' | ffuf -w /dev/stdin:SUB -w directory-list-2.3-small.txt:FUZZ -u "http://SUB.academy.htb:$PORT/FUZZ" -recursion -recursion-depth 1 -e .php,.php7,.phps -ic -t 200 -fs 287,284
I have found this way to be kinda clean.
Of course, this is inefficient in the sense that not all of the subdomains share the same extensions. But it does the trick!
By the way, you can just use - instead of /dev/stdin. It is much cleaner, but I was not sure if ffuf accepted that syntax.
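
A dry-run sketch of the stdin approach from the reply above, added here as an example and not code from any poster or from the ffuf project: it checks that each subdomain label and the port are well formed, builds the URL with the host before the port, and prints the pipeline for review instead of running it. The function names are hypothetical; the port 30862, the wordlist name and the ffuf flags are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: dry run only, prints the ffuf pipeline instead of executing it.

# Emit one validated subdomain label per line (the format ffuf reads from -w).
# Rejects labels carrying a literal "\n", which is what an unexpanded echo yields.
sub_wordlist() {
    [ "$#" -gt 0 ] || { echo "no subdomains given" >&2; return 1; }
    for label in "$@"; do
        case "$label" in
            ''|*[!a-z0-9-]*) echo "bad label: $label" >&2; return 1 ;;
        esac
        printf '%s\n' "$label"
    done
}

# Build the URL template: host first, then :port, then the FUZZ path keyword.
url_template() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    printf 'http://SUB.academy.htb:%s/FUZZ\n' "$port"
}

# Print the complete pipeline so it can be checked before it is run.
ffuf_dry_run() {
    port=$1; shift
    url=$(url_template "$port") || return 1
    list=$(sub_wordlist "$@") || return 1
    count=$(printf '%s\n' "$list" | wc -l | tr -d ' ')
    printf '# %s subdomain entries will be read from stdin\n' "$count"
    printf 'printf %s %s | ffuf -w /dev/stdin:SUB -w directory-list-2.3-small.txt:FUZZ -u "%s" -recursion -recursion-depth 1 -e .php,.php7,.phps -ic -t 200 -fs 287,284\n' \
        "'%s\\n'" "$*" "$url"
}

# Constructed sample call using the values quoted in the thread.
ffuf_dry_run 30862 test archive faculty
```
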