Attacking web applications with ffuf

Hi, I’ve been stuck on portion 3 of the Attacking Web Applications with Ffuf module for a while now and was wondering if someone could tell me what I’ve done wrong.

The question is: “Try to use what you learned in this section to fuzz the ‘/blog’ directory and find all pages. One of them should contain a flag. What is the flag?”

I’ve tried:

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://139.59.181.223:30246/blog/FUZZ.php

and

ffuf -w /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://139.59.181.223:30246/blog/indexFUZZ

both of which didn’t yield any results to get me a flag. I’m wondering what it is I’m doing wrong, as I’ve re-read the entire lesson and still I remain unaware as to how I’m supposed to get anywhere.

Any tips in the right direction will be much appreciated!
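Added illustration, not the original poster’s commands and not ffuf’s own code: a small page fuzzer that spells out the workflow the question describes, so each step is visible in code rather than hidden behind flags. Step 1 fuzzes the extension of a page known to exist (the indexFUZZ idea), step 2 fuzzes page names only with the extensions that answered, and every request is filtered against a calibration baseline so a “soft 404” (HTTP 200 with the same not-found body) is dropped, not just a real 404; blank and “#” lines in the wordlist are skipped the way -ic does. The target is a constructed local server: its port, the /blog/index.php and /blog/secret.php pages, the flag text and the calibration filename are all assumptions made up for this example.

```python
# Added example (not from the original post, and not ffuf itself): a small
# page fuzzer that mirrors the workflow the question describes, so the
# steps are visible in code. It runs against a constructed local target;
# the port, paths, page names, flag text and calibration name are made up.
import http.client
import http.server
import threading
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlsplit


def probe(base_url, path, timeout=5):
    """Send one GET to base_url + path and return (status, body_length)."""
    u = urlsplit(base_url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "page-fuzzer-example"})
        resp = conn.getresponse()
        return resp.status, len(resp.read())
    finally:
        conn.close()


def calibrate(base_url, directory):
    """Like ffuf's -ac: fetch a name that cannot exist and record how the
    'not found' response looks, so a soft 404 (HTTP 200 with the same body
    size) can be filtered out as well as a real 404."""
    return {probe(base_url, f"{directory}/zz-calibration-9f8e7d.html")}


def clean_words(words):
    """Like ffuf's -ic: drop blank lines and '#' comment lines from a wordlist."""
    return [w.strip() for w in words if w.strip() and not w.strip().startswith("#")]


def fuzz(base_url, directory, words, exts, threads=20):
    """Request directory/<word><ext> for every combination, in parallel, and
    return (name, status, size) for responses that differ from the baseline."""
    baseline = calibrate(base_url, directory)
    candidates = [f"{w}{e}" for w in clean_words(words) for e in exts]

    def check(name):
        status, size = probe(base_url, f"{directory}/{name}")
        if status == 404 or (status, size) in baseline:
            return None
        return name, status, size

    with ThreadPoolExecutor(max_workers=threads) as pool:
        return [hit for hit in pool.map(check, candidates) if hit]


def find_extensions(base_url, directory, ext_list, known_page="index"):
    """Step 1 of the thread: fuzz the extension of a page known to exist
    (indexFUZZ) and return the extensions that answered."""
    hits = fuzz(base_url, directory, [known_page], ext_list)
    return [name[len(known_page):] for name, _, _ in hits]


def fuzz_pages(base_url, directory, words, ext_list):
    """Step 2: fuzz page names (FUZZ.php etc.) using only the extensions
    step 1 confirmed, instead of guessing one."""
    exts = find_extensions(base_url, directory, ext_list)
    return fuzz(base_url, directory, words, exts) if exts else []


# Constructed target standing in for the lab box: two PHP pages under
# /blog and a soft 404 (HTTP 200, fixed body) for everything else.
class _DemoHandler(http.server.BaseHTTPRequestHandler):
    PAGES = {
        "/blog/index.php": b"<h1>blog</h1>",
        "/blog/secret.php": b"HTB{constructed_example_flag}",
    }

    def do_GET(self):
        body = self.PAGES.get(self.path, b"<h1>Not here</h1>")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Start the constructed target on a free port; return (base_url, server)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv


if __name__ == "__main__":
    base, srv = start_demo_server()
    words = ["# directory-list style comment", "", "index", "admin", "secret"]
    for name, status, size in fuzz_pages(base, "/blog", words, [".php", ".html", ".aspx"]):
        print(f"{name:<12} [Status: {status}, Size: {size}]")
    srv.shutdown()
```

The same three ideas map onto real ffuf switches: -e .php appends the confirmed extension to every word, -ac auto-calibrates the not-found baseline, -ic skips comment lines, and -t sets the thread count; -recursion repeats the run inside directories it finds. The point the code makes is that a run with no hits is not necessarily a wrong command; a soft 404 that never returns 404 looks identical to an empty result unless the baseline is filtered.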

I used something similar to this. Maybe throw in the -ic to get rid of blank lines, although they shouldn’t break your whole command. Feel free to DM me with any errors you get after using it, I can probably help you troubleshoot them.

Anyone else experiencing very low speeds on this? Ffuf is only doing about 50-60 req/sec for me no matter how many times I reset the box.

Been stuck on the recursive section because the box times out before ffuf completes…

(Also experiencing a lot of lag on the HTB Academy website in general, no issue on other sites).

I swear this module is broken, I can’t get past the “page fuzzing” portion at all because various different errors keep occurring despite all my attempts being complete and valid.

A tip would be to proxy the requests through Burp to see the requests being made by ffuf, so it’s easy to debug.

Hi everyone! I’ve been stuck on the skills assessment the entire day due to extremely low request rate with Ffuf, approx 70 req/sec. Does anyone know what might be wrong?

I run a Kali VM on Windows 11. Have tried turning off my AV (Bitdefender) as well as my Mullvad VPN (both AV and VPN run on the Windows host). Bitdefender wasn’t turned off, but all protections were disabled.

PS. I get way better speeds from the pwnbox but don’t really want to use that. And the parameter and value fuzzing is super fast.

Hello, everyone. I just did the skills assessment. This one really relies on connection speed and choosing the right wordlist so it can be frustrating (it was for me at least haha). I took careful notes so if anyone wants help, send me a pm.

Good morning everyone.
I developed a small script based on this module that will help you finish it quickly and in the best way.
You can find it on GitHub by looking for “automatic ffufer”.
I hope you like it; let me know.
(I hope I haven’t violated any forum rules.)
A thousand thanks.

No need to go to the extreme.
Just scan it in a simple way like in the instructions.
And remember to manually check all pages from the output.