Help - ATTACKING WEB APPLICATIONS WITH FFUF

Hi, i’m stuck in a question “One of the pages you will identify should say ‘You don’t have access!’. What is the full page URL?” i discover the virtual host and the folder but i dont see what is the file i use application as ffuf wfuzz dirbuster gobuster but i cant resolve this; anybody can help me.

same problem, did you find the issue @klausneil ?

from the directory you found use /FUZZextension don’t use the -e option for ffuf
replace extension with whatever extension you’re testing for.
you’ll find what you need that way.

use directory-list-2.3-medium.txt

1 Like

got it, thanks

I was just about to make a new post regarding this question but figured it out as I was making the post -
After multiple attempts, I wasn’t able to enumerate the page name with the -e switch, even with the correct extension listed. Haven’t figured out why yet. Nonetheless, by manually performing the fuzz on the appropriate resource, I was able to see the page they were referring to. However, this started my biggest challenge, which was entering the answer as they preferred it.

After a successful curl and receiving the described text, I copy/pasted the URL into the answer section only to be met with an incorrect response. Thinking there may be another page, my pursuit continued. Hours later, I clicked on the HINT and realized the format they wanted it in. Argh!!!

1 Like

http://faculty.academy.htb:32451/courses/linux-security.php7 i am stuck too here can help me please

try replacing your port number with the word PORT in your answer

7 Likes

Thanks mate, this was very unintuitive :slight_smile: i dont want to have to click “Hint”

This is some crazy ■■■■… HTB just likes making life harder. The questions, hints and expected answer format takes way longer than completing the module itself. :hot_face: :rage:

You sir, are a lifesaver. Thank you

Here are some tips to help you find it:

  1. Think like a detective: What clues might the “No Trespassing” page have? Is there a specific error message? Does it mention any file names? Any unusual words or phrases?
  2. Double-check your tools: Make sure you’re using the right settings and commands for your tools. Sometimes a typo or a missing flag can make all the difference.
  3. Try a different approach: Maybe the “No Trespassing” page isn’t hidden behind a specific file. Could it be accessed through a different URL parameter or a hidden form?
  4. Ask for help: Don’t be afraid to reach out to online communities or forums. There are plenty of friendly hackers out there who are happy to lend a hand.

Remember, the key is to be patient, persistent, and creative. Think outside the box, experiment, and don’t give up! Finding that “No Trespassing” page is just a matter of time and a bit of detective work.

this helped