WEB FUZZING Skills Assessment

Resertie · August 14, 2024, 5:45pm

Same, I tried ffuf with this command

ffuf -w /home/resertie/Desktop/Scripts/SecLists/Discovery/Web-Content/common.txt -u http://academy.htb:41523/admin/panel.php?accessID=FUZZ -fc 200

I don’t get anything

h4ck3r28 · August 15, 2024, 8:35am

ffuf -u http://94.237.59.199:36870/admin/panel.php?accessID=FUZZ -ic -w /usr/share/seclists/Discovery/Web-Content/common.txt -fs 58

    /'___\  /'___\           /'___\       
   /\ \__/ /\ \__/  __  __  /\ \__/       
   \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
    \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
     \ \_\   \ \_\  \ \____/  \ \_\       
      \/_/    \/_/   \/___/    \/_/       

   v2.1.0-dev

:: Method : GET
:: URL : http://94.237.59.199:36870/admin/panel.php?accessID=FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 58

getaccess [Status: 200, Size: 68, Words: 12, Lines: 1, Duration: 147ms]
:: Progress: [4734/4734] :: Job [1/1] :: 267 req/sec :: Duration: [0:00:20] :: Errors: 0 ::

sinusQ · August 19, 2024, 8:03pm

Hi,
is it possible that this module/this skill assessment is currently being edited? I can’t fuzz /admin/panel.php but i found /admin/index.php

vHost or subdomain fuzzing didnt lead to anything…

Egxie · August 22, 2024, 12:26pm

Did you solve it yet? am stuck on the same issue here

4ggg · September 1, 2024, 4:11am

this is the full URL

http://hidden.fuzzing_fun.htb:PORT/godeep/stoneedge/bbclone/typo3/

remember to add hidden.fuzzing_fun.htb in /etc/hosts

TrinityW4sH3r3 · September 5, 2024, 4:55am

Quite simple, the hint was that the folders might be on fuzzing_fun.htb “or not” meaning there is a vhost subdomain somewhere.

The key difference between VHosts and sub-domains is that a VHost is basically a ‘sub-domain’ served on the same server and has the same IP, such that a single IP could be serving two or more different websites.

so in this example running this command will do the trick:

Command Line

ffuf -w SecLists/Discovery/Web-Content/common.txt:FUZZ -u http://fuzzing_fun.htb:PORT -H 'Host: FUZZ.fuzzing_fun.htb'
this will FUZZ any subdomains within the same IP. Be sure to add the found subdomains to your /etc/hosts file!

Hope this helps!

venom-pwn · September 5, 2024, 6:15pm

This is the correct answer : gobuster fuzz -u http://IP:PORT/admin/FUZZ.html -w WordlistPath/common.txt | grep -F “[Status=200]”

change the IP / PORT and the path to the wordlist

Topic		Replies	Views
Attacking web applications with ffuf Academy help	8	2274	April 6, 2024
NFORMATION GATHERING - Virtual Hosts Tutorials	13	8080	September 20, 2024
Academy - Attacking Web App with FFuF Off-topic ffuf	14	3946	July 4, 2023
Ffuf keeps making network drop out - Web Fuzzing Skills Assessment Academy network-troubleshoot	4	122	August 23, 2024
WEB FUZZING Skills Assessment Academy noob , academy	2	116	August 28, 2024

WEB FUZZING Skills Assessment

Related topics