
In this module, we explore the essential techniques and tools for fuzzing web applications, an essential practice in cybersecurity for identifying hidden vulnerabilities and strengthening web application security.
Web Fuzzing - Skills Assessment
To complete this Skills Assessment, you will need to apply the multitude of tools and techniques showcased throughout this module. All fuzzing can be completed using the common.txt
After completing all steps in the assessment, you will be presented with a page that contains a flag in the format of HTB{…}. What is that flag?
I started by doing subdomain fuzzing:
┌──(alan㉿kali)-[~/Documents/]
└─$ ffuf -u http://FUZZ.SERVER_IP:PORT -w common.txt
No results were found.
I continued with recursive path fuzzing:
┌──(alan㉿kali)-[~/Documents/]
└─$ ffuf -u http://SERVER_IP:PORT/FUZZ -w common.txt
We get:
- .htaccess
- .hta
- .htpasswd
- admin
- admin/index.php
- admin/panel.php
After exploring both results a bit, we find that panel.php has endpoints.
admin/panel.php?accessID=
┌──(alan㉿kali)-[~/Documents/]
└─$ ffuf -u http://SERVER_IP:PORT/admin/panel.php?accessID=FUZZ -w common.txt
admin/panel.php?accessID=REDACTED
There we are pointed to fuzzing_fun.htb:
Welcome to fuzzing_fun.htb! Your next starting point is in the godeep folder - but it might be on this vhost, it might not, who knows…
We add that one to /etc/hosts.
Then I tried:
┌──(alan㉿kali)-[~/Documents/]
└─$ ffuf -u http://fuzzing_fun.htb:42084/godeep/FUZZ -w common.txt -v -recursion -recursion-depth
No results
Next I went with:
┌──(alan㉿kali)-[~/Documents/]
└─$ ffuf -w common.txt:FUZZ -u http://fuzzing_fun.htb:42084/ -H 'Host: FUZZ.fuzzing_fun.htb' -fc 403
We get the result:
hidden
Added the hidden subdomain to the hosts file and started path fuzzing again:
┌──(alan㉿kali)-[~/Documents/]
└─$ ffuf -u http://hidden.fuzzing_fun.htb:42084/godeep/FUZZ -w common.txt -v --recursion --recursion-depth 4
There I found the flag.
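Seen from the server side, each of the three ffuf runs above (path, Host header, and accessID value fuzzing) leaves a distinct pattern in the access log. The following is an added example, not part of the original writeup: a small detector over a vhost-prefixed access log. The log format, the thresholds, the function names and all sample IPs and words are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format: vhost-prefixed combined log ('%v %h %l %u %t "%r" %>s %b').
LINE_RE = re.compile(r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
                     r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def detect_fuzzing(lines, min_distinct=10, min_miss_ratio=0.8):
    """Map client IP -> sorted list of fuzzing patterns seen in its requests."""
    seen = defaultdict(lambda: {"paths": set(), "vhosts": set(),
                                "queries": defaultdict(set), "total": 0, "misses": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path, _, query = m["target"].partition("?")
        s = seen[m["ip"]]
        s["total"] += 1
        s["misses"] += m["status"] in ("403", "404")
        s["paths"].add(path)
        s["vhosts"].add(m["vhost"].lower())
        if query:
            s["queries"][path].add(query)
    findings = {}
    for ip, s in seen.items():
        reasons = set()
        if len(s["paths"]) >= min_distinct and s["misses"] / s["total"] >= min_miss_ratio:
            reasons.add("path")       # many different paths, almost all rejected
        if len(s["vhosts"]) >= min_distinct:
            reasons.add("vhost")      # many different Host header values
        if any(len(q) >= min_distinct for q in s["queries"].values()):
            reasons.add("parameter")  # one endpoint, many different query values
        if reasons:
            findings[ip] = sorted(reasons)
    return findings

def sample_log():
    """Constructed sample traffic (documentation IP ranges, made-up words)."""
    ts, words = "[01/Jan/2025:10:00:00 +0000]", [f"word{i}" for i in range(15)]
    fmt = '{} {} - - ' + ts + ' "GET {} HTTP/1.1" {} 0'
    log = [fmt.format("10.0.0.5", "203.0.113.50", f"/{w}", 404) for w in words]
    log += [fmt.format(f"{w}.fuzzing_fun.htb", "203.0.113.51", "/", 403) for w in words]
    log += [fmt.format("10.0.0.5", "203.0.113.52", f"/admin/panel.php?accessID={w}", 200)
            for w in words]
    log += [fmt.format("10.0.0.5", "198.51.100.7", p, 200) for p in ("/", "/admin/")]
    return log

if __name__ == "__main__":
    print(detect_fuzzing(sample_log()))
```

The parameter check does not depend on status codes, since an endpoint like panel.php can answer 200 for every wrong value; the Host header check only works if the log records the requested vhost.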
