Skills Assessment — Web Fuzzing Module — HTB Academy Walkthrough
TIER 0 MODULE: WEB FUZZING
SECTION: Skills Assessment
Please open your Pwnbox or connect to the VPN in order to complete the tasks.
If you are not registered in HTB Academy, then use this link to register now: https://referral.hackthebox.com/mzxKOJt
1. After completing all steps in the assessment, you will be presented with a page that contains a flag in the format of HTB{…}. What is that flag?
Please read the instructions from the HTB Academy for this section:
- Multiple techniques are used, i.e. Vhost, Directory or File fuzzing.
- The only wordlist used is common.txt, located in seclists/Discovery/Web-Content.
- If you don't have seclists, download it by:
git clone https://github.com/danielmiessler/SecLists
With all prerequisites completed, let’s start the attack.
—
First of all, conduct a directory fuzzing attack:
ffuf -w <path-to-wordlist/common.txt> -u http://<target-ip>:<port>/FUZZ
Once we find the admin directory, we have to fuzz it again.
ffuf -w <path-to-wordlist/common.txt> -u http://<target-ip>:<port>/admin/FUZZ
⚠️ If you fuzz for directories again, nothing special will be found; try fuzzing for files instead.
ffuf -w <path-to-wordlist/common.txt> -u http://<target-ip>:<port>/admin/FUZZ -e .php,.html
On index.php it shows "Access Denied", but on panel.php we find something.
It says "Invalid parameter, please ensure accessID is set correctly", which means it needs an ID. Here parameter fuzzing comes into play.
Change the URL in ffuf to:
ffuf -w <path-to-wordlist/common.txt> -u http://<target-ip>:<port>/admin/panel.php?accessID=FUZZ -fs 58
There are many responses with Size: 58, so we filter them out with the -fs 58 flag.
After fuzzing, we find the value getaccess. Check it.
curl <target-ip>:<port>/admin/panel.php?accessID=getaccess
Again, we find some instructions which say "Head on over to the fuzzing_fun.htb vhost for some more fuzzing fun!".
Add this into your /etc/hosts file.
echo "<target-ip> fuzzing_fun.htb" | sudo tee -a /etc/hosts
Now check that URL for more instructions.
curl http://fuzzing_fun.htb:<port>
It says "Your next starting point is in the godeep folder — but it might be on this vhost, it might not, who knows…". This guides us to Vhost fuzzing to find the "godeep" directory.
First verify whether the godeep directory is present on the current host by visiting the URL. It is not found!
To fuzz for the Vhost, we have to fuzz the Host header.
ffuf -w <path-to-wordlist/common.txt> -u http://fuzzing_fun.htb:<port> -H 'Host: FUZZ.fuzzing_fun.htb' -fc 403
After fuzzing we find a Vhost named hidden.
Add this Vhost to the /etc/hosts file as well.
echo "<target-ip> hidden.fuzzing_fun.htb" | sudo tee -a /etc/hosts
Now start the fuzzing on the new Vhost, with the -recursion flag.
ffuf -w <path-to-wordlist/common.txt> -u http://hidden.fuzzing_fun.htb:<port>/godeep/FUZZ -recursion -fc 403 -v
-v -> Verbose output, displays full URLs instead of words.
-fc 403 -> Filters out all responses with status 403.
-recursion -> Recursively fuzz for directories.
As it recursively fuzzes the directory structure, the last result gives us the flag.
Check this URL for the flag.
curl http://hidden.fuzzing_fun.htb:<port>/godeep/stoneedge/bbclone/typo3/index.php
Answer: HTB{w3b_fuzz1ng_sk1lls}
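The defender's side of the same three techniques, added here as example code that is not part of the HTB module or the original walkthrough: the script parses an access log in an assumed vhost-combined layout and flags a client that shows a burst of 404s (directory/file wordlist), many distinct Host headers (Vhost fuzzing), or one path hit with many accessID values (parameter fuzzing). The log layout, the thresholds and the sample lines are all assumptions constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed vhost-combined style layout: <Host header> <client IP> [timestamp] "<request>" <status> <bytes>
LOG_RE = re.compile(r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$')

def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # skip malformed lines instead of crashing on them
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["path"], _, rec["query"] = rec["path"].partition("?")
            yield rec

def detect_fuzzing(lines, window=60, min_404=10, min_hosts=5, min_params=10):
    # Returns {client IP: sorted list of fuzzing patterns seen from that client}
    by_ip = defaultdict(list)
    for rec in parse(lines):
        by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        alerts = set()
        # Directory/file fuzzing: a wordlist walk leaves a burst of 404s inside a short window.
        t404 = sorted(r["ts"] for r in recs if r["status"] == "404")
        if any((t404[i + min_404 - 1] - t404[i]).total_seconds() <= window
               for i in range(len(t404) - min_404 + 1)):
            alerts.add("dir_fuzz")
        # Vhost fuzzing: the same client sends many different Host headers.
        if len({r["host"] for r in recs}) >= min_hosts:
            alerts.add("vhost_fuzz")
        # Parameter fuzzing: one path requested with many distinct query strings.
        per_path = defaultdict(set)
        for r in recs:
            per_path[r["path"]].add(r["query"])
        if any(len(qs - {""}) >= min_params for qs in per_path.values()):
            alerts.add("param_fuzz")
        if alerts:
            findings[ip] = sorted(alerts)
    return findings

# Constructed sample traffic (not a real capture): a scanner walking a short wordlist against paths, vhosts and the accessID parameter, plus an ordinary visitor who mistyped one URL.
WORDS = ["admin", "backup", "cgi-bin", "config", "css", "images", "js", "login", "old", "test", "tmp", "uploads"]
def _line(host, ip, sec, req, status, size):
    return f'{host} {ip} [05/May/2024:10:00:{sec:02d} +0000] "GET {req} HTTP/1.1" {status} {size}'
SAMPLE_LOG = (
    [_line("fuzzing_fun.htb", "10.10.14.5", i, f"/{w}/", 404, 58) for i, w in enumerate(WORDS)]
    + [_line(f"{w}.fuzzing_fun.htb", "10.10.14.5", 20 + i, "/", 403, 93) for i, w in enumerate(WORDS[:6])]
    + [_line("fuzzing_fun.htb", "10.10.14.5", 40 + i, f"/admin/panel.php?accessID={w}", 200, 58) for i, w in enumerate(WORDS)]
    + [_line("fuzzing_fun.htb", "10.10.14.9", 5, "/", 200, 1207), _line("fuzzing_fun.htb", "10.10.14.9", 9, "/abuot", 404, 58)]
)
```

Run `detect_fuzzing(SAMPLE_LOG)` to see the scanner flagged on all three patterns while the ordinary visitor with a single 404 is left alone; tune the thresholds to your own site's baseline.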
☣️ HAPPY ETHICAL HACKING ☣️
DISCLAIMER: THIS CONTENT DOES NOT BELONG TO ME, I AM JUST WRITING A WALK-THROUGH OF A FREE MODULE OF HACK THE BOX ACADEMY. (WRITING WALKTHROUGHS OF FREE MODULES IS PERMITTED BY HTB ACADEMY)