Validating Findings — Web Fuzzing Module — HTB Walkthrough
1 min readSep 9, 2024
TIER 0 MODULE: WEB FUZZING
SECTION: Validating Findings
Please open your pwnbox or connect to the vpn in order to complete the tasks.
If you are not registered in HTB Academy, then use this link to register now: https://referral.hackthebox.com/mzxKOJt
1. Fuzz the target system using directory-list-2.3-medium.txt, looking for a hidden directory. Once you have found the hidden directory, responsibly determine the validity of the vulnerability by analyzing the tar.gz file in the directory. Answer using the full Content-Length header, eg “Content-Length: 1337”
ffuf -u http://<target-ip>:<port>/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -fc 404 -ic-fc 404➡ Filter content with status 404.-ic➡ Ignore any comments in the wordlist.
After you found the ur-hiddenmember directory, then you have to know the content-length header. You can use curl for that:
curl -I http://<target-ip>:<port>/backup.tar.gz-I➡ Prints the headers of the request.
Check the content length header and submit it.
Answer: Content-Length: 210
☣️ HAPPY ETHICAL HACKING ☣️
DISCLAIMER: THIS CONTENT DOES NOT BELONG TO ME, I AM JUST WRITING A WALK-THROUGH OF A FREE MODULE OF HACK THE BOX ACADEMY. (WRITING WALKTHROUGHS OF FREE MODULES IS PERMITTED BY HTB ACADEMY)
