Skills Assessment - Web Fuzzing
Description:
To complete this Skills Assessment, you will need to apply the multitude of tools and techniques showcased throughout this module. All fuzzing can be completed using the common.txt SecLists Wordlist, found at /usr/share/seclists/Discovery/Web-Content.
TARGET: 94.237.55.38:53269
Challenge 1
After completing all steps in the assessment, you will be presented with a page that contains a flag in the format of HTB{...}. What is that flag?
Fuzzing directories/files
Start with a recursive directory fuzz using ffuf with the following command:
┌──(macc㉿kaliLab)-[~/htb]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -ic -v -u http://94.237.55.38:53269/FUZZ -e .html -recursion
Output:
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://94.237.55.38:53269/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Extensions : .html
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 76ms]
| URL | http://94.237.55.38:53269/.hta
* FUZZ: .hta
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/.htaccess
* FUZZ: .htaccess
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/.hta.html
* FUZZ: .hta.html
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/.htpasswd
* FUZZ: .htpasswd
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/.htaccess.html
* FUZZ: .htaccess.html
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/.htpasswd.html
* FUZZ: .htpasswd.html
[Status: 301, Size: 321, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/admin
| --> | http://94.237.55.38:53269/admin/
* FUZZ: admin
[INFO] Adding a new job to the queue: http://94.237.55.38:53269/admin/FUZZ
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/server-status
* FUZZ: server-status
[INFO] Starting queued job on target: http://94.237.55.38:53269/admin/FUZZ
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 76ms]
| URL | http://94.237.55.38:53269/admin/.htpasswd.html
* FUZZ: .htpasswd.html
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/admin/.htpasswd
* FUZZ: .htpasswd
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/admin/.hta
* FUZZ: .hta
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/admin/.htaccess
* FUZZ: .htaccess
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/admin/.htaccess.html
* FUZZ: .htaccess.html
[Status: 403, Size: 280, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://94.237.55.38:53269/admin/.hta.html
* FUZZ: .hta.html
[Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 77ms]
| URL | http://94.237.55.38:53269/admin/index.php
* FUZZ: index.php
:: Progress: [9446/9446] :: Job [2/2] :: 518 req/sec :: Duration: [0:00:18] :: Errors: 0 ::
- We have found an /admin directory. The .hta, .htaccess and .htpasswd hits (403, all 280 bytes) are Apache's default deny for dotfiles, not real content; the one readable hit under it is /admin/index.php (200, 13 bytes).
Notice that if we try to directly curl for example /admin/index.php we get:
┌──(myenv)─(macc㉿kaliLab)-[~/htb/web_fuzz/webfuzz_api]
└─$ curl http://94.237.55.38:53269/admin/index.php
Access Denied
- A bare "Access Denied" served with a 200 (which is why ffuf listed it) is an application-level block with nothing obvious to work with, so let's try something else.
Next, fuzz under the /admin directory again, this time with -e .php. The first run only appended .html, and index.php tells us the server speaks PHP, so we are looking for other .php files:
┌──(macc㉿kaliLab)-[~/htb]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -ic -v -u http://94.237.55.38:53269/admin/FUZZ -e .php
- No need for recursion here, since the first run already showed that /admin is the only directory on this vhost.
Output:
[Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 77ms]
| URL | http://94.237.55.38:53269/admin/index.php
* FUZZ: index.php
[Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 77ms]
| URL | http://94.237.55.38:53269/admin/index.php
* FUZZ: index.php
[Status: 200, Size: 58, Words: 8, Lines: 1, Duration: 77ms]
| URL | http://94.237.55.38:53269/admin/panel.php
* FUZZ: panel.php
:: Progress: [9446/9446] :: Job [1/1] :: 518 req/sec :: Duration: [0:00:21] :: Errors: 0 ::
- These are the 200 responses from the above fuzz. index.php shows up twice because common.txt contains both index and index.php, and -e .php appends .php to every entry.
- We already tried index.php, so our target is now panel.php.
Fuzzing the parameter
Let's curl the newly found panel.php:
┌──(macc㉿kaliLab)-[~/htb]
└─$ curl http://94.237.55.38:53269/admin/panel.php
Invalid parameter, please ensure accessID is set correctly
- This is our entry point: the application names the parameter it expects, accessID.
Let's run a simple GET parameter fuzz for accessID with ffuf and the common.txt wordlist:
┌──(macc㉿kaliLab)-[~/htb]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -ic -u 'http://94.237.55.38:53269/admin/panel.php?accessID=FUZZ' -fs 58
- -ic tells ffuf to ignore comment lines in the wordlist. It is not a case-insensitivity switch; ffuf matches and filters on status, size, words, lines and regex, not on letter case.
- -fs 58 is "filter by size": it drops every response whose body is 58 bytes, which is exactly the length of the "Invalid parameter, please ensure accessID is set correctly" message we just saw (and the size ffuf reported for panel.php). Anything that survives the filter is a request the application handled differently. If you would rather not measure the baseline by hand, -ac makes ffuf auto-calibrate the filters from a few junk requests.
- The URL is quoted because ? is a shell glob character; unquoted, bash only leaves it alone when no file in the current directory happens to match.
Output:
getaccess [Status: 200, Size: 68, Words: 12, Lines: 1, Duration: 77ms]
:: Progress: [4723/4723] :: Job [1/1] :: 520 req/sec :: Duration: [0:00:12] :: Errors: 0 ::
- We have got our parameter value: accessID=getaccess
Vhost fuzzing
Let's curl again with the known parameter value:
┌──(macc㉿kaliLab)-[~/htb]
└─$ curl http://94.237.55.38:53269/admin/panel.php?accessID=getaccess
Output:
Head on over to the fuzzing_fun.htb vhost for some more fuzzing fun!
- The application now points us to a new vhost, fuzzing_fun.htb.
The first step when encountering a new vhost is to map its name to the target IP in /etc/hosts so that we can address it by name. /etc/hosts maps names to IP addresses only, so the port does not belong in the entry; it stays on the URL, as in the curl below. sudo is needed for the write, which tee performs, not for the echo:
┌──(macc㉿kaliLab)-[~/htb]
└─$ echo "94.237.55.38 fuzzing_fun.htb" | sudo tee -a /etc/hosts
Let's confirm with a curl to the vhost:
┌──(macc㉿kaliLab)-[~/htb]
└─$ curl fuzzing_fun.htb:53269
Output:
Welcome to fuzzing_fun.htb!
Your next starting point is in the godeep folder - but it might be on this vhost, it might not, who knows...
- This hints at the next step: we need to fuzz vhosts to find the one that holds the godeep folder.
Use gobuster in vhost mode, which keeps the URL fixed and sends each wordlist entry in the Host header (--append-domain turns each entry into entry.fuzzing_fun.htb):
┌──(macc㉿kaliLab)-[~/htb]
└─$ gobuster vhost -u http://fuzzing_fun.htb:53269 -w ~/SecLists/Discovery/Web-Content/common.txt --append-domain
Output:
hidden.fuzzing_fun.htb:53269 Status: 200 [Size: 45]
- This is the only name whose response differs from the default vhost (a 200 with a 45-byte body), so this must be it.
Add the discovered vhost to /etc/hosts as well, again without the port:
┌──(macc㉿kaliLab)-[~/htb]
└─$ echo "94.237.55.38 hidden.fuzzing_fun.htb" | sudo tee -a /etc/hosts
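The two fuzzing steps above (filtering accessID values by response size, and discovering a vhost by varying only the Host header) both come down to one idea: learn what the "nothing here" response looks like, then report whatever breaks that baseline. The following is an added example, not part of the original write-up and not ffuf or gobuster code. It stands up a small local server that imitates the target's behaviour and runs both fuzzes against it, so it works offline; the hidden vhost name, the accepted accessID value, the response strings and the wordlist are all constructed assumptions chosen to mirror the steps above, and nothing in it contacts 94.237.55.38.

```python
import http.server
import threading
import urllib.parse
import urllib.request
from collections import Counter

# Constructed stand-in for the write-up's target: the hidden vhost name, the
# accepted accessID value and the response texts are assumptions chosen to
# mirror the steps above. Nothing here contacts the real target.
SECRET_ACCESS_ID = "getaccess"
HIDDEN_VHOST = "hidden.fuzzing_fun.htb"
DEFAULT_WORDS = ["admin", "backup", "getaccess", "hidden", "index", "login", "test"]


class FakeTarget(http.server.BaseHTTPRequestHandler):
    """Minimal server with one name-based vhost and one parameter-checked page."""

    def log_message(self, *args):  # silence per-request logging
        pass

    def _reply(self, body, status=200):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # Name-based virtual hosting routes on the Host header, not on the IP;
        # a ":port" suffix is stripped before matching, as Apache/nginx do.
        host = self.headers.get("Host", "").split(":")[0]
        url = urllib.parse.urlsplit(self.path)
        if host == HIDDEN_VHOST:
            return self._reply("Welcome to the hidden vhost, godeep lives here\n")
        if url.path == "/admin/panel.php":
            access_id = urllib.parse.parse_qs(url.query).get("accessID", [None])[0]
            if access_id == SECRET_ACCESS_ID:
                return self._reply("Head on over to the fuzzing_fun.htb vhost!\n")
            return self._reply("Invalid parameter, please ensure accessID is set correctly\n")
        return self._reply("Welcome to the default vhost!\n")


def start_server():
    srv = http.server.HTTPServer(("127.0.0.1", 0), FakeTarget)  # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, host_header=None):
    """Return (status, body length). A caller-supplied Host header replaces the
    one urllib would derive from the URL, which is how vhost fuzzing works."""
    req = urllib.request.Request(url)
    if host_header:
        req.add_header("Host", host_header)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, len(resp.read())


def fuzz(words, request_for):
    """ffuf's -fs / gobuster's wildcard check made explicit: the most common
    (status, size) pair across the wordlist is the 'not found' baseline, and
    only the words whose response differs from it are reported."""
    results = {w: request_for(w) for w in words}
    baseline = Counter(results.values()).most_common(1)[0][0]
    return sorted(w for w, r in results.items() if r != baseline)


def fuzz_parameter(base_url, words):
    """'Fuzzing the parameter': each word becomes the accessID value."""
    return fuzz(words, lambda w: fetch(f"{base_url}/admin/panel.php?accessID={urllib.parse.quote(w)}"))


def fuzz_vhost(base_url, words, domain="fuzzing_fun.htb"):
    """'Vhost fuzzing': the URL never changes, only the Host header does
    (what gobuster vhost --append-domain sends)."""
    return fuzz(words, lambda w: fetch(base_url + "/", host_header=f"{w}.{domain}"))


def run_demo(words=DEFAULT_WORDS):
    srv = start_server()
    base_url = f"http://127.0.0.1:{srv.server_port}"
    try:
        return {"accessID": fuzz_parameter(base_url, words), "vhost": fuzz_vhost(base_url, words)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())  # {'accessID': ['getaccess'], 'vhost': ['hidden']}
```

Two things the example makes visible that the tool output hides. First, the vhost fuzz never touches DNS or /etc/hosts: the TCP connection always goes to the same IP and port, and the server picks the site purely from the Host header, which is why the hosts entries above carry no port and only matter once you want curl to fill that header in for you. Second, taking the baseline as the most common response (instead of a hand-measured -fs 58) breaks down if most of the wordlist hits something real, so on a live target check a couple of junk values first, as ffuf's -ac does.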
Fuzzing directories/files (again)
Now that we know the vhost that probably contains the godeep folder, let's request it directly:
┌──(macc㉿kaliLab)-[~/htb]
└─$ curl hidden.fuzzing_fun.htb:53269/godeep/
Keep going...
- It tells us to keep going, which suggests a deeper directory or file under /godeep/. Let's fuzz this path.
Use ffuf to fuzz for directories and files under /godeep/:
┌──(macc㉿kaliLab)-[~/htb]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://hidden.fuzzing_fun.htb:53269/godeep/FUZZ
Output:
.htaccess [Status: 403, Size: 290, Words: 20, Lines: 10, Duration: 3868ms]
.hta [Status: 403, Size: 290, Words: 20, Lines: 10, Duration: 4872ms]
.htpasswd [Status: 403, Size: 290, Words: 20, Lines: 10, Duration: 4872ms]
index.php [Status: 200, Size: 13, Words: 2, Lines: 1, Duration: 77ms]
stoneedge [Status: 301, Size: 352, Words: 20, Lines: 10, Duration: 77ms]
- The stoneedge directory looks interesting.
Let's curl it:
┌──(macc㉿kaliLab)-[~/htb]
└─$ curl hidden.fuzzing_fun.htb:53269/godeep/stoneedge/
Almost there...
Let's keep going by fuzzing for files inside /stoneedge/, this time with recursion enabled in case there are still deeper directories:
┌──(macc㉿kaliLab)-[~/htb]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt -ic -v -u http://hidden.fuzzing_fun.htb:53269/godeep/stoneedge/FUZZ -e .html -recursion
Output:
...
[Status: 301, Size: 360, Words: 20, Lines: 10, Duration: 78ms]
| URL | http://hidden.fuzzing_fun.htb:53269/godeep/stoneedge/bbclone
| --> | http://hidden.fuzzing_fun.htb:53269/godeep/stoneedge/bbclone/
* FUZZ: bbclone
[INFO] Adding a new job to the queue: http://hidden.fuzzing_fun.htb:53269/godeep/stoneedge/bbclone/FUZZ
...
[Status: 301, Size: 366, Words: 20, Lines: 10, Duration: 77ms]
| URL | http://hidden.fuzzing_fun.htb:53269/godeep/stoneedge/bbclone/typo3
| --> | http://hidden.fuzzing_fun.htb:53269/godeep/stoneedge/bbclone/typo3/
* FUZZ: typo3
[INFO] Adding a new job to the queue: http://hidden.fuzzing_fun.htb:53269/godeep/stoneedge/bbclone/typo3/FUZZ
...
[Status: 200, Size: 23, Words: 1, Lines: 1, Duration: 77ms]
| URL | http://hidden.fuzzing_fun.htb:53269/godeep/stoneedge/bbclone/typo3/index.php
* FUZZ: index.php
- Two deeper directories are present: bbclone/ and bbclone/typo3/, which ffuf's recursion queued and fuzzed for us.
- The rest of the hits are the usual dotfiles (.hta, .htaccess, .htpasswd) returning 403.
- The only readable file we found is index.php under the typo3/ directory.
Let's request that index.php with curl:
┌──(macc㉿kaliLab)-[~/htb]
└─$ curl hidden.fuzzing_fun.htb:53269/godeep/stoneedge/bbclone/typo3/index.php
HTB{w3b_fuzz1ng_sk1lls}
- There we go!
Flag: HTB{w3b_fuzz1ng_sk1lls}