
JUSTUS KOECH_CS-SA07-24044

ASSIGNMENT: Attacking Web Applications with Ffuf

Overview

Ffuf (Fuzz Faster U Fool) is a fast web fuzzer written in Go. It lets penetration testers and
security researchers discover hidden files and directories, virtual hosts, sub-domains and
accepted request parameters by substituting every entry of a wordlist for a FUZZ keyword placed
anywhere in the request (path, host name, header or body), and it can recurse into directories it
finds. Ffuf does not find vulnerabilities by itself; it maps the content and inputs that later
tests are run against. Its speed and flexibility make it a common choice for CTF challenges and
for the first phase of a web assessment.

Step 1: Discovering Hidden Directories

To begin the challenge, we execute Ffuf with a wordlist of common directory names (the
dirbuster directory-list-2.3-small.txt list) and the target URL, with the FUZZ keyword in place
of the path segment. The command looks like this:

ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt:FUZZ -u http://83.136.249.227:50308/FUZZ


Based on the output, Ffuf discovers the following directories:

● /blog (Status: 301, Size: 322)


● /forum (Status: 301, Size: 323)

The directory we need to find in this step is /forum.

Step 2: Fuzzing the ‘/blog’ Directory

In the second step we fuzz the /blog directory to find all pages within it; one of them is
expected to contain a flag. We run Ffuf again with the same wordlist, this time with FUZZ placed
under /blog on the target http://83.136.249.227:50308/. Since the pages are PHP files, the scan
must also try the .php extension (Ffuf's -e .php option, used again later in this write-up);
otherwise home.php is never generated from the word home.

After the fuzzing process, Ffuf discovers the following page:

● /blog/home.php (Status: 200, Size: 1046, Words: 438, Lines: 58)


To find the flag, we navigate to the discovered page (note the target address differs from
Step 1): http://83.136.250.34:53339/blog/home.php. The flag is revealed on this page:

Flag: HTB{bru73_f0r_c0mm0n_p455w0rd5}

Step 3: Finding More Files/Directories

In the third step we continue the search for additional files and directories; one of them
provides another flag. Applying what was found in Step 1, we fuzz the second discovered
directory, /forum, the same way as /blog (again with the .php extension).

The resulting URL containing the second flag is:
http://83.136.249.227:50308/forum/flag.php
Flag: HTB{fuzz1n6_7h3_w3b!}
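
To make concrete what the scans in Steps 1 to 3 are doing, here is an added example (not code
from the write-up) of a minimal fuzzer in Python that applies the same rules ffuf applies with
-e and -recursion. It runs against a constructed in-memory site whose paths and response sizes
are assumptions chosen to resemble the findings above, so it needs no network access.

```python
"""Minimal directory/page fuzzer showing what the ffuf options used above do:
-e appends each extension to every word, -recursion re-queues a directory that
answers with a redirect, and -recursion-depth caps how far that goes.  Added
example, not code from the write-up: the site is a constructed in-memory
stand-in for the lab target (no network I/O), and its paths and sizes are
assumptions chosen to resemble the write-up's findings."""
from collections import deque

# Constructed fake target: path -> (status, response length).  Anything else 404s.
FAKE_SITE = {
    "/blog": (301, 322),
    "/forum": (301, 323),
    "/blog/home.php": (200, 1046),
    "/forum/flag.php": (200, 1090),
    "/forum/index.php": (200, 540),
}
NOT_FOUND = (404, 153)

# Small constructed wordlist standing in for directory-list-2.3-small.txt.
DEMO_WORDS = ["blog", "forum", "home", "flag", "index", "admin"]


def fetch(path):
    """Stand-in for the HTTP GET ffuf would send for each candidate."""
    return FAKE_SITE.get(path, NOT_FOUND)


def fuzz(words, extensions=("",), recursion_depth=0,
         matched=frozenset({200, 301, 302, 403})):
    """Return {path: (status, size)} for every candidate whose status is in
    `matched` (a subset of ffuf's default -mc codes).  Directory hits (bare
    word answering 301) are re-queued while depth is below recursion_depth."""
    hits = {}
    queue = deque([("", 0)])        # (directory prefix, depth of that prefix)
    while queue:
        base, depth = queue.popleft()
        for word in words:
            for ext in extensions:   # "" = the bare word; ".php" mimics -e .php
                path = f"{base}/{word}{ext}"
                status, size = fetch(path)
                if status not in matched:
                    continue
                hits[path] = (status, size)
                if ext == "" and status == 301 and depth < recursion_depth:
                    queue.append((path, depth + 1))
    return hits


if __name__ == "__main__":
    # Step 1 equivalent: directories only.
    print(fuzz(DEMO_WORDS))
    # Steps 2-3 equivalent: recurse one level and try the .php extension.
    for path, (status, size) in sorted(fuzz(DEMO_WORDS, ("", ".php"), 1).items()):
        print(f"{path:24} Status: {status}, Size: {size}")
```

Without the .php extension the word home produces only /blog/home, which 404s, which is why
Step 2 cannot find home.php from the directory wordlist alone. The same holds for real ffuf:
-e multiplies the request count by the number of extensions, and -recursion multiplies it again
for every directory found, so both are worth limiting (-recursion-depth) on large wordlists.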
Step 4: Discovering the Swag Shop Sub-Domain

In the final step of this section we perform sub-domain fuzzing against hackthebox.eu to
discover the address of the HackTheBox online Swag Shop. Sub-domain fuzzing puts the FUZZ
keyword in the host name, so each candidate is resolved through public DNS and only publicly
registered names can be found. We use Ffuf with a sub-domain wordlist (SecLists'
subdomains-top1million-5000.txt). The command as recorded is:

ffuf -w Downloads/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/ -c -ic -t 200

Here -c colourises the output, -ic ignores comment lines in the wordlist and -t 200 runs 200
threads. Note that the recorded command targets inlanefreight.com, the example domain used in
the module, rather than hackthebox.eu; to answer this step the same command must be run with
https://FUZZ.hackthebox.eu/. After scanning, Ffuf discovers the Swag Shop sub-domain (the
output is not preserved in this copy of the write-up).
Step 5: VHost Fuzzing

The first challenge requires a VHost fuzzing scan on the domain academy.htb to identify any
additional VHosts. Unlike sub-domain fuzzing, VHost fuzzing sends every request to the same IP
address and varies only the Host header (ffuf -H 'Host: FUZZ.academy.htb'), so it also finds
names that have no public DNS record. The ffuf command used here is not preserved in this copy
of the write-up; the equivalent scan is shown in the Skills Assessment section below.
Step 6: Parameter Fuzzing

In the second challenge we run a parameter fuzzing scan on a specific web page and determine
the parameter it accepts. The FUZZ keyword is placed in the parameter name of a GET query with
a dummy value of key, and -fs 798 filters out responses of the default size (what the page
returns when the parameter is ignored). Using ffuf, we execute the following command:

ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://admin.academy.htb:34138/admin/admin.php?FUZZ=key -fs 798

The wordlist in the recorded command is the web-extensions list; for parameter names the list
to use is SecLists' burp-parameter-names.txt, as in the Skills Assessment below. The scan output
lists user as the only input whose response differs from the default, so the accepted parameter
is user; key is only the placeholder value sent with each candidate name.
Step 7: Wordlist Creation and POST Request

For the third challenge we have to create a wordlist called ids.txt, identify the accepted value
through a fuzzing scan, and then use that value in a POST request with curl to retrieve the
flag:

1. Create the wordlist ids.txt with the candidate values, one per line.

2. Perform a fuzzing scan with ffuf to identify the accepted value for the id parameter,
sending the candidates in the POST body:

ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:40208/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'

Without a filter such as -fs on the default response size every candidate is reported; the hit
is the one whose response size differs from the rest.

3. Send the accepted value to the same URL with curl as a POST request (-X POST -d 'id=<value>'
with the same Content-Type header). The response contains the flag: HTB{p4r4m373r_fuzz1n6_15_k3y!}.

Skills Assessment — Web Fuzzing

Step 1: Sub-Domain/VHost Fuzzing

We are tasked with running a sub-domain/VHost fuzzing scan on academy.htb and identifying all
of its sub-domains. Because academy.htb is a lab-only name with no public DNS, this has to be
done as a VHost scan against the lab address with the candidate in the Host header. We employ
ffuf once again:

ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:52020/ -H 'Host: FUZZ.academy.htb' -ms 0

Note that -ms 0 matches only responses whose size is 0; the usual approach is -fs <size> with
the size of the default VHost's response, so that only names that answer differently are listed.
The scan output reveals three sub-domains: test.academy.htb, archive.academy.htb and
faculty.academy.htb.

Step 2: Extension Fuzzing

Before running the page fuzzing scan it is recommended to run an extension fuzzing scan to
identify which extensions the target serves. Probing index with each extension is a good choice
because an index page usually exists. We accomplish this with the following command:

ffuf -w /Downloads/web-extensions.txt:FUZZ -u http://94.237.55.114:47287/indexFUZZ

The hits in the next step end in .php7, so that is the extension this target uses.

Step 3: Page Fuzzing

One of the pages you will identify should say 'You don't have access!'. What is the full page
URL? We fuzz faculty.academy.htb with the directory wordlist, an extension and one level of
recursion (-v prints full URLs, -t 80 uses 80 threads):

ffuf -w Downloads/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:47287/FUZZ -recursion -recursion-depth 1 -e .php -v -t 80

Note that the recorded command appends .php, whereas the hits below carry the .php7 extension
identified in Step 2; the scan that produced them must have used -e .php7. The scan returns:

index.php7
courses
linux-security.php7

The page with the 'You don't have access!' message is:

http://faculty.academy.htb:52050/courses/linux-security.php7

Step 4: Parameter Identification

Next we identify the parameters accepted by the page found in the previous step. We fuzz the
parameter name in the POST body with SecLists' burp-parameter-names.txt (the path depends on
where SecLists is installed; on the HTB Pwnbox it is
/opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt) and filter the default
response size with -fs 774:

ffuf -w Downloads/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:56050/courses/linux-security.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs 774

The scan output reveals two parameters: user and username.


Step 5: Value Fuzzing

Next we fuzz the identified parameters with candidate values to retrieve the flag. The username
parameter is fuzzed with SecLists' xato-net-10-million-usernames.txt; -fs 781 filters the
response returned for a rejected username, so only the accepted value is reported:

ffuf -w Downloads/xato-net-10-million-usernames.txt:FUZZ -u http://faculty.academy.htb:56050/courses/linux-security.php7 -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs 781

The response for the accepted username contains the flag: HTB{w3b_fuzz1n6_m4573r}.

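Every parameter scan in this write-up (Step 6, Step 7 and Steps 4 and 5 of the Skills
Assessment) depends on the right -fs value, and that value differs per target (798, 774, 781
above). The following added example, not code from the write-up, shows how to derive it from
ffuf's own JSON output and how to build the ids.txt wordlist of Step 7 in Python. The ffuf output
is a constructed sample in the shape of `ffuf -o out.json -of json`, and the 1..1000 range for
ids.txt is an assumption, since the exercise text does not state which values it expects.

```python
"""Choose the -fs baseline for a parameter-fuzzing run and build the ids.txt
wordlist.  Added example, not code from the write-up: the ffuf output below is
a constructed sample in the shape of `ffuf -o out.json -of json` (only the
fields used here are shown), and the 1..1000 range for ids.txt is an
assumption, since the exercise text does not say which values it expects."""
import json
from collections import Counter

# Constructed ffuf JSON output for a POST parameter-name scan (FUZZ=key).
SAMPLE_FFUF_JSON = json.dumps({
    "results": [
        {"input": {"FUZZ": "id"},       "status": 200, "length": 774},
        {"input": {"FUZZ": "page"},     "status": 200, "length": 774},
        {"input": {"FUZZ": "user"},     "status": 200, "length": 781},
        {"input": {"FUZZ": "username"}, "status": 200, "length": 781},
        {"input": {"FUZZ": "token"},    "status": 200, "length": 774},
    ]
})


def baseline_size(results):
    """Return the response length shared by most results.  That is the page
    served when the parameter is ignored, i.e. the value to pass to ffuf -fs."""
    sizes = Counter(r["length"] for r in results)
    size, count = sizes.most_common(1)[0]
    if count < 2:
        # No repeated size means there is no recognisable 'ignored' response;
        # a size filter would hide real hits, so refuse to pick one.
        raise ValueError("no dominant response size; do not filter on size")
    return size


def interesting(results, baseline):
    """Emulate -fs <baseline>: keep the FUZZ inputs whose response differs."""
    return [r["input"]["FUZZ"] for r in results if r["length"] != baseline]


def analyse(ffuf_json_text):
    """Parse ffuf JSON output and return (baseline, candidate inputs)."""
    results = json.loads(ffuf_json_text)["results"]
    base = baseline_size(results)
    return base, interesting(results, base)


def ids_wordlist(start=1, stop=1000):
    """Candidate values for the id parameter (assumed numeric range)."""
    return [str(i) for i in range(start, stop + 1)]


def write_ids_wordlist(path="ids.txt", start=1, stop=1000):
    """Write ids.txt, one value per line as ffuf -w expects; return the count."""
    ids = ids_wordlist(start, stop)
    with open(path, "w") as fh:
        fh.write("\n".join(ids) + "\n")
    return len(ids)


if __name__ == "__main__":
    base, hits = analyse(SAMPLE_FFUF_JSON)
    print(f"baseline {base} -> rerun with -fs {base}; candidates: {hits}")
    print(f"wrote {write_ids_wordlist()} ids to ids.txt")
```

In practice the first unfiltered run is done with a handful of words, its dominant length is
read off (or ffuf's -ac option is used to auto-calibrate the filter), and the full wordlist is
then run with -fs set to that length. Size is not always the right signal: when the rejection
page reflects the submitted value, its length varies with every candidate and the baseline
disappears, in which case filtering on word count (-fw), line count (-fl) or a regex on the
body (-fr) is more reliable.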
Shareable link: https://academy.hackthebox.com/achievement/327320/54

Conclusion

In this write-up we worked through the web fuzzing challenges of the HTB Academy module. We
performed directory, page and extension fuzzing, sub-domain and VHost fuzzing, parameter and
value fuzzing, and wordlist creation, and used ffuf's size filter to separate real hits from the
default response. By following these steps and leveraging ffuf we obtained all the flags. Web
fuzzing is a foundational skill in web application testing: it enumerates the hidden content,
hosts and inputs that later vulnerability testing is run against.
