# Sub-domain / Vhost Fuzzing
- First, update `/etc/hosts` ![[images/Pasted image 20251116193013.png]]
- Sub-domain fuzzing #1 ![[images/Pasted image 20251116193431.png]]
- Sub-domain fuzzing #2 with expanded wordlist ![[images/Pasted image 20251116194052.png]]
- Vhost fuzzing
- Whoa; too many results ![[images/Pasted image 20251116193706.png]]
- Filter out the default response size with `-fs 985` ![[images/Pasted image 20251116194255.png]]
- Update `/etc/hosts` ![[images/Pasted image 20251116194447.png]]
# Extension Fuzzing
- `admin` sub-domain ![[images/Pasted image 20251116195119.png]]
- `test` sub-domain ![[images/Pasted image 20251116195151.png]]
- `faculty` sub-domain ![[images/Pasted image 20251116195219.png]]
- `archive` sub-domain ![[images/Pasted image 20251116195225.png]]
# Page Fuzzing
- `admin` sub-domain ![[images/Pasted image 20251116195720.png]]
- `admin.academy.htb:33730/index.php` ![[images/Pasted image 20251116195515.png]]
- `test` sub-domain ![[images/Pasted image 20251116200029.png]]
- `test.academy.htb:33730/index.php`
- blank page ![[images/Pasted image 20251116195751.png]]
- `faculty` sub-domain with `.php` extension![[images/Pasted image 20251116200358.png]]
- `faculty.academy.htb:33730/index.php`
- blank page ![[images/Pasted image 20251116200133.png]]
- `faculty` sub-domain with `.php7` extension
- `faculty.academy.htb:33730/index.php7`
- blank page ![[images/Pasted image 20251116200821.png]]
- `archive` sub-domain ![[images/Pasted image 20251116200729.png]]
- `archive.academy.htb:33730/index.php`
- blank page ![[images/Pasted image 20251116200601.png]]
- fuzz `archive.academy.htb:PORT/index.php` with `-recursion -recursion-depth 1` (`-recursion-depth` does nothing without `-recursion`), or just put FUZZ one level deeper by hand ![[images/Pasted image 20251116201556.png]]![[images/Pasted image 20251116201610.png]]
- fuzz `faculty.academy.htb:PORT/index.php` with `-recursion -recursion-depth 1`, or just put FUZZ one level deeper ![[images/Pasted image 20251116202015.png]]![[images/Pasted image 20251116201657.png]]
- fuzz `faculty.academy.htb:PORT/index.php7` with `-recursion -recursion-depth 1`, or just put FUZZ one level deeper ![[images/Pasted image 20251116202345.png]]
- fuzz `test.academy.htb:PORT/index.php` with `-recursion -recursion-depth 1`, or just put FUZZ one level deeper
- This is a slog
- This waiting really sucks; maybe a bare-metal Kali setup would be faster, tbh![[images/Pasted image 20251116203114.png]]
- fuzz `admin.academy.htb:PORT/index.php` with `-recursion -recursion-depth 1`, or just put FUZZ one level deeper ![[images/Pasted image 20251116203530.png]]
- fuzz `faculty.academy.htb:33730/FUZZ` with `-recursion -recursion-depth 1 -e .php,.phps,.php7 -mr "You don't have access" -t 100` (extensions are comma-separated, no spaces) ![[images/Pasted image 20251116204222.png]]
- i.e. match on a regex instead of filtering on size, search several extensions in one run, and use more threads
- visit `faculty.academy.htb:33730/courses/linux-security.php7` ![[images/Pasted image 20251116204158.png]]
# Parameter Fuzzing
- Fuzz for GET parameter names on the page just found by appending `?FUZZ=key`; `-fs 774` drops the default response size ![[images/Pasted image 20251116204511.png]]
```bash
# GET parameter names: FUZZ is the parameter name, -fs 774 filters the default-size response
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:33730/courses/linux-security.php7?FUZZ=key -c -ic -fs 774
```
- Fuzz for POST parameter names with the same wordlist and size filter, sending `FUZZ=key` as a form body ![[images/Pasted image 20251116205156.png]]
```bash
# POST parameter names: same wordlist, FUZZ goes in the form body instead of the query string
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://faculty.academy.htb:33730/courses/linux-security.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -c -ic -fs 774
```
# Find the Parameter Value for the Flag
- Employ `/usr/share/seclists/Usernames/top-usernames-shortlist.txt` with `user=FUZZ`
- Nothing ![[images/Pasted image 20251116205251.png]]
- Employ `/usr/share/seclists/Usernames/top-usernames-shortlist.txt` with `username=FUZZ`
- All the same size, so none of the shortlist names hits ![[images/Pasted image 20251116205355.png]]
- Employ `/usr/share/seclists/Usernames/Names/names.txt` with `user=FUZZ` ![[images/Pasted image 20251116205559.png]]
- Employ `/usr/share/seclists/Usernames/Names/names.txt` with `username=FUZZ`
- We're getting somewhere! ![[images/Pasted image 20251116205631.png]]
- `curl` the flag ![[images/Pasted image 20251116205810.png]]
```bash
curl http://faculty.academy.htb:33730/courses/linux-security.php7 -X POST -d 'username=harry' -H 'Content-Type: application/x-www-form-urlencoded'
```
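The thing every step above depends on is telling one response apart from the default one: `-fs` filters the default size, `-ac` measures it for you, `-mr` matches on body text instead. The following is an added example (mine, not from these notes or from HTB) that runs that logic as a small ffuf-style loop against a constructed local stub, covering the vhost fuzzing, POST parameter-name fuzzing and parameter-value fuzzing steps in one place. The `academy.htb` hostnames, the `/courses/linux-security.php7` path, the `username=harry` hit and the flag text are placeholders taken from or modelled on the notes; nothing real is contacted.

```python
"""ffuf-style vhost / parameter / value fuzzing against a constructed stub.

Added example, not code from the notes or from HTB. The stub, its hostnames,
paths and flag are all placeholders; everything runs on 127.0.0.1.
"""
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs

# Constructed stub target: only these vhosts exist, only 'username' is read,
# and only one value for it returns the flag page. All sizes differ on purpose.
KNOWN_VHOSTS = {"admin", "test", "faculty", "archive"}
VALID_USER = "harry"
DEFAULT_BODY = b"<html><body>Welcome to the academy</body></html>"   # default vhost page
INVALID_BODY = b"<html><body>Invalid username</body></html>"
FLAG_BODY = b"<html><body>HTB{constructed_placeholder}</body></html>"


class Stub(BaseHTTPRequestHandler):
    def log_message(self, *args):            # keep the server quiet
        pass

    def _send(self, body):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):                        # vhost routing on the Host header only
        sub = self.headers.get("Host", "").split(":")[0].split(".")[0]
        if sub in KNOWN_VHOSTS:
            self._send(b"<html><body>%s portal. You don't have access</body></html>" % sub.encode())
        else:
            self._send(DEFAULT_BODY)

    def do_POST(self):                       # parameter-name and value handling
        length = int(self.headers.get("Content-Length", 0))
        params = parse_qs(self.rfile.read(length).decode())
        if "username" not in params:
            self._send(DEFAULT_BODY)         # unknown parameter: identical to no data
        elif params["username"][0] == VALID_USER:
            self._send(FLAG_BODY)
        else:
            self._send(INVALID_BODY)


def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), Stub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(addr, path, vhost=None, data=None):
    """GET, or POST a form body if data is given. vhost sets the Host header,
    which is what ffuf -H 'Host: FUZZ.academy.htb' does."""
    conn = HTTPConnection(*addr, timeout=5)
    headers = {"Host": vhost} if vhost else {}
    if data is not None:
        headers["Content-Type"] = "application/x-www-form-urlencoded"
        conn.request("POST", path, body=data.encode(), headers=headers)
    else:
        conn.request("GET", path, headers=headers)
    body = conn.getresponse().read()
    conn.close()
    return body


def calibrate(send):
    """ffuf -ac: size of the response to a value nobody would use, i.e. the default page."""
    return len(send("zzz-calibrate-zzz"))


def fuzz(words, send, filter_size=None, match_regex=None):
    """One request per word. Keep a word when its body matches match_regex (ffuf -mr)
    or, otherwise, when its size differs from filter_size (ffuf -fs).
    With neither set every word is a 'hit': the 'whoa, too many results' case."""
    hits = []
    for w in words:
        body = send(w)
        if match_regex is not None:
            if re.search(match_regex, body.decode(errors="replace")):
                hits.append((w, len(body)))
        elif len(body) != filter_size:
            hits.append((w, len(body)))
    return hits


def run_demo(addr):
    """Runs the three steps against the stub at addr; returns the three hit lists."""
    page = "/courses/linux-security.php7"
    vhost = lambda w: fetch(addr, "/", vhost=f"{w}.academy.htb")
    pname = lambda w: fetch(addr, page, data=f"{w}=key")         # POST FUZZ=key
    pval = lambda w: fetch(addr, page, data=f"username={w}")     # POST username=FUZZ
    vhosts = fuzz(["www", "admin", "mail", "test", "dev"], vhost, filter_size=calibrate(vhost))
    params = fuzz(["user", "id", "username", "page"], pname, filter_size=calibrate(pname))
    values = fuzz(["admin", "root", "harry", "john"], pval, filter_size=calibrate(pval))
    return vhosts, params, values


if __name__ == "__main__":
    srv = start_stub()
    addr = ("127.0.0.1", srv.server_port)
    print("vhosts, no filter:", fuzz(["www", "admin"], lambda w: fetch(addr, "/", vhost=f"{w}.academy.htb")))
    for name, hits in zip(("vhosts", "params", "values"), run_demo(addr)):
        print(name, hits)
    srv.shutdown()
```

Note how the parameter-name step and the value step calibrate against different baselines: a wrong parameter name gets the default page, a wrong value for the right name gets the "Invalid username" page, so a single fixed `-fs` would not work across both steps. That is exactly why the `username=FUZZ` run with the short list showed every response the same size and still counted as progress.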