Skills Assessment - Web Fuzzing

You are given an online academy's IP address but have no further information about their website. As the first step of conducting a Penetration Test, you are expected to locate all pages and domains linked to their IP to enumerate the IP and domains properly.

Finally, you should do some fuzzing on pages you identify to see if any of them has any parameters that can be interacted with. If you do find active parameters, see if you can retrieve any data from them.

Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)

╭─ /home/h4shdumb ······················································································································ ✔ │ root@kali │ 12:19:10 ─╮
╰─ ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:54501 -H 'Host: FUZZ.academy.htb' -fs 985         ─╯

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://academy.htb:54501
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.academy.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 985
________________________________________________

xxxxxxx                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 15ms]
xxxxxxx                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 16ms]
xxxx                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3441ms]
:: Progress: [4989/4989] :: Job [1/1] :: 2325 req/sec :: Duration: [0:00:05] :: Errors: 0 ::

Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?

Add previous sub-domains on /etc/hosts and enumerate all of them.

╭─ /home/h4shdumb ······················································································································ ✔ │ root@kali │ 12:24:56 ─╮
╰─ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://xxxxxxx.academy.htb:54501/indexFUZZ                                ─╯

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://xxxxxxx.academy.htb:54501/indexFUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.xxxx                   [Status: 403, Size: 287, Words: 20, Lines: 10, Duration: 15ms]
.xxx                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3321ms]
:: Progress: [43/43] :: Job [1/1] :: 9 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

╭─ /home/h4shdumb ················································································································· ✔ │ 4s │ root@kali │ 12:25:17 ─╮
╰─ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://xxxxxxx.academy.htb:54501/indexFUZZ                                ─╯

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://xxxxxxx.academy.htb:54501/indexFUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.xxxx                   [Status: 403, Size: 287, Words: 20, Lines: 10, Duration: 15ms]
.xxx                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2089ms]
.xxxx                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4097ms]
:: Progress: [43/43] :: Job [1/1] :: 10 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

╭─ /home/h4shdumb ················································································································· ✔ │ 4s │ root@kali │ 12:26:11 ─╮
╰─ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://xxxx.academy.htb:54501/indexFUZZ                                   ─╯

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://xxxx.academy.htb:54501/indexFUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.xxxx                   [Status: 403, Size: 284, Words: 20, Lines: 10, Duration: 17ms]
.xxx                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 252ms]
:: Progress: [43/43] :: Job [1/1] :: 19 req/sec :: Duration: [0:00:02] :: Errors: 0 ::

One of the pages you will identify should say 'You don't have access!'. What is the full page URL?

╭─ /home/h4shdumb ·················································································································································································· ✔ │ 5s │ root@kali │ 12:47:24 ─╮
╰─ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://xxxxxxx.academy.htb:54501/FUZZ -recursion -recursion-depth 1 -e .xxx,.xxxx,.xxxx-fc 403 -fs 0 -v                         ─╯

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://xxxxxxx.academy.htb:54501/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Extensions       : .xxx .xxxx .xxxx 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 0
 :: Filter           : Response status: 403
________________________________________________

[Status: 301, Size: 337, Words: 20, Lines: 10, Duration: 17ms]
| URL | http://xxxxxxx.academy.htb:54501/xxxxxxx
| --> | http://xxxxxxx.academy.htb:54501/xxxxxxx/
    * FUZZ: xxxxxxx

[INFO] Adding a new job to the queue: http://xxxxxxx.academy.htb:54501/xxxxxxx/FUZZ

[INFO] Starting queued job on target: http://xxxxxxx.academy.htb:54501/xxxxxxx/FUZZ

[Status: 200, Size: 774, Words: 223, Lines: 53, Duration: 18ms]
| URL | http://faculty.academy.htb:54501/xxxxxxx/xxxxx-xxxxxxxx.xxxx
    * FUZZ: xxxxx-xxxxxxxx.xxxx

In your response, replace your port number by "PORT" in the URL.

i.e : http://academy.htb:54501/index.html --> http://academy.htb:PORT/index.html

In the page from the previous question, you should be able to find multiple parameters that are accepted by the page. What are they?

╭─ /home/h4shdumb ················································································································································································ ✔ │ root@kali │ 13:08:44 ─╮
╰─ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://xxxxxxx.academy.htb:54501/xxxxxxx/xxxxx-xxxxxxxx.xxxx -X POST -d 'FUZZ=key' -H  'Content-Type: application/x-www-form-urlencoded' -fs 774

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://xxxxxxx.academy.htb:54501/xxxxxx/xxxxx-xxxxxxxx.xxxx
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : FUZZ=key
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 774
________________________________________________

xxxx                    [Status: 200, Size: 780, Words: 223, Lines: 53, Duration: 16ms]
xxxxxxxx                [Status: 200, Size: 781, Words: 223, Lines: 53, Duration: 16ms]

Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?

╭─ /home/h4shdumb/Bureau/Academy ··································································································································································· ✔ │ 3s │ root@kali │ 13:28:24 ─╮
╰─ ffuf -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt:FUZZ -u http://xxxxxxx.academy.htb:54501/xxxxxxx/xxxxx-xxxxxxxx.xxxx-X POST -d 'xxxxxxxx=FUZZ' -H  'Content-Type: application/x-www-form-urlencoded' -fs 781

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : POST
 :: URL              : http://xxxxxxx.academy.htb:54501/xxxxxxx/xxxxx-xxxxxxxx.xxxx
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt
 :: Header           : Content-Type: application/x-www-form-urlencoded
 :: Data             : xxxxxxxx=FUZZ
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 781
________________________________________________

hxxxx                   [Status: 200, Size: 773, Words: 218, Lines: 53, Duration: 16ms]
Hxxxx                   [Status: 200, Size: 773, Words: 218, Lines: 53, Duration: 16ms]
Hxxxx                   [Status: 200, Size: 773, Words: 218, Lines: 53, Duration: 17ms]

╭─ /home/h4shdumb ··········· ✔ │ root@kali │ 13:24:49 ─╮
╰─ curl http://xxxxxxx.academy.htb:54501/xxxxxxx/xxxxx-xxxxxxxx.xxxx -X POST -d 'xxxxxxxx=hxxxx' -H 'Content-Type: application/x-www-form-urlencoded'
<div class='center'><p>HTB{xxx_xxxxxxx_xxxxxx}</p></div>
<html>
<!DOCTYPE html>

<head>
  <title>HTB Academy</title>
  <style>
    *,
    html {
      margin: 0;
      padding: 0;
      border: 0;
    }

    html {
      width: 100%;
      height: 100%;
    }

    body {
      width: 100%;
      height: 100%;
      position: relative;
      background-color: #151D2B;
    }

    .center {
      width: 100%;
      height: 50%;
      margin: 0;
      position: absolute;
      top: 50%;
      left: 50%;
      transform: translate(-50%, -50%);
      color: white;
      font-family: "Helvetica", Helvetica, sans-serif;
      text-align: center;
    }

    h1 {
      font-size: 144px;
    }

    p {
      font-size: 64px;
    }
  </style>
</head>

<body>
</body>

</html>

PreviousValue Fuzzing NextIntroduction

Last updated 2 months ago

╭─ /home/h4shdumb ·················································································································································································· ✔ │ 5s │ root@kali │ 12:47:24 ─╮ ╰─ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://xxxxxxx.academy.htb:54501/FUZZ -recursion -recursion-depth 1 -e .xxx,.xxxx,.xxxx-fc 403 -fs 0 -v ─╯ /'___\ /'___\ /'___\ /\ \__/ /\ \__/ __ __ /\ \__/ \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\ \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/ \ \_\ \ \_\ \ \____/ \ \_\ \/_/ \/_/ \/___/ \/_/ v2.1.0-dev ________________________________________________ :: Method : GET :: URL : http://xxxxxxx.academy.htb:54501/FUZZ :: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt :: Extensions : .xxx .xxxx .xxxx :: Follow redirects : false :: Calibration : false :: Timeout : 10 :: Threads : 40 :: Matcher : Response status: 200-299,301,302,307,401,403,405,500 :: Filter : Response size: 0 :: Filter : Response status: 403 ________________________________________________ [Status: 301, Size: 337, Words: 20, Lines: 10, Duration: 17ms] | URL | http://xxxxxxx.academy.htb:54501/xxxxxxx | --> | http://xxxxxxx.academy.htb:54501/xxxxxxx/ * FUZZ: xxxxxxx [INFO] Adding a new job to the queue: http://xxxxxxx.academy.htb:54501/xxxxxxx/FUZZ [INFO] Starting queued job on target: http://xxxxxxx.academy.htb:54501/xxxxxxx/FUZZ [Status: 200, Size: 774, Words: 223, Lines: 53, Duration: 18ms] | URL | http://faculty.academy.htb:54501/xxxxxxx/xxxxx-xxxxxxxx.xxxx * FUZZ: xxxxx-xxxxxxxx.xxxx