Attacking web applications with ffuf [Skill Assessment] Hack the Box Writeup

Jun Takemura · December 31, 2024

Skill Assessment

Question 1

Run a sub-domain/vhost fuzzing scan on ‘*.academy.htb’ for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)

I first tried plain sub-domain fuzzing, which makes ffuf resolve each candidate name through DNS:

ffuf -u http://FUZZ.academy.htb:38239 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt

This errored out on every request: academy.htb is a lab-only name that does not exist in public DNS, so nothing under it resolves. I added the base domain to the hosts file so the target is at least reachable by name:

echo "94.237.62.184 academy.htb" | sudo tee -a /etc/hosts

You can use this too:

sudo sh -c "echo '94.237.62.184 academy.htb' >> /etc/hosts"

But I found using tee -a is cleaner.

Then I switched to vhost fuzzing, which sends every request to the same host and varies only the Host header, so the candidate names never need to resolve. The -fs 985 filter drops responses of the size the default vhost returns (985 bytes here), leaving only hosts that answer differently:

ffuf -u http://academy.htb:38239 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H 'Host: FUZZ.academy.htb' -fs 985

The output:

test                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 26ms]
archive                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 23ms]
faculty                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 25ms]

Question 2

Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?

First I added the newly found sub-domains to the hosts file, all on one line:

echo "94.237.62.184 test.academy.htb archive.academy.htb faculty.academy.htb" | sudo tee -a /etc/hosts
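The two hosts-file steps above (the base domain, then every vhost the scan turns up) are easy to get wrong by hand: a duplicated name is silently ignored by the resolver, and a stray character from a copy/paste breaks the line. The following is an added example, not part of the original writeup, that reads the names ffuf prints in silent mode (`-s`, one hit per line) and appends a single deduplicated hosts line for them. The function name add_vhosts and the hosts-file path argument are my own choices; the IP and names are the ones from the assessment.

```bash
#!/usr/bin/env bash
# Added example (not from the original writeup): turn `ffuf -s` vhost hits
# into ONE hosts-file line, skipping names the file already maps and
# rejecting anything that is not a valid DNS label. The hosts-file path is
# a parameter so the function can be run against a scratch file first.
set -eu

# add_vhosts IP HOSTSFILE DOMAIN  < names-one-per-line
# Prints the line it appended, or nothing if every name was already present.
add_vhosts() {
  ip=$1; hosts=$2; domain=$3
  names=""
  while IFS= read -r sub; do
    sub=$(printf '%s' "$sub" | tr -d '[:space:]')   # drop CR/LF and padding
    [ -n "$sub" ] || continue
    # accept only RFC 1123 labels: letters, digits, hyphen, no edge hyphens
    case "$sub" in
      *[!A-Za-z0-9-]*|-*|*-) continue ;;
    esac
    fqdn="$sub.$domain"
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')     # literal dots for grep
    # skip names some earlier (non-comment) line already maps to any IP
    if grep -Eqi "^[^#]*[[:space:]]$esc([[:space:]]|$)" "$hosts"; then
      continue
    fi
    case " $names " in *" $fqdn "*) continue ;; esac  # dedupe within this run
    names="$names $fqdn"
  done
  [ -n "$names" ] || return 0
  line="$ip$names"
  printf '%s\n' "$line" >> "$hosts"
  printf '%s\n' "$line"
}

# Intended use, after the base domain is already in /etc/hosts (run as root,
# or point HOSTSFILE at a temp file and `sudo tee -a /etc/hosts` it afterwards):
#   ffuf -s -u http://academy.htb:38239 -w subdomains-top1million-110000.txt \
#        -H 'Host: FUZZ.academy.htb' -fs 985 \
#     | add_vhosts 94.237.62.184 /etc/hosts academy.htb
```

Running it a second time with the same hits appends nothing, so it is safe to re-run after every scan; names containing dots or other characters a wordlist might carry are dropped rather than written into the resolver's configuration.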

Extension fuzz against the index page, placing the FUZZ keyword directly after the file name:

ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt -u http://test.academy.htb:38239/indexFUZZ

Output:

.phps                   [Status: 403, Size: 284, Words: 20, Lines: 10, Duration: 3990ms]
.php                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3991ms]

I did the same for archive and faculty. archive's result was the same as test, but faculty also accepted .php7:

.phps                   [Status: 403, Size: 287, Words: 20, Lines: 10, Duration: 1373ms]
.php7                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2192ms]
.php                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 2191ms]

Question 3

One of the pages you will identify should say ‘You don’t have access!’. What is the full page URL?

Recursive directory fuzzing, keeping only responses whose body matches the target string. -mr takes a regex, and the backslash before the ! stops interactive bash from treating it as a history expansion (the backslash survives into the pattern, where it is a harmless escape). The -e list carries the extensions found in Question 2:

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://test.academy.htb:38239/FUZZ -mr "You don't have access\!" -recursion -recursion-depth 1 -e .php,.phps,.php7 -t 60

This found nothing on test.

Running the same scan against faculty.academy.htb found a courses directory, and the recursion into it turned up the matching page:

linux-security.php7     [Status: 200, Size: 774, Words: 223, Lines: 53, Duration: 23ms]

For the answer, replace the port number with the literal string PORT (the assessment expects http://faculty.academy.htb:PORT/courses/linux-security.php7).

Question 4

In the page from the previous question, you should be able to find multiple parameters that are accepted by the page. What are they?

GET parameter fuzzing, with -ac letting ffuf auto-calibrate its filter from a few random baseline requests instead of a hand-picked -fs value:

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u http://faculty.academy.htb:38239/courses/linux-security.php7?FUZZ=key -ac

This found user. That alone was not accepted as the answer, so I moved on to POST parameter fuzzing. Here the wordlist is bound to the FUZZ keyword explicitly with :FUZZ, and the Content-Type header is required or the server will not parse the body as form data:

ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:38239/courses/linux-security.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -ac

This found username.

Question 5

Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?

Value fuzzing for the POST parameter, using a list of first names as candidates:

ffuf -w /usr/share/seclists/Usernames/Names/names.txt -u http://faculty.academy.htb:38239/courses/linux-security.php7 -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -ac

Output:

harry                   [Status: 200, Size: 773, Words: 218, Lines: 53, Duration: 24ms]

Replaying the hit with curl to read the full response:

curl -X POST -d "username=harry" http://faculty.academy.htb:38239/courses/linux-security.php7

and the returned page contained the flag.
