This report summarizes the methodology and findings for the Hack The Box (HTB) Academy Web Fuzzing Skills Assessment. The assessment focuses on using ffuf (Fuzz Faster U Fool) to systematically discover hidden virtual hosts, directories, files and parameters, and to chain those discoveries into the request that exposes the flag.

1. Executive Summary
The objective of this assessment was to perform a comprehensive security analysis of a target web application using automated fuzzing techniques. By moving through progressive layers of discovery, from subdomains down to specific parameter values, multiple hidden endpoints were identified, eventually leading to the final flag.

2. Methodology & Tooling
The primary tool used was ffuf, supported by wordlists from the SecLists collection, specifically directory-list-2.3-small.txt, common.txt, and subdomains-top1million-5000.txt.

Key ffuf flags by phase:

  Phase           Technique                   Key ffuf flags
  Reconnaissance  VHost & subdomain fuzzing   -H 'Host: FUZZ.domain.htb', -fs <size of the default vhost response>
  Enumeration     Directory & file fuzzing    -u http://target/FUZZ, -e .php,.txt
  Expansion       Recursive fuzzing           -recursion, -recursion-depth 1
  Exploitation    Parameter & value fuzzing   -X POST, -d 'param=FUZZ', -fs <size of the baseline response>

In every phase the pattern is the same: run once, note the status code and size the server returns for a guaranteed miss, then filter that response out (-fs / -fc) so only the candidates the server treats differently remain.

3. Assessment Workflow & Findings

Step 1: Virtual Host (VHost) Discovery
Requests to the bare IP often return restricted or generic content (e.g. a 403 Forbidden or the default site), because the web server selects the application by the Host header. VHost fuzzing keeps the URL fixed and varies only that header to identify hidden sub-sites served from the same IP.
Command: ffuf -w subdomains-top1million-5000.txt -u http://TARGET_IP/ -H 'Host: FUZZ.academy.htb' -fs <default-size>
Here <default-size> is the body size the server returns for a Host value that cannot exist (ffuf prints the size of every response, so one unfiltered run reveals it). The flag recorded in the original notes, -ms 0, is a match-size filter that shows only 0-byte responses; it would hide every real vhost unless the server answered with an empty body, so -fs on the catch-all size is what this step needs.
Findings: Identified subdomains such as archive.academy.htb, faculty.academy.htb, and test.academy.htb. Each name has to be mapped to the target IP in /etc/hosts before it can be browsed or fuzzed by hostname.

Step 2: Extension & Directory Enumeration
Before searching for pages, an extension scan determined which file types the server processes, by keeping a known filename such as index fixed and fuzzing only the extension after it.
Key Discovery: The extensions .php and .phps were found to be active. A .phps handler, where the server has one enabled, returns syntax-highlighted PHP source instead of executing the file, which makes every source file reachable under that extension worth reading.
Recursive Fuzzing: Using -recursion (bounded with -recursion-depth 1 so the scan stays manageable) uncovered a multi-level directory structure, including /courses/linux-security.php7.

Step 3: Parameter Fuzzing
On the identified admin or panel pages, fuzzing was used to find hidden GET/POST parameters. The page returns the same body for every parameter name it ignores; that size (798 bytes here) is the baseline, so filtering it with -fs 798 leaves only the names the script actually reads.
Command: ffuf -w wordlist.txt -u 'http://academy.htb/<page>?FUZZ=key' -fs 798
(<page> stands for the panel page found in Step 2; wordlist.txt is a parameter-name list such as SecLists' burp-parameter-names.txt.)
Findings: Discovered the accepted parameters id and accessID.

Step 4: Value Fuzzing & Flag Retrieval
The final step involved brute-forcing the specific values for the identified parameters (e.g. finding the correct id number), this time filtering out the size of the "wrong value" response so that only the value the application accepts remains.
Action: Sent a POST request with the discovered value to retrieve the flag. Flag Format: HTB....

4. Remediation Recommendations
To mitigate the risks identified during this assessment, the following security controls should be implemented:
Once you identify an interesting directory (let's assume /admin), you might find that accessing it directly yields a 403 Forbidden or simply a blank page. You then need to find specific files inside that directory.
Scenario: Determine what file extensions are served in the /admin directory.
Command:
Only one fuzzing position is used here, the filename (FUZZ); the -e option takes care of the extension by appending each listed extension to every wordlist entry, so each name is requested bare and with .php, .html, .txt and .bak.
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt -u http://<TARGET_IP>/admin/FUZZ -e .php,.html,.txt,.bak
-e: Appends the extensions to each wordlist entry. Expect a lot of identical "not found" responses; filter them with -fc or -fs once you have seen what a miss looks like.

Alternatively, if you want to strictly fuzz the extension position:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt -u http://<TARGET_IP>/admin/indexFUZZ
Expected Outcome: You should find a valid file, such as admin.php, note.txt, or config.bak.
If the page accepts POST data (common for login forms or API endpoints), you need to send data in the body.
Command:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u http://<TARGET_IP>/admin/admin.php -X POST -d 'FUZZ=test' -H 'Content-Type: application/x-www-form-urlencoded'
-X POST: Specifies the request method.
-d: The request body, with FUZZ in the parameter-name position.
-H: The Content-Type header a form handler expects; without it many back ends never parse the body and every candidate looks identical.
Expected Outcome: You discover a parameter name (e.g., id, user, file) that changes the behavior of the page. As before, note the size of the response to an unknown name on the first run and add -fs <that size> so only the names that change the page are shown.
The same POST parameter fuzz with wfuzz (the -z file,... option loads the wordlist and -c colours the output):
wfuzz -c -z file,/usr/share/wordlists/param.txt -d "FUZZ=test" http://target.com/login.php
Before typing ffuf or gobuster, you must understand why HTB places such heavy emphasis on fuzzing.
Web fuzzing is the art of automated brute-forcing. Instead of guessing passwords, you are guessing:

  Files and directories: admin.php, backup.zip, .git/HEAD
  Parameters: ?id=1, ?debug=true, ?file=index
  Virtual hosts: admin.internal.htb, dev.target.com
  Values: ?user_id=1001 -> 1002

In the HTB ecosystem, the "Skills Assessment" is a purposefully vulnerable machine or web application. It combines multiple fuzzing techniques into a single narrative. You cannot pass it by running a single wordlist. You need a fuzzing workflow.
This is where beginners fail the HTB assessment. You found a page like http://target.htb/api.php. It returns a blank page. Now what?
Parameter Fuzzing: You need to guess the HTTP parameter the script expects.
ffuf -u 'http://target.htb/api.php?FUZZ=test' -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs 0
The flag -fs 0 filters out responses with a content size of 0 bytes, i.e. the blank page the script returns for every parameter it ignores, so only names it actually reads are printed. (The URL is quoted so the shell does not treat ? as a glob.)
If you find a parameter like debug or file, you can then fuzz its value. For example, ?file=FUZZ with a path-traversal wordlist to look for Local File Inclusion (LFI).
Virtual Host Fuzzing: The assessment may hide a second application on a different Virtual Host, reachable only when the Host header names it.
ffuf -u http://10.10.10.x/ -H "Host: FUZZ.target.htb" -w subdomains.txt -fs 5000
The value 5000 stands for the body size of the default vhost, which the server returns for any Host it does not know; run once without -fs to read it off, then filter it. If you get a different response for admin.target.htb, add it to your /etc/hosts file and browse to it. This new vhost is often the actual target of the assessment.
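The vhost and parameter fuzzing described here, and Steps 1 to 4 of the report earlier on this page, all reduce to one idea: probe a guaranteed miss to learn the baseline response, then keep only the candidates whose response differs. The Python below is an added example, not code from HTB Academy or the ffuf project: a miniature ffuf that runs the whole chain against a constructed in-process target. The vhost archive.target.htb, the page /admin/panel.php, the parameter accessID, the value 1337 and the tiny wordlists are all made up here; it shows what -fs / -fc do under the hood and why the baseline has to be re-measured at every step.

```python
"""Miniature ffuf-style fuzzer run against a constructed, in-process target.

Added example (not from the HTB module or the ffuf project). The toy target,
its hidden names and the wordlists are constructed so the workflow runs offline.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed secrets of the toy target: what the fuzzer has to discover.
HIDDEN_VHOST = "archive.target.htb"
HIDDEN_PAGE = "/admin/panel.php"
HIDDEN_PARAM = "accessID"
VALID_ID = "1337"


class Target(BaseHTTPRequestHandler):
    """Catch-all vhost returns the same 200 page for any Host; the hidden vhost has the panel."""

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        path, _, query = self.path.partition("?")
        params = urllib.parse.parse_qs(query)
        if host != HIDDEN_VHOST:
            self._reply(200, b"<html>default site, same body for every unknown Host</html>")
        elif path != HIDDEN_PAGE:
            self._reply(404, b"<html>not found</html>")
        elif HIDDEN_PARAM not in params:
            self._reply(200, b"<html>admin panel</html>")
        elif params[HIDDEN_PARAM] == [VALID_ID]:
            self._reply(200, b"<html>HTB{constructed_flag}</html>")
        else:
            self._reply(200, b"<html>admin panel: invalid id</html>")

    def log_message(self, *args):  # silence per-request logging
        pass


def start_target():
    """Serve the toy app on a random localhost port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def probe(url, host=None):
    """One request -> (status, body size). A 4xx/5xx is still a response, not an error."""
    req = urllib.request.Request(url, headers={"Host": host} if host else {})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, len(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, len(err.read())


def fuzz(request, words, miss="zzzdoesnotexist"):
    """ffuf's core idea: learn the (status, size) of a guaranteed miss, then keep only
    words whose response differs. That is -fs/-fc after reading the baseline off a first run."""
    baseline = request(miss)
    return [w for w in words if request(w) != baseline]


def run_assessment(base):
    """Steps 1-4 of the report: vhost -> file/extension -> parameter name -> value."""
    found = {}
    # Step 1: the URL never changes, only the Host header does.
    vhosts = fuzz(lambda w: probe(base + "/", host=f"{w}.target.htb"),
                  ["www", "dev", "archive", "test", "staging"])
    found["vhost"] = f"{vhosts[0]}.target.htb"
    # Step 2: names x extensions under /admin on the new vhost (what ffuf's -e expands to).
    names, exts = ["index", "login", "panel"], [".php", ".html", ".txt"]
    pages = fuzz(lambda w: probe(f"{base}/admin/{w}", host=found["vhost"]),
                 [n + e for n in names for e in exts])
    found["page"] = "/admin/" + pages[0]
    # Step 3: parameter names; the plain "admin panel" page is now the baseline to filter.
    params = fuzz(lambda w: probe(f"{base}{found['page']}?{w}=test", host=found["vhost"]),
                  ["id", "user", "debug", "accessID", "file"])
    found["param"] = params[0]
    # Step 4: values; the "invalid id" page is the baseline, so calibrate with a bad value.
    values = fuzz(lambda w: probe(f"{base}{found['page']}?{found['param']}={w}", host=found["vhost"]),
                  [str(i) for i in range(1300, 1400)], miss="0")
    found["value"] = values[0]
    return found


if __name__ == "__main__":
    server, base_url = start_target()
    print(run_assessment(base_url))
    server.shutdown()
```

Note that each step calibrates against its own miss: the 404 that marks an unknown file is not the 200 that marks an ignored parameter, and a static -fs value carried over from the previous step would either hide the hit or let everything through.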