Skills Assessment - Web Fuzzing

1. Execute uma varredura de difusão de subdomínio/vhost em '*.academy.htb' para o IP mostrado acima. Quais são todos os subdomínios que você pode identificar? (Escreva apenas o nome do subdomínio)

sudo sh -c 'echo " 94.237.52.105 academy.htb " >> /etc/hosts'

$ ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:56405/ -H 'Host: FUZZ.academy.htb' -fs 985

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://academy.htb:56405/
 :: Wordlist         : FUZZ: /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.academy.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 985
________________________________________________

test                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8ms]
archive                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 8ms]
faculty                 [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 6ms]
:: Progress: [4997/4997] :: Job [1/1] :: 645 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

1. Antes de executar a varredura de difusão de página, você deve primeiro executar uma varredura de difusão de extensão. Quais são as diferentes extensões aceitas pelos domínios?

sudo sh -c 'echo " 94.237.52.105  academy.htb test.academy.htb archive.academy.htb faculty.academy.htb" >> /etc/hosts'

 ffuf -w /usr/share/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://faculty.academy.htb:56405/indexFUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0
________________________________________________

 :: Method           : GET
 :: URL              : http://faculty.academy.htb:56405/indexFUZZ
 :: Wordlist         : FUZZ: /usr/share/SecLists/Discovery/Web-Content/web-extensions.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.phps                   [Status: 403, Size: 287, Words: 20, Lines: 10, Duration: 3951ms]
.php7                   [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4959ms]
.php                    [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 4961ms]
:: Progress: [39/39] :: Job [1/1] :: 7 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

1. Uma das páginas que você identificar deverá dizer 'Você não tem acesso!'. Qual é o URL da página completa?

$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:56405/courses/FUZZ.php7

1. Tente confundir os parâmetros que você identificou para valores de trabalho. Um deles deverá retornar uma bandeira. Qual é o conteúdo da bandeira?

$ curl http://faculty.academy.htb:56405/courses/linux-security.php7 -X POST -d 'username=harry' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8'
<div class='center'><p>HTB{w3b_fuzz1n6_m4573r}</p></div>
<html>
<!DOCTYPE html>

<head>
  <title>HTB Academy</title>