Room Link: https://tryhackme.com/r/room/ffuf
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
HackiFy to install those tools. Repo: https://github.com/ZishanAdThandar/HackiFy
AttackBox.Start the Machine.ffuf -u http://MACHINE_IP/NORAJ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt:NORAJ, just replaced seclists location with /opt/wordlist/SecLists/ as HackiFy install it inside /opt/wordlist directory.What is the first file you found with a 200 status code? Answer favicon.ico
ffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt we can get some output.What text file did you find? Answer robots.txtffuf -u http://MACHINE_IP/indexFUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/web-extensions.txt , we can get output.What two file extensions were found for the index page? Answer php,phpsffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt and observe the output.What page has a size of 4840? Answer about.phpffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt. We will get some directories.How many directories are there? Answer 4
After applying the fc filter, how many results were returned? Answer 11. Got by observing output of command ffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403.After applying the mc filter, how many results were returned? Answer 6 . Got by observing output of command ffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -mc 200Which valuable file would have been hidden if you used -fc 403 instead of -fr? Answer wp-forum.phps. Got by observing output difference between -fc 403 command and command ffuf -u http://MACHINE_IP/FUZZ -w /opt/wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fr '/\..*'
Start Machine. Also read this section.What is the parameter you found? Answer id. Got it from output of ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?FUZZ=1' -c -w /opt/wordlist/SecLists/Discovery/Web-Content/burp-parameter-names.txt -fw 39.What is the highest valid id? Answer 14. Got it by running, for i in {0..255}; do echo $i; done | ffuf -u 'http://MACHINE_IP/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33.What is Dummy's password? Answer p@ssword. Got it with command ffuf -u http://MACHINE_IP/sqli-labs/Less-11/ -c -w /opt/wordlist/SecLists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded' .
Complete.
Complete.
ffuf -h.How do you save the output to a markdown file (ffuf.md)? Answer -of md -o ffuf.mdHow do you re-use a raw http request file? Answer -requestHow do you strip comments from a wordlist? Answer -icHow would you read a wordlist from STDIN? Answer -w -How do you print full URLs and redirect locations? Answer -vWhat option would you use to follow redirects? Answer -rHow do you enable colorized output? Answer -c
Complete and done.Author: Zishan Ahamed Thandar