FFUF (Attacking web application with FUFF) — Academy Hackthebox

This post is my first walktrough documenting Hackthebox module, please be indulgent.

What is FUFF ?

In the cyber security world “FUZZING” reffer as “ an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program.”

It can be used for different scenario, for this module we will focus on $URL

FUFF or Fuzz Faster U Fool, when given a $URL and $DICTIONARY, the a tool written in GO, will randomly append words from the dictionary. Why is this helpful ?

Well, let’s say you have an $URL:

https//cwkv_hawk.com = $URL

But this is the only information given by the compagny for you to perform a penetration test. While this could be enough to reveal critical exploits on the main url, in most cases you will be forced to work around the main entrance.

This is where fuzzing enter the chat, giving a $DICTIONNARY (From Github or custom created). Our Tool will try $URL+$DICTIONNARY, in order to generate, working url from this domain without knowning them.

Let’s FUZZ the box

Now, let’s switch from theory to practice, to really understand what your tool really do, let’s start hacking your box.

1 — Directory Fuzzing

Looking at the documentation provided by Hackthebox, it looks like, they want us to perform a Directory Fuzzing, so let’s open the terminal.

First open the generated $IP in your browser, nothing here, looks empty. This is why, this page is very unlikely to be the source of any exploits, let’s try to dig deeper. (make sure to load the page from your browser, in order to map the server DNS on your machine)

As mentioned before, when fuzzing we need to provide at least two input, first the url to fuzz & a dictionary list containing random or common directory list.

I this case, I will use the same list as Hackthebox used, which is Seclist directory-list-2.3-small.txt, if you don’t know where to find it, here is my little trick.

Once you have both, now let’s decide which part of the url we are FUZZING. In this case we are looking for $DIRECTORY, this means we are searching to know directories that exist on our domain.

$URL/$DIRECTORY/

Simple, after our $IP and the $PORT we will tell our tool, this is the place where random words from the list should be placed. Then hit enter, this process could take a while, this really depends on your internet connexion and computer computing power. If you don’t really know what you are doing, don’t try increasing the threats, as this could results in a DDOS attack.

Target spotted! Ready to engage

2 — Page Fuzzing

We have our directory, next step is to understand in which language files in our new directory are written in (php, html, aspx, js), this could be helpful for couples of reasons :

1- Reduce FUZZING time by specifying the extension we are looking for,

2 Based on the files found in that directory, we will craft the best exploit strategy.

This is simple, we have two target, and we know how to tell our tool how to FUZZ for a specific input. The only thing we would change this time is our DICTIONNARY, because we are not fuzzing for directories anymore !

Let’s us try with the blog directory and we will be looking for a file called “index” present in most directory since it is the skeleton of a webpage.

Map the DNS if you are using a new box, Press enter, Target Hit !

Now that we have, the extension, let us append it directly in the url or by using it’s options -e .php

let’s try to run a directory scan, inside our blog directory, once again change the wordlist, and FUZZ for random file with php extension.

Once again, it’s an Ace, we got our hits, now if we visit

• $IP:$PORT/blog/index.php = nothing
• $IP:$PORT/blog/home.php = we have our flag

3 — Recursive Fuzzing

This is really a helpful options, in the previous steps, did you noticed how we switched back and forth between directory fuzzing and extensions ?

Now imagine if there where, 30 or more directories for a given url, this would take a while. This is where recursive fuzzing enter the chat.

This options, enable us to tell FFUF : If you find any directory please enter the directory and look for it’s content. This is customisable, as we can determine how many folders the tool will open during the operation.

For exemple if we start on the domain and fussing for any directory in $URL/FUZZ and set our recursion to open every folder found within 2 directories after the starting points, this will results in for exemple $URL/FUZZ/HIGH-HIGH/MOVIES if there is any directories after MOVIES, the tool will not open it.

Here is how we enable it

Where :

• -recursion = enable recursive fuzzing
• -recursion-depth $N = determine the number of directory to open within each directories
• -e $E = Select a specified extension indentified previously

When fuzzing for directory with recursive fuzzing enable, make sure to use the options -e $ in order to specify for extension

If you found this guide helpfull in anyway and want the second part of the box, please hit the thumbs up !

Follow me for more.