To complete this Skills Assessment, you will need to apply the multitude of tools and techniques showcased throughout this module. All fuzzing can be completed using the common.txt SecLists Wordlist, found at /usr/share/seclists/Discovery/Web-Content on Pwnbox, or via the SecLists GitHub.
Within the "webfuzzing_hidden_path" path on the target system (i.e. http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag.
flag [Status: 301, Size: 0, Words: 1, Lines: 1]
index.html [Status: 200, Size: 104, Words: 6, Lines: 2]
http://94.237.50.242:45270/webfuzzing_hidden_path/flag/flag.html
Recursively fuzz the "recursive_fuzz" path on the target system (i.e. http://IP:PORT/recursive_fuzz/) to find the flag.
level1 [Status: 301, Size: 0, Words: 1, Lines: 1]
[INFO] Adding a new job to the queue: http://94.237.62.184:59887/recursive_fuzz/level1/FUZZ
level2 [Status: 301, Size: 0, Words: 1, Lines: 1]
[INFO] Adding a new job to the queue: http://94.237.62.184:59887/recursive_fuzz/level1/level2/FUZZ
level3 [Status: 301, Size: 0, Words: 1, Lines: 1]
[INFO] Adding a new job to the queue: http://94.237.62.184:59887/recursive_fuzz/level1/level2/level3/FUZZ
threatcon_level2 [Status: 301, Size: 0, Words: 1, Lines: 1]
[INFO] Adding a new job to the queue: http://94.237.62.184:59887/recursive_fuzz/level1/level2/level3/threatcon_level2/FUZZ
http://94.237.62.184:59887/recursive_fuzz/level1/level2/level3/threatcon_level2/
What flag do you find when successfully fuzzing the GET parameter?
OA_HTML [Status: 200, Size: 25, Words: 1, Lines: 2]
http://94.237.50.242:56466/get.php?x=OA_HTML
What flag do you find when successfully fuzzing the POST parameter?
SUNWmc [Status: 200, Size: 26, Words: 1, Lines: 2]
Using GoBuster against the target system to fuzz for vhosts using the common.txt wordlist, which vhost starts with the prefix "web-"? Respond with the full vhost, e.g. web-123.inlanefreight.htb.
Using GoBuster against inlanefreight.com to fuzz for subdomains using the subdomains-top1million-5000.txt wordlist, which subdomain starts with the prefix "su"? Respond with the full vhost, e.g. web.inlanefreight.com.
Fuzz the target system using directory-list-2.3-medium.txt, looking for a hidden directory. Once you have found the hidden directory, responsibly determine the validity of the vulnerability by analyzing the tar.gz file in the directory. Answer using the full Content-Length header, e.g. "Content-Length: 1337".
backup [Status: 301, Size: 0, Words: 1, Lines: 1]
-SNIP-
http://94.237.50.242:46015/ur-hiddenmember/
HTTP/1.1 200 OK
Content-Type: application/x-gtar-compressed
ETag: "1668958902"
Last-Modified: Thu, 01 Aug 2024 13:38:21 GMT
Content-Length: 210
Accept-Ranges: bytes
Date: Mon, 30 Dec 2024 23:58:51 GMT
Server: lighttpd/1.4.76
Content-Length: 210
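The header-only check the last task asks for, as an added example that is not part of the original write-up: a HEAD request returns the Content-Length of an exposed archive without transferring its contents. The local server, the path /hidden-dir/backup.tar.gz and the 210-byte body are constructed stand-ins so the block runs offline.

```python
import http.client
import http.server
import threading

# Constructed stand-ins: a placeholder path and a 210-byte body, the size the
# page reports. Neither is the lab's real path or archive.
ARCHIVE_PATH = "/hidden-dir/backup.tar.gz"
ARCHIVE_BODY = b"\x1f\x8b" + b"\x00" * 208

class ArchiveHandler(http.server.BaseHTTPRequestHandler):
    """Local server so the example runs offline."""

    def _send_headers(self):
        found = self.path == ARCHIVE_PATH
        self.send_response(200 if found else 404)
        self.send_header("Content-Length", str(len(ARCHIVE_BODY) if found else 0))
        self.end_headers()
        return found

    def do_HEAD(self):
        self._send_headers()  # headers only, never the body

    def do_GET(self):
        if self._send_headers():
            self.wfile.write(ARCHIVE_BODY)

    def log_message(self, *args):
        pass  # keep the demo quiet

def head_content_length(host, port, path):
    """HEAD the path; return (status, Content-Length value, body bytes received)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Content-Length"), len(resp.read())
    finally:
        conn.close()

def demo(path=ARCHIVE_PATH):
    server = http.server.HTTPServer(("127.0.0.1", 0), ArchiveHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return head_content_length("127.0.0.1", server.server_port, path)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```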