HTB ACADEMY-Web Fuzzing WRITE UP
Preparation
- Basic information
- Attacking machine: VMware Workstation (Kali Linux)
- Target instance: 178.128.46.49:30893 / academy.htb
- Install wordlists, e.g. SecLists from GitHub. The wordlist files needed this time are:
| File | Purpose |
|---|---|
| /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt | web directories and pages |
| /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt | web extensions / suffixes |
| /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt | sub-domains |
| /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt | web request parameters |
| /opt/useful/SecLists/Usernames/xato-net-10-million-usernames.txt | usernames |
- Add the DNS entry to the local hosts file
sudo sh -c 'echo "178.128.46.49 academy.htb" >> /etc/hosts'
Question 1
Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)
I tested sub-domains and vhosts together: the sub-domain fuzzing scan errors out, while the vhost fuzzing scan yields three domain names.
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 985
Answer: test, archive, faculty (I forgot to take a screenshot of this step, TAT)
Then add these three domain names to the local DNS records in /etc/hosts:
sudo sh -c 'echo "178.128.46.49 test.academy.htb" >> /etc/hosts'
sudo sh -c 'echo "178.128.46.49 archive.academy.htb" >> /etc/hosts'
sudo sh -c 'echo "178.128.46.49 faculty.academy.htb" >> /etc/hosts'
Question 2
Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?
Extension fuzzing: since we don't know any directories or pages yet, start by fuzzing the extension of index on the sub-domains from the previous question.
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://faculty.academy.htb:30893/indexFUZZ
The other two domains, test and archive, only reported two of these three extensions (no .php7).
Answer: .php, .php7, .phps
Question 3
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
I went straight for the convenient recursive fuzzing scan. Good: faculty.academy.htb/courses looks promising, and ffuf has automatically queued the new recursive job, so everything is perfect. But it is painfully slow here!!! (a mere 170,000 requests took me at least an hour), and because my first run used the .php extension, it only turned up a useless index.php page, which is obviously not the answer we want (sad).
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://academy.htb/FUZZ -recursion -recursion-depth 1 -e .php -v
Next, run the .php7 extension, narrowing the scope to faculty.academy.htb so it runs a bit faster!!
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb/courses/FUZZ -recursion -recursion-depth 1 -e .php7 -v
Finally it spat out a result, so damn touching. Then open it in the browser to see what it looks like. Yes, this is the "You don't have access!" page the question refers to!
Answer: http://faculty.academy.htb:PORT/courses/linux-security.php7
Question 4
In the page from the previous question, you should be able to find multiple parameters that are accepted by the page. What are they?
Parameter fuzzing, testing the GET method first and filtering out the responses of the wrong size (774 here). Note that the target URL is given with -u; FUZZ is the placeholder for the parameter name and KEY is just a dummy value:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb/courses/linux-security.php7?FUZZ=KEY -fs 774
Meow? GET only has one parameter, user, but the question clearly asks for multiple parameters, so continue with the POST method, again filtering out responses of the wrong size (774 here). POST accepts two parameters:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb/courses/linux-security.php7 -X POST -d 'FUZZ=KEY' -H 'Content-Type: application/x-www-form-urlencoded' -fs 774
Answer: user, username
Question 5
Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?
In principle both should be tested, but POST has one more input than GET, the username parameter, so test that first, filtering out responses of the wrong size (781 here). (The port in this screenshot is different because the earlier scans took too long and I had to spawn a new target instance.) This time the value is what we fuzz, so FUZZ goes in the POST body:
ffuf -w /opt/useful/SecLists/Usernames/xato-net-10-million-usernames.txt:FUZZ -u http://faculty.academy.htb/courses/linux-security.php7 -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs 781
The value turns out to be harry. Since it is passed via POST, use curl to view the page content.
curl http://faculty.academy.htb/courses/linux-security.php7 -X POST -d 'username=harry' -H 'Content-Type: application/x-www-form-urlencoded'
Answer: HTB{w3b_fuzz1n6_m4573r}
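As an added example (neither ffuf's code nor anything from the HTB module), a minimal Python reimplementation of the request shapes used above, vhost fuzzing through the Host header and POST parameter-value fuzzing, with ffuf's -fs size filter, so it is clear where the FUZZ keyword has to land in each mode. `fake_send`, `VHOSTS` and the flag text are constructed stand-ins for the lab target so the script runs offline; `http_send` is the assumed real transport for a live target.

```python
import urllib.request
import urllib.error

FUZZ = "FUZZ"  # keyword replaced in URL, headers and body, as in ffuf

def http_send(method, url, headers, body):
    """Real transport: (status, body bytes); 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()

def fuzz(words, method, url, headers=None, body=None, filter_size=None, send=http_send):
    """Substitute each word for FUZZ and keep responses whose size differs
    from filter_size (the same idea as ffuf -fs). Returns (word, status, size)."""
    hits = []
    for word in words:
        sub = lambda s: s.replace(FUZZ, word)
        hdrs = {k: sub(v) for k, v in (headers or {}).items()}
        data = sub(body).encode() if body is not None else None
        status, resp = send(method, sub(url), hdrs, data)
        if filter_size is not None and len(resp) == filter_size:
            continue  # same size as the default page: treat as "not found"
        hits.append((word, status, len(resp)))
    return hits

# Constructed stand-in for the lab target so the example runs offline:
# three vhosts exist, everything else serves a 985-byte default page;
# the course page answers a 781-byte page unless username=harry is POSTed.
VHOSTS = {"test.academy.htb", "archive.academy.htb", "faculty.academy.htb"}

def fake_send(method, url, headers, body):
    if headers.get("Host") in VHOSTS:
        return 200, b"welcome to " + headers["Host"].encode()
    if method == "POST":
        return 200, (b"HTB{constructed_flag}" if body == b"username=harry" else b"x" * 781)
    return 200, b"y" * 985

def demo():
    vhosts = fuzz(["www", "test", "mail", "archive", "faculty"], "GET",
                  "http://academy.htb/", headers={"Host": "FUZZ.academy.htb"},
                  filter_size=985, send=fake_send)
    users = fuzz(["admin", "harry", "bob"], "POST",
                 "http://faculty.academy.htb/courses/linux-security.php7",
                 headers={"Content-Type": "application/x-www-form-urlencoded"},
                 body="username=FUZZ", filter_size=781, send=fake_send)
    return [h[0] for h in vhosts], [h[0] for h in users]
```

Calling `demo()` against the constructed target returns the three vhosts and the single working username; pass `send=http_send` (the default) and a real baseline size to use it against an actual host.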
