In this walkthrough, we will go through the ffuf room from TryHackMe. In this room we learn to perform enumeration, fuzzing and directory brute-forcing using ffuf. So, let’s get started without any delay.
Task 1 – [Info] Introduction
Question 1 – I have ffuf installed
Done
Task 2 – [Walkthrough] Basics
Question 1 – What is the first file you found with a 200 status code?
ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/common.txt
favicon.ico
Task 3 – [Walkthrough] Finding pages and directories
Question 1 – What text file did you find?
ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt
robots.txt
Question 2 – What two file extensions were found for the index page?
ffuf -u http://10.10.142.190/indexFUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/web-extensions.txt
php,phps
Question 3 – What page has a size of 4840?
ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt
about.php
Question 4 – How many directories are there?
ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
4
Task 4 – [Walkthrough] Using filters
Question 1 – After applying the fc filter, how many results were returned?
ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403
11
Question 2 – After applying the mc filter, how many results were returned?
ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -mc 200
6
Question 3 – Which valuable file would have been hidden if you used -fc 403 instead of -fr?
ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fr '/\..*'
wp-forum.phps
Task 5 – [Walkthrough] Fuzzing parameters
Question 1 – What is the parameter you found?
ffuf -u 'http://10.10.252.121/sqli-labs/Less-1/?FUZZ=1' -c -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/burp-parameter-names.txt -fw 39
id
Question 2 – What is the highest valid id?
ruby -e '(0..255).each{|i| puts i}' | ffuf -u 'http://10.10.252.121/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33
14
Question 13 – What is Dummy’s password?
ffuf -u http://10.10.252.121/sqli-labs/Less-11/ -c -w ~/Desktop/Wordlist/SecLists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'
p@ssword
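The filters in Task 4 and Task 5 all work the same way: ffuf records the status code, byte size, word count and line count of every response (and can regex-match the body), and -fc/-fs/-fw/-fr drop results whose value matches while -mc keeps only those that do. The small model below is an added example, not part of the room or of ffuf itself; it reproduces those filter semantics over constructed responses so you can see why -fc 403 hides wp-forum.phps but a body regex like '/\..*' keeps it, and how the recurring word count of a "nothing changed" page becomes the -fw value used in Task 5. The sample bodies and paths are invented stand-ins, and the word/line counting is an assumption that approximates ffuf's (whitespace-separated tokens, newline count plus one).

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    """One fuzzed request/response pair, reduced to what ffuf's filters see."""
    path: str
    status: int
    body: bytes

    @property
    def size(self) -> int:
        return len(self.body)

    @property
    def words(self) -> int:
        # Assumption: whitespace-separated tokens, as ffuf's word count works
        return len(self.body.split())

    @property
    def lines(self) -> int:
        return self.body.count(b"\n") + 1


def forbidden(path: str) -> bytes:
    # Constructed stand-in for an Apache 403 page; the path appears in the body,
    # which is what the -fr '/\..*' regex in Task 4 matches on.
    return (f"<h1>Forbidden</h1><p>You don't have permission to access "
            f"{path} on this server.</p>").encode()


# Constructed results modelled on the Task 4 file scan (not a real capture)
SAMPLE = [
    Result("robots.txt", 200, b"User-agent: *\nDisallow: /admin\n"),
    Result("index.php", 200, b"<html><body>Welcome to the test site</body></html>"),
    Result(".htaccess", 403, forbidden("/.htaccess")),
    Result(".htpasswd", 403, forbidden("/.htpasswd")),
    Result("wp-forum.phps", 403, forbidden("/wp-forum.phps")),
]


def apply_filters(results, fc=(), mc=(), fs=(), fw=(), fr=None):
    """Simplified ffuf matcher/filter logic.

    fc/fs/fw: drop results whose status/size/words is in the set (-fc, -fs, -fw)
    mc:       keep only these status codes (-mc); empty means keep all
    fr:       drop results whose body matches the regex (-fr)
    Real ffuf also accepts ranges and has default matchers; this model does not.
    """
    kept = []
    for r in results:
        if r.status in fc or r.size in fs or r.words in fw:
            continue
        if mc and r.status not in mc:
            continue
        if fr and re.search(fr, r.body.decode("utf-8", errors="replace")):
            continue
        kept.append(r)
    return kept


def names(results):
    return [r.path for r in results]


def most_common_words(results) -> int:
    """The word count shared by most responses: the 'default page' value to pass to -fw."""
    return Counter(r.words for r in results).most_common(1)[0][0]


# Constructed parameter-fuzzing results in the style of Task 5: most names return
# the unchanged page, only the real parameter changes the body.
BASELINE = (b"<html><body><h1>Welcome to the SQLi lab</h1>"
            b"<p>Please supply the id parameter as numeric value</p></body></html>")
PARAM_SCAN = [
    Result("?user=1", 200, BASELINE),
    Result("?id=1", 200, BASELINE + b" Your login name: Dumb"),
    Result("?page=1", 200, BASELINE),
]


if __name__ == "__main__":
    print("-fc 403 keeps:", names(apply_filters(SAMPLE, fc={403})))
    print("-fr '/\\..*' keeps:", names(apply_filters(SAMPLE, fr=r"/\..*")))
    fw = most_common_words(PARAM_SCAN)
    print(f"-fw {fw} keeps:", names(apply_filters(PARAM_SCAN, fw={fw})))
```

Filtering on status alone throws away everything the server forbids, including files you care about; filtering on the body text that the noise responses have in common is more precise. The same baseline idea applies to -fs 1435 in the password question: the size that every failed login shares is the value to filter.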
Task 6 – [Walkthrough] Finding vhosts and subdomains
Task 7 – [Walkthrough] Proxifying ffuf traffic
Task 8 – [Questions] Reviewing the options
Question 1 – How do you save the output to a markdown file (ffuf.md)?
-of md ffuf.md
Question 2 – How do you re-use a raw http request file?
-request
Question 3 – How do you strip comments from a wordlist?
-ic
Question 4 – How would you read a wordlist from STDIN?
-w -
Question 5 – How do you print full URLs and redirect locations?
-v
Question 6 – What option would you use to follow redirects?
-r
Question 7 – How do you enable colorized output?
-c
Task 9 – [Info] About the author
So that was “ffuf” for you. We looked into the basics of ffuf and its usage. Next, we took a dive into the process of finding pages and directories. Then we looked into some filters, fuzzing and enumeration, and finding vhosts and subdomains. At last, we looked into proxifying ffuf traffic and some useful options. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.