Tryhackme - ffuf

In this walkthrough, we will go through the ffuf room from Tryhackme. In this room, we learn to perform enumeration, fuzzing and directory bruteforcing using ffuf. So, let's get started without any delay.

Task 1 – [Info] Introduction

Question 1 – I have ffuf installed

Done

Task 2 – [Walkthrough] Basics

Question 1 – What is the first file you found with a 200 status code?

ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/common.txt

favicon.ico

Task 3 – [Walkthrough] Finding pages and directories

Question 1 – What text file did you find?

ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt

robots.txt

Question 2 – What two file extensions were found for the index page?

ffuf -u http://10.10.142.190/indexFUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/web-extensions.txt

php,phps

Question 3 – What page has a size of 4840?

ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-words-lowercase.txt -e .php,.txt

about.php

Question 4 – How many directories are there?

ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-directories-lowercase.txt

4

Task 4 – [Walkthrough] Using filters

Question 1 – After applying the fc filter, how many results were returned?

ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fc 403

11

Question 2 – After applying the mc filter, how many results were returned?

ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -mc 200

6

Question 3 – Which valuable file would have been hidden if you used -fc 403 instead of -fr?

ffuf -u http://10.10.142.190/FUZZ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fr '/\..*'

wp-forum.phps
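
The difference between the last two questions is the whole point of Task 4: `-fc 403` throws away every 403, including `wp-forum.phps` (a source-view file worth having), while `-fr '/\..*'` only drops the responses whose body repeats a dotfile path such as `/.htaccess`, which is what an Apache-style 403 page does. The Python model below is added here as an example; it is not part of the room and not ffuf's code. It replays ffuf's matcher-then-filter rule (a result is printed only if a matcher accepts it and no filter rejects it) over a handful of constructed Apache-style responses. The file names and bodies are made up for the demo, and counting words on spaces, lines on newlines and applying the regex to the body only are simplifications of what ffuf does internally.

```python
"""ffuf-style matcher/filter evaluation on a few constructed responses.

Added example for this walkthrough, not ffuf's own code. It models the rule
ffuf applies by default: a response is printed only if a matcher (-mc, ...)
accepts it AND no filter (-fc/-fs/-fw/-fl/-fr) rejects it. Word/line counting
and the regex target (body only) are simplifications.
"""
import re
from dataclasses import dataclass

# ffuf's default status-code matcher (-mc 200-299,301,302,307,401,403,405,500)
DEFAULT_MC = set(range(200, 300)) | {301, 302, 307, 401, 403, 405, 500}


@dataclass
class Response:
    path: str
    status: int
    body: str

    @property
    def size(self):            # what -fs / -ms compare against
        return len(self.body.encode())

    @property
    def words(self):           # -fw / -mw (split on spaces, simplified)
        return len(self.body.split(" "))

    @property
    def lines(self):           # -fl / -ml (split on newlines, simplified)
        return len(self.body.split("\n"))


def shown(resp, mc=DEFAULT_MC, fc=(), fs=(), fw=(), fl=(), fr=None):
    """Would ffuf print this response under the given matcher/filter options?"""
    if resp.status not in mc:                        # matcher stage
        return False
    if resp.status in fc or resp.size in fs:         # filter stage
        return False
    if resp.words in fw or resp.lines in fl:
        return False
    if fr is not None and re.search(fr, resp.body):  # -fr on the body (simplified)
        return False
    return True


def run(responses, **options):
    """Paths that survive, in wordlist order, like ffuf's result listing."""
    return [r.path for r in responses if shown(r, **options)]


# Constructed sample responses shaped like the Apache pages seen in the room.
FORBIDDEN = ("<html><head><title>403 Forbidden</title></head><body>\n"
             "<h1>Forbidden</h1>\n<p>You don't have permission to access {path}\n"
             "on this server.</p>\n</body></html>\n")
NOT_FOUND = ("<html><head><title>404 Not Found</title></head><body>\n"
             "<h1>Not Found</h1>\n</body></html>\n")

RESPONSES = [
    Response("/robots.txt", 200, "User-agent: *\nDisallow: /admin/\n"),
    Response("/favicon.ico", 200, "icon-bytes-stand-in"),
    Response("/about.php", 200, "<html><body>about us</body></html>\n"),
    Response("/.htaccess", 403, FORBIDDEN.format(path="/.htaccess")),
    Response("/.htpasswd", 403, FORBIDDEN.format(path="/.htpasswd")),
    Response("/wp-forum.phps", 403, FORBIDDEN.format(path="/wp-forum.phps")),
    Response("/nothing", 404, NOT_FOUND),
]

if __name__ == "__main__":
    print("default       :", run(RESPONSES))
    print("-fc 403       :", run(RESPONSES, fc={403}))
    print("-mc 200       :", run(RESPONSES, mc={200}))
    print("-fr '/\\..*'   :", run(RESPONSES, fr=r"/\..*"))
    print("-fs <dotfile> :", run(RESPONSES, fs={RESPONSES[3].size}))
```

Run it and compare the lines: `-fc 403` and `-fr` both remove the dotfile noise, but only the regex keeps `wp-forum.phps`. The last line shows the other safe route, `-fs`: the dotfile 403s come from one template and so share one size, while `wp-forum.phps` has a different path length and survives. That size and word-count reasoning is exactly what the `-fw` and `-fs` values in Task 5 rely on.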

Task 5 – [Walkthrough] Fuzzing parameters

Question 1 – What is the parameter you found?

ffuf -u 'http://10.10.252.121/sqli-labs/Less-1/?FUZZ=1' -c -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/burp-parameter-names.txt -fw 39

id

Question 2 – What is the highest valid id?

ruby -e '(0..255).each{|i| puts i}' | ffuf -u 'http://10.10.252.121/sqli-labs/Less-1/?id=FUZZ' -c -w - -fw 33

14

Question 3 – What is Dummy's password?

ffuf -u http://10.10.252.121/sqli-labs/Less-11/ -c -w ~/Desktop/Wordlist/SecLists/Passwords/Leaked-Databases/hak5.txt -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -fs 1435 -H 'Content-Type: application/x-www-form-urlencoded'

p@ssword

Task 6 – [Walkthrough] Finding vhosts and subdomains
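
Tasks 5 and 6 come down to the same mechanic: ffuf substitutes the FUZZ keyword wherever it appears (the URL path, a header such as `Host: FUZZ.domain` for vhost discovery, or the `-d` POST body) and you drop the "nothing here" response by size or word count, or let `-ac` calibrate that baseline for you. The script below is an added example, not ffuf's code and not part of the room. It implements that loop with the standard library against a constructed target that it starts itself on localhost: the vhost name `dev.example.lab`, the two pages and the login check (which accepts the `Dummy`/`p@ssword` pair found in Task 5) are all made up to mirror the lab. The `proxy` argument plays the role of ffuf's `-x` so traffic could be routed through Burp as in Task 7; it is left unset here, which also keeps environment proxies out of the loopback requests.

```python
"""Miniature ffuf-style fuzzer: FUZZ substitution in the URL path (with -e style
extensions), in a header (vhost discovery via Host: FUZZ.domain) and in a POST
body, with a response-size baseline standing in for ffuf's -fs / -ac.

Added example for this walkthrough, not ffuf's code. The target below is a
constructed stand-in for the lab host so that everything runs offline.
"""
import http.server
import threading
import urllib.error
import urllib.parse
import urllib.request

# ---- constructed target -------------------------------------------------------
DEFAULT_PAGE = "<html><body><h1>Default site</h1></body></html>\n"
DEV_PAGE = "<html><body><h1>dev build</h1><p>debug console enabled</p></body></html>\n"
PAGES = {"/robots.txt": "User-agent: *\nDisallow: /admin/\n",
         "/about.php": "<html><body>about us</body></html>\n"}


class _Target(http.server.BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):           # keep the demo quiet
        pass

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == "dev.example.lab":             # the hidden vhost (assumed name)
            self._reply(200, DEV_PAGE)
        elif self.path == "/":
            self._reply(200, DEFAULT_PAGE)         # every other vhost: same page
        elif self.path in PAGES:
            self._reply(200, PAGES[self.path])
        else:
            self._reply(404, "<h1>Not Found</h1>\n")

    def do_POST(self):                            # login form in the style of Less-11
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        form = urllib.parse.parse_qs(raw.decode())
        if form.get("uname") == ["Dummy"] and form.get("passwd") == ["p@ssword"]:
            self._reply(200, "<h1>Login successful</h1>\n")
        else:
            self._reply(200, "<h1>Login failed, try again</h1>\n")


def start_target():
    """Serve the constructed target on a random loopback port; return its base URL."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), _Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


# ---- the fuzzer -----------------------------------------------------------------
def with_extensions(words, exts=()):
    """ffuf -e: yield each word bare, then with every extension appended."""
    for word in words:
        yield word
        for ext in exts:
            yield word + ext


def send(opener, url, word, headers=None, data=None):
    """Replace FUZZ in URL, headers and body; return (status, body bytes)."""
    url = url.replace("FUZZ", word)
    hdrs = {k: v.replace("FUZZ", word) for k, v in (headers or {}).items()}
    payload = data.replace("FUZZ", word).encode() if data is not None else None
    req = urllib.request.Request(url, data=payload, headers=hdrs)
    try:
        with opener.open(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:        # 4xx/5xx are results, not errors
        return err.code, err.read()


def fuzz(url, words, headers=None, data=None, fc=(404,), fs=(), calibrate=False, proxy=None):
    """Return [(word, status, size)] for responses not removed by fc (-fc) or fs (-fs).

    calibrate=True mimics ffuf -ac: a junk word establishes the 'nothing here' size,
    which is then filtered. proxy is the -x equivalent; None also ignores env proxies.
    Dropping 404 by default is this example's simplification of ffuf's -mc default."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy} if proxy else {}))
    sizes = set(fs)
    if calibrate:
        sizes.add(len(send(opener, url, "zzqcalibratezzq", headers, data)[1]))
    hits = []
    for word in words:
        status, body = send(opener, url, word, headers, data)
        if status in fc or len(body) in sizes:
            continue
        hits.append((word, status, len(body)))
    return hits


if __name__ == "__main__":
    base = start_target()
    print(fuzz(base + "/FUZZ", with_extensions(["robots", "about", "admin"], [".txt", ".php"])))
    print(fuzz(base + "/", ["www", "dev", "mail"], headers={"Host": "FUZZ.example.lab"}, calibrate=True))
    print(fuzz(base + "/login", ["123456", "password", "p@ssword"],
               data="uname=Dummy&passwd=FUZZ&submit=Submit", calibrate=True))
```

The three calls at the bottom mirror `ffuf -u http://host/FUZZ -e .txt,.php`, `ffuf -u http://host/ -H 'Host: FUZZ.example.lab' -ac` and `ffuf -u http://host/login -X POST -d 'uname=Dummy&passwd=FUZZ&submit=Submit' -ac`. Without calibration the vhost run returns every candidate, because the default site answers 200 for any Host value; that is why the room's vhost and login fuzzing need a size or word filter rather than a status filter.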

Task 7 – [Walkthrough] Proxifying ffuf traffic

Task 8 – [Questions] Reviewing the options

Question 1 – How do you save the output to a markdown file (ffuf.md)?

-o ffuf.md -of md

Question 2 – How do you re-use a raw http request file?

-request

Question 3 – How do you strip comments from a wordlist?

-ic

Question 4 – How would you read a wordlist from STDIN?

-w -

Question 5 – How do you print full URLs and redirect locations?

-v

Question 6 – What option would you use to follow redirects?

-r

Question 7 – How do you enable colorized output?

-c

Task 9 – [Info] About the author

So that was “ffuf” for you. We looked into the basics of ffuf and its usage. Next, we took a dive into the process of finding pages and directories. Then we looked at filters, parameter fuzzing and enumeration, and finding vhosts and subdomains. Finally, we looked at proxifying ffuf traffic and some useful options. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.
