HTB Skills Assessment - Web Fuzzing
-u: Specifies the target URL. The keyword FUZZ tells the tool exactly where to inject the wordlist entries.
Example: gobuster dir -u http:// -w /usr/share/wordlists/dirb/common.txt
In the HTB ecosystem, the "Skills Assessment" is a purposefully vulnerable machine or web application. It combines multiple fuzzing techniques into a single narrative. You cannot pass it by running a single wordlist. You need a fuzzing workflow.
Vhost fuzzing usually returns a 200 OK for every request because of a default "Not Found" page. You must filter out the default size using -fs (filter size) or -fc (filter code).
During the Skills Assessment, many students encounter similar issues:
Web fuzzing is a fundamental technique in web application security testing. It involves automating the injection of unexpected, invalid, or random data into application inputs to discover hidden resources, directories, parameters, and vulnerabilities.
One of the most powerful features in FFUF is recursion, which automatically starts additional scans under any newly identified directories until the entire website and its subdirectories have been fuzzed. This saves immense manual effort and ensures comprehensive coverage.
Browse to /api/v1/status. It returns JSON: "error": "missing param". Fuzz for parameters:
After completing the above steps, you should have discovered several hidden endpoints. The final flag is typically hidden on a page that you uncover through this process. One user described the culmination: “walk through how to use directory, parameter, and vHost fuzzing to uncover hidden endpoints and reach the final flag in a realistic lab environment.”
The wordlists are just as important as the tool. is the industry standard, providing curated lists for directories (directory-list-2.3-*.txt), subdomains (subdomains-top1million-*.txt), parameters (burp-parameter-names.txt), and extensions (web-extensions.txt).
Next, run a vhost fuzzing scan against the main domain. A typical command might be:
ffuf -w /path/to/subdomains.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb'
You will receive many responses, most of which will be false positives (e.g., a default "not found" page). Note the size of the default response and filter it out using the -fs flag. The surviving results are your valid vhosts. You then add these to your /etc/hosts file as well.
Some students fuzz, find directories, and then stop without actually visiting the discovered pages.
Use -fc (filter code) to hide 403 Forbidden or 404 Not Found if they are flooding your results.
The assessment usually concludes by combining these steps: you find a hidden , which leads to a hidden , which contains a script with a hidden
You find user_id. Now fuzz the value: