Log into HTB, launch the "Web Fuzzing" module, and start typing ffuf. The flag is waiting behind a hidden directory you haven't discovered yet. Happy fuzzing, and hack the box!
The assessment may hide a second application on a different virtual host.
    ffuf -u 'http://10.10.10.200/api/v1/status?FUZZ=1' -w burp-parameter-names.txt -mr 'error'

You find user_id. Now fuzz the value:
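    #!/bin/bash
    # Directory fuzzing wrapper; the target host or IP is the first argument.
    TARGET=$1
    WORDLIST="/usr/share/seclists/Discovery/Web-Content/common.txt"

    echo "[+] Fuzzing directories on $TARGET"
    # -c: coloured output, -t 50: 50 threads, -fc: filter out 404/403 responses, -o: save results
    ffuf -u "http://$TARGET/FUZZ" -w "$WORDLIST" -c -t 50 -fc 404,403 -o dirs.json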
You need to guess the HTTP parameter the script expects.