Marial's Notes
  • Hello!
  • Pentesterlab Labs
    • Recon Badge
      • recon_00 (/robots.txt)
      • recon_01 (404 pages)
      • recon_02 (/.well-known/security.txt)
      • recon_03 (directory listing)
      • recon_04 (/admin)
      • recon_05 (wfuzz)
      • recon_06 (vhost)
      • recon_07 (vhost over TLS)
      • recon_08 (alt name)
      • recon_09 (header)
      • recon_10 (visual recon)
      • recon_11 (virtual host brute)
      • recon_12 (load balance)
      • recon_13 (TXT)
      • recon_14 (zone transfer)
      • recon_15 (int zone transfer)
      • recon_16 (bind version)
      • recon_17 (dev name)
      • recon_18 (public repos)
      • recon_19 (find email)
      • recon_20 (check branches 1)
      • recon_21 (check branches 2)
      • recon_22 (deleted file)
      • recon_23 (commit message)
      • recon_24 (assets)
      • recon_25 (S3)
      • recon_26 (JS)
  • TryHackMe Rooms
    • Basic Pentesting
    • EasyPeasy
    • Kenobi
    • Vulnversity
Powered by GitBook
On this page
  • OBJECTIVE
  • FUZZING DIRECTORIES
  • SOLUTION

Was this helpful?

  1. Pentesterlab Labs
  2. Recon Badge

recon_05 (wfuzz)

Previousrecon_04 (/admin)Nextrecon_06 (vhost)

Last updated 6 months ago

Was this helpful?

View the exercise here: PentesterLab: Recon 05

OBJECTIVE

For this challenge, your goal is to find a directory that is not directly accessible.

FUZZING DIRECTORIES

When accessing a new webserver, it often pays off to brute force directories. To do this, you can use many tools like patator, FFUF, or WFuzz (amongst many others).

SOLUTION

You can use wfuzz, ffuf, or patator.

For wfuzz: https://wfuzz.readthedocs.io/en/latest/

In Kali machine:

We'll change the directory to /usr/bin and then check wfuzz.

cd /usr/bin
./wfuzz

To discover wordlists to use for fuzzing:

ls /usr/share/wfuzz/wordlist/general

We'll use common.txt and enter it in wfuzz.

wfuzz -c -z file,wordlist/general/common.txt --sc 200 http://hackycorp.com/FUZZ/

-c to colorize the output

-z to define the payload type for fuzzing

--sc (show codes) In this case, it will only show responses with 200 OK status

--hc (hide codes) hides responses that match the specified HTTP status codes

Notes:

  • -- take note of the double dash, this is often the cause of errors

  • add slash / at the end of the URL to get exactly 200 rather than 301 responses

From the wfuzz results, we use curl to the directories we've found to get the flag.

curl http://hackycorp.com/admin/
curl http://hackycorp.com/images/
curl http://hackycorp.com/startpage/

We'll see the flag in http://hackycorp.com/startpage/