
TryHackMe ffuf Walkthrough


Hi, Hackers!! Today we will learn about ffuf by completing the TryHackMe room named ffuf, created by noraj. After completing the room you will have a basic idea of how to use ffuf, and you can explore the advanced features yourself.

Introduction

Ffuf is short for Fuzz Faster U Fool. It is a tool for web enumeration, fuzzing and directory brute-forcing.
To install ffuf:

To install Seclists:

Basics

Every tool has a help page, and so does ffuf. To display it, run the usual command: ffuf -h




If you are in a hurry and only want the most basic usage: like other tools, ffuf uses the -u flag to specify the URL and the -w flag to specify the wordlist. You also have to place the FUZZ keyword in the request; it marks the position where each wordlist entry will be injected.
If you don't want to use the FUZZ keyword, you can define a custom keyword of your liking by appending it to the wordlist path, like this: wordlist.txt:BINGO

$ ffuf -u http://machine_ip/BINGO -w /usr/share/seclists/Discovery/Web-Content/big.txt:BINGO

1. What is the first file you found with a 200 status code?


Answer: favicon.ico

Finding Pages And Directories

If you want to find which extensions exist for a given page, you can do that too. Just place the FUZZ keyword right after the file name:
$ ffuf -u http://10.10.10.125/indexFUZZ -w .........../web-extensions.txt
If you want to try specific extensions on every word, use the -e flag with a comma-separated list (no spaces):
$ ffuf -u http://10.10.10.125/FUZZ -w ........../common.txt -e .php,.txt

2. What text file did you find?

$ ffuf -u http://10.10.40.125/FUZZ -w /home/user/Downloads/SecLists/Discovery/Web-Content/common.txt 


Answer: robots.txt

3. What two file extensions were found for the index page?


Answer: php,phps

4. What page has a size of 4840?


Answer: about.php

5. How many directories are there?

$ ffuf -u http://10.10.40.125/FUZZ -w /home/user/Downloads/SecLists/Discovery/Web-Content/common.txt


Answer: 4

Using Filters

Sometimes the results are full of noise. We can filter the directory search results by response status, response size and so on. Let's look at ffuf -h one more time.


The -fc (filter code) flag hides every result with the specified status code. Example: -fc 403
If you only want results with a specific status code, use the -mc (match code) flag instead; it shows only results with that code. Example: -mc 200

You can also filter (-fr) or match (-mr) on a regular expression applied to the response body.
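To make the keyword substitution, the -e extension handling and the filter/match logic concrete, here is a small Python model of what ffuf does per request. It is an added example, not code from ffuf or from the room; the host target.example, the wordlist and the response table are constructed, so it runs offline and does not touch any machine.

```python
import re

# ffuf's default status-code matcher (what you see when no -mc/-fc is given).
DEFAULT_MC = set(range(200, 300)) | {301, 302, 307, 401, 403, 405, 500}

# Constructed sample responses (status, size, body) keyed by URL. The host and
# bodies are made up for this example, not captured from the TryHackMe machine.
SAMPLE_RESPONSES = {
    "http://target.example/robots.txt": (200, 80, "User-agent: *"),
    "http://target.example/about.php": (200, 4840, "<h1>About</h1>"),
    "http://target.example/index.php": (200, 1200, "<h1>Home</h1>"),
    "http://target.example/index.phps": (200, 3000, "<code>&lt;?php</code>"),
    "http://target.example/admin": (403, 277, "<title>403 Forbidden</title>"),
    "http://target.example/wp-forum.phps": (403, 310, "<code>&lt;?php // forum</code>"),
}
WORDS = ["robots.txt", "about.php", "index", "admin", "wp-forum", "zzz"]


def fuzz(template, wordlist, responses, keyword="FUZZ", extensions=(),
         fc=(), mc=None, fs=(), fr=None, mr=None):
    """Model of ffuf's request loop: substitute each candidate for `keyword`,
    look the URL up in `responses`, then apply the filters/matchers.
    Returns the surviving (candidate, status, size) tuples in wordlist order."""
    mc = DEFAULT_MC if mc is None else set(mc)
    hits = []
    for word in wordlist:
        # -e tries the bare word plus word+ext for every extension given.
        for candidate in [word] + [word + ext for ext in extensions]:
            url = template.replace(keyword, candidate)
            status, size, body = responses.get(url, (404, 275, "Not Found"))
            if status in fc or status not in mc:   # -fc drops, -mc keeps
                continue
            if size in fs:                          # -fs: drop these sizes
                continue
            if fr and re.search(fr, body):          # -fr: drop matching bodies
                continue
            if mr and not re.search(mr, body):      # -mr: keep only matching
                continue
            hits.append((candidate, status, size))
    return hits


def names(hits):
    return [candidate for candidate, _, _ in hits]


if __name__ == "__main__":
    base, ext = "http://target.example/FUZZ", (".php", ".phps")
    # -fc 403 throws away wp-forum.phps; -fr on the generic 403 page keeps it.
    print(names(fuzz(base, WORDS, SAMPLE_RESPONSES, extensions=ext)))
    print(names(fuzz(base, WORDS, SAMPLE_RESPONSES, extensions=ext, fc=(403,))))
    print(names(fuzz(base, WORDS, SAMPLE_RESPONSES, extensions=ext, fr="403 Forbidden")))
```

The last two calls show the difference behind question 8: a status filter hides everything that answered 403, while a body regex on the generic forbidden page leaves the odd-looking 403 in the results.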

6. After applying the fc filter, how many results were returned?


Answer: 11

7. After applying the fr filter, how many results were returned?


Answer: 6

8. Which valuable file would have been hidden if you had used -fc 403 instead of -fr?


Answer: wp-forum.phps

Fuzzing Parameters

You can also fuzz parameters with ffuf. Discovering a vulnerable parameter can lead to file inclusion, path disclosure, XSS, SQL injection or even command injection. All you have to do is place the FUZZ keyword where the parameter name or value goes.
You can also generate the wordlist yourself and use it to fuzz.

9. What is the parameter you found?


Answer: id

10. What is the highest valid id?


Answer: 14

11. What is Dummy's password?


Here, the -X flag specifies the request method, -d the request body data and -H a custom header.

Answer: p@ssword

Finding Vhosts and Subdomains

To find subdomains of a website, either fuzz the hostname directly or fuzz the Host header (virtual hosts):
$ ffuf -u http://FUZZ.mydomain.com -c -w ........../wordlist.txt 
$ ffuf -u http://mydomain.com -c -w ........./wordlist.txt -H 'Host: FUZZ.mydomain.com' 

Proxifying ffuf traffic 

Whether it's for network pivoting or for using Burp Suite plugins, you can send all the ffuf traffic through a web proxy (HTTP or SOCKS5):
$ ffuf -u http://machine_ip/ -c -w ......../common.txt -x http://127.0.0.1:8080 
It's also possible to send only matches to your proxy for replaying:
$ ffuf -u http://machine_ip/ -c -w ......./common.txt -replay-proxy http://127.0.0.1:8080 

Reviewing the options

12. How do you save the output to a markdown file (ffuf.md)?
Answer: -of md -o ffuf.md
13. How do you re-use a raw HTTP request file?
Answer: -request
14. How do you strip comments from a wordlist?
Answer: -ic
15. How do you read a wordlist from STDIN?
Answer: -w -
16. How do you print full URLs and redirect locations?
Answer: -v 
17. What option would you use to follow redirects?
Answer: -r 
18. How do you enable colorized output?
Answer: -c

That's all for today. Happy Hacking😊😊
