HTB Skills Assessment - Web Fuzzing

If you have reached the "Web Fuzzing" skills assessment, you have moved past the basics of SQLi and XSS. You are now entering the world of automated discovery, where hidden directories, backup files, virtual hosts, and parameter injection become your primary attack vectors.

Start with a full port scan:

nmap -p- --min-rate 1000 10.10.10.200
# Output: 80/tcp open http

Fuzz for hidden directories and files:

ffuf -u http://10.10.10.200/hidden/FUZZ -w directory-list-2.3-medium.txt
# Finds: /hidden/backup.zip (200)

Download backup.zip. Unzipping it reveals creds.txt, which contains user:pass and a note: "API endpoint at /api/v1/status".

Fuzz for file extensions on known pages:

echo "[+] Fuzzing extensions (php, bak, txt)"
ffuf -u http://$TARGET/indexFUZZ -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt -c

If you find login.php, immediately check for login.php.bak or login.php~. These often contain raw credentials or source code revealing the next step. This is where beginners fail the HTB assessment.

You found a page like http://target.htb/api.php. It returns a blank page. Now what? You need to guess the HTTP parameter the script expects.