HTB Skills Assessment - Web Fuzzing

If you discover a directory like /backup, you should recursively fuzz inside it to find deeper content. Ffuf supports recursive fuzzing with the -recursion flag:

According to the module description, the skills assessment tests your ability to:

Before you can successfully complete the assessment, you must understand several core concepts that underpin all web fuzzing operations.

Sometimes different status codes return the same size, but the content differs. Use -fw to filter by word count:

Several community members have published their solutions to the Web Fuzzing Skills Assessment. These can serve as excellent references if you get stuck:

ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt

The suggested wordlist for this is alphanum-case.txt from SecLists. This type of challenge requires you to think beyond simple directory fuzzing and apply fuzzing to request components like cookies and headers.

Use ffuf with the -H "Host: FUZZ.academy.htb" header.

-H: Adds or modifies HTTP headers (crucial for VHost fuzzing or passing authorization tokens).
-d: Sends POST data for testing forms or API endpoints.
-X: Specifies the HTTP method (GET, POST, PUT, DELETE).

Filtering the Noise

Using a massive wordlist like directory-list-lowercase-2.3-big.txt on a slow connection or with rate limits can take hours.

Mastering the HTB Academy Web Fuzzing Skills Assessment requires a systematic approach to uncovering hidden layers of a web application using tools like

The Web Fuzzing Skills Assessment is the final, hands-on exercise at the end of the Web Fuzzing module on HTB Academy. You are presented with a target IP address or domain and a simple instruction: after completing all steps in the assessment, you will be presented with a page that contains a flag in the format HTB... . Your task is to find that flag.