In this video walk-through, we covered BurpSuite Intruder, Comparer, Sequencer and Extender as part of TryHackMe Junior Penetration Tester Pathway.. This was part of TryHackMe Burp Suite: Intruder.

Get Blue Team Study Notes

Burp Suite Practical Notes

The Complete Practical Metasploit Framework Course

Challenge Description

Learn how to use Intruder to automate requests in Burp Suite & Take a dive into some of Burp Suite’s lesser-known modules.

Video Highlights

Room Answers

Ques 1: Which section of the Options sub-tab allows you to control what information will be captured in the Intruder results?
Ans 1: attack results

Ques 2: In which Intruder sub-tab can we define the “Attack type” for our planned attack?
Ans 2: positions

Ques 3: If you were using Sniper to fuzz three parameters in a request, with a wordlist containing 100 words, how many requests would Burp Suite need to send to complete the attack?
Ans 3: 300

Ques 4: How many sets of payloads will Sniper accept for conducting an attack?
Ans 4: 1

Ques 5: Sniper is good for attacks where we are only attacking a single parameter, aye or nay?
Ans 5: aye

Ques 6: What would the body parameters of the first request that Burp Suite sends be?
Ans 6: username=ADMIN&password=ADMIN

Ques 7: What is the maximum number of payload sets we can load into Intruder in Pitchfork mode?
Ans 7: 20

Ques 8: We have three payload sets. The first set contains 100 lines; the second contains 2 lines; and the third contains 30 lines. How many requests will Intruder make using these payload sets in a Cluster Bomb attack?
Ans 8: 6000

Ques 9: Which payload type lets us load a list of words into a payload set?
Ans 9: simple list

Ques 10: Which Payload Processing rule could we use to add characters at the end of each payload in the set?
Ans 10: add suffix

Ques 11: Which attack type is best suited for this task?
Ans 11: sniper

Ques 12: Either using the Response tab in the Attack Results window or by looking at each successful (i.e. 200 code) request manually in your browser, find the ticket that contains the flag. What is the flag?
Ans 12: THM{MTMxNTg5NTUzMWM0OWRlYzUzMDVjMzJl}

New Version Answers

In which Intruder tab can we define the “Attack type” for our planned attack?

positions

What symbol defines the start and the end of a payload position?

§

Which Payload processing rule could we use to add characters at the end of each payload in the set?

add suffix

If you were using Sniper to fuzz three parameters in a request with a wordlist containing 100 words, how many requests would Burp Suite need to send to complete the attack?

300

How many sets of payloads will Sniper accept for conducting an attack?

1

What would the body parameters of the first request that Burp Suite sends be?

username=admin&password=admin

What is the maximum number of payload sets we can load into Intruder in Pitchfork mode?

20

We have three payload sets. The first set contains 100 lines, the second contains 2 lines, and the third contains 30 lines.

How many requests will Intruder make using these payload sets in a Cluster bomb attack?

6000

What attack type cycles through the payloads inserting one payload at a time into each position defined in the request?

sniper

What username and password combination indicates a successful login attempt? The answer format is “username:password”.

m.rivera:letmein1

Which attack type is best suited for this task?

sniper

Either using the Response tab in the Attack Results window or by looking at each successful (i.e. 200 code) request manually in your browser, find the ticket that contains the flag.

What is the flag?

THM{MTMxNTg5NTUzMWM0OWRlYzUzMDVjMzjl}

What username and password combination indicates a successful login attempt? The answer format is “username:password”.

o.bennet:bella1

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by, Motasem Hamdan, who is a Cybersecurity content creator and YouTuber.

View Articles