Premise

In this video walkthrough, we covered the concept of fuzzing in computer programs and web applications. We used an example lab from TryHackMe Advent of Cyber 2 / Day 4 / Santa’s watching.

Challenge Description

We’re going to be taking a look at some of the fundamental tools used in web application testing. You’re going to learn how to use Gobuster to enumerate a web server for hidden files and folders to aid in the recovery of Elf’s forums. Later on, you’re going to be introduced to an important technique that is fuzzing, where you will have the opportunity to put theory into practice.

Our malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf’s forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of YYYYMMDD.
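From the defender's side, the Gobuster enumeration and the date-parameter fuzzing described above leave a recognisable pattern in web server access logs. The following Python is an added example, not part of the original walkthrough or the TryHackMe room; the log lines are constructed, and the file name `/api/example.php` and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Matches the start of a common/combined access-log line: client, request target, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3}) ')

def _line(ip, target, status):
    """Build one constructed log line (timestamp and size are arbitrary)."""
    return f'{ip} - - [04/Dec/2020:10:00:00 +0000] "GET {target} HTTP/1.1" {status} 512'

# Constructed sample: 10.0.0.5 walks a wordlist, then sweeps date=YYYYMMDD values;
# 10.0.0.9 is an ordinary visitor. /api/example.php is a hypothetical file name.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", f"/{w}", 404) for w in ("admin", "backup", "login", "test", "old", "dev")]
    + [_line("10.0.0.5", "/api/", 200)]
    + [_line("10.0.0.5", f"/api/example.php?date=202012{d:02d}", 200) for d in range(1, 11)]
    + [_line("10.0.0.9", "/index.html", 200),
       _line("10.0.0.9", "/api/example.php?date=20201201", 200),
       _line("10.0.0.9", "/favicon.ico", 404)]
)

def detect(log_text, min_404_paths=5, min_param_values=5):
    """Return {client_ip: set of findings}; thresholds are illustrative assumptions."""
    not_found = defaultdict(set)     # ip -> distinct paths answered with 404
    param_values = defaultdict(set)  # (ip, path, parameter) -> distinct values sent
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if status == 404:
            not_found[ip].add(url.path)
        for name, values in parse_qs(url.query, keep_blank_values=True).items():
            param_values[(ip, url.path, name)].update(values)
    findings = defaultdict(set)
    for ip, paths in not_found.items():
        if len(paths) >= min_404_paths:
            findings[ip].add("directory-enumeration")
    for (ip, path, name), values in param_values.items():
        if len(values) >= min_param_values:
            findings[ip].add(f"parameter-fuzzing:{path}?{name}")
    return dict(findings)

if __name__ == "__main__":
    for ip, found in detect(SAMPLE_LOG).items():
        print(ip, sorted(found))
```

Counting distinct 404 paths and distinct parameter values per client, rather than raw request volume, keeps a busy but ordinary visitor from being flagged.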


Room Link

Recommended Rooms:

TryHackMe | ZTH: Web 2

TryHackMe | CC: Pen Testing

Challenge Questions

  • Given the URL “http://shibes.xyz/api.php”, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)?

Note: For legal reasons, do not actually run this command, as the site in question has not consented to being fuzzed!

  • Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?
  • Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

Answers / Day 4

Deploy your AttackBox (the blue “Start AttackBox” button) and the task's machine (green button on this task) if you haven’t already. Once both have deployed, open Firefox on the AttackBox and copy/paste the machine's IP (MACHINE_IP) into the browser search bar.

Given the URL “http://shibes.xyz/api.php”, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)?

Note: For legal reasons, do not actually run this command, as the site in question has not consented to being fuzzed!

Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?

Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

Video Walkthrough

 
