Prémisse

In this video walkthrough, we covered the concept of fuzzing in computer programs and web applications. We used an example lab from TryHackMe Advent of Cyber 2 / Day 4 / Santa’s watching

Description du défi

We’re going to be taking a look at some of the fundamental tools used in web application testing. You’re going to learn how to use Gobuster to enumerate a web server for hidden files and folders to aid in the recovery of Elf’s forums. Later on, you’re going to be introduced to an important technique that is fuzzing, where you will have the opportunity to put theory into practice.

Our malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf’s forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of YYYYMMDD

Obtenir les notes du certificat OSCP

Chambre Lien

Recommended Rooms:

TryHackMe | ZTH: Web 2

TryHackMe | CC: Pen Testing

Questions de défi

  • Given the URL “http://shibes.xyz/api.php“, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)

Note: For legal reasons, do pas actually run this command as the site in question has not consented to being fuzzed!

  • Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?
  • Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

Answers / Day 4

Deploy your AttackBox (the blue “Start AttackBox” button) and the tasks machine (green button on this task) if you haven’t already. Once both have deployed, open FireFox on the AttackBox and copy/paste the machines IP (MACHINE_IP) into the browser search bar.

Given the URL “http://shibes.xyz/api.php“, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)

Note: For legal reasons, do pas actually run this command as the site in question has not consented to being fuzzed!

Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?

Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

Vidéo pas à pas

 

, , ,
Montrer les Commentaires

Motasem

A propos de l'Auteur

Je crée des notes de cybersécurité, des notes de marketing numérique et des cours en ligne. Je fournis également des conseils en marketing numérique, y compris, mais sans s'y limiter, le référencement, les publicités Google et Meta et l'administration CRM.

Voir les Articles