Premise

In this video walkthrough, we covered the concept of fuzzing in computer programs and web applications. We used an example lab from TryHackMe Advent of Cyber 2 / Day 4 / Santa’s watching

Challenge Description

We’re going to be taking a look at some of the fundamental tools used in web application testing. You’re going to learn how to use Gobuster to enumerate a web server for hidden files and folders to aid in the recovery of Elf’s forums. Later on, you’re going to be introduced to an important technique that is fuzzing, where you will have the opportunity to put theory into practice.

Our malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf’s forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of YYYYMMDD

Get OSCP Certificate Notes

Room Link

Recommended Rooms:

TryHackMe | ZTH: Web 2

TryHackMe | CC: Pen Testing

Challenge Questions

  • Given the URL “http://shibes.xyz/api.php“, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)

Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!

  • Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?
  • Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

Answers / Day 4

Deploy your AttackBox (the blue “Start AttackBox” button) and the tasks machine (green button on this task) if you haven’t already. Once both have deployed, open FireFox on the AttackBox and copy/paste the machines IP (MACHINE_IP) into the browser search bar.

Given the URL “http://shibes.xyz/api.php“, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)

Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!

Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?

Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

Video Walkthrough

 

, , ,
Show Comments

Motasem

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles