Introduction

In this walkthrough, we cover the concept of fuzzing in computer programs and web applications, using the TryHackMe Advent of Cyber 2 / Day 4 / Santa’s watching lab as the worked example.

TryHackMe Advent of Cyber Challenge Description

We’re going to be taking a look at some of the fundamental tools used in web application testing. You’re going to learn how to use Gobuster to enumerate a web server for hidden files and folders to aid in the recovery of Elf’s forums. Later on, you’re going to be introduced to an important technique that is fuzzing, where you will have the opportunity to put theory into practice.

Our malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf’s forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of YYYYMMDD.

Recommended Rooms

TryHackMe | ZTH: Web 2

TryHackMe | CC: Pen Testing

Challenge Questions

  • Given the URL “http://shibes.xyz/api.php“, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)?

Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!

  • Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?
  • Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

What is Fuzzing?

Fuzzing is a technique where you throw a bunch of random or unexpected data at a program and see what happens. The main goals are to:

  • Find crashes or bugs.
  • Discover vulnerabilities like buffer overflows.
  • Uncover hidden directories, files, or sensitive information on websites.
  • Identify misconfigurations.
  • Find login credentials and other security holes.

I’ll be using a command-line tool called wfuzz, which is great for fuzzing web applications. You can use it to test URL parameters, find usernames and passwords, and discover hidden directories. I’ll also mention gobuster, another tool that’s good for finding directories and files.

A Practical Fuzzing Example

Let’s get our hands dirty. I’ll show you how I use gobuster and wfuzz in a real scenario.

First, I start with some reconnaissance using gobuster to find hidden directories and files on the target web server. In this case, I found an api directory and a file called sitelock.php.

The sitelock.php file looked like a log file, which made me think it might accept a date parameter to search the logs. This is a perfect target for fuzzing!

Next, I put together a wfuzz command to fuzz the date parameter. I used a wordlist of different date formats and told wfuzz to try each one.

By looking at the wfuzz output, I could see that most of the responses had a character count of zero. But one response had 13 characters, which was a clear sign that I had found something interesting. And sure enough, that successful fuzzing attempt revealed the flag!

A key takeaway here is that the wordlist you use is super important. If you’re fuzzing a date parameter, use a date wordlist. If you’re fuzzing a user ID, use a numerical wordlist, and so on.
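As an added example (not part of the original walkthrough), the script below reproduces the two ideas from this procedure in plain Python: build a YYYYMMDD wordlist that contains only real calendar dates, then flag the one response whose length differs from the baseline, which is what wfuzz's character-count column (and its `--hh` filter) lets you do by eye. The `sitelock.php` stand-in, the date range and the flag value are constructed placeholders; `http_fetch` is the only part that touches a network and is not used by the demo.

```python
from collections import Counter
from datetime import date, timedelta
import urllib.parse
import urllib.request


def date_wordlist(start, end):
    """Yield every day from start to end (inclusive) as a YYYYMMDD string.

    Stepping with timedelta skips impossible dates such as 20201131 that a
    naive year/month/day nested loop would generate.
    """
    day = start
    while day <= end:
        yield day.strftime("%Y%m%d")
        day += timedelta(days=1)


def http_fetch(base_url, timeout=5):
    """Return a fetch(params) callable that GETs base_url with a query string."""
    def fetch(params):
        url = base_url + "?" + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode(errors="replace")
    return fetch


def fuzz_parameter(fetch, param, payloads):
    """Send each payload as the value of `param`; map payload -> response length."""
    return {p: len(fetch({param: p})) for p in payloads}


def find_outliers(results):
    """Hide the most common response length (wfuzz --hh) and return the rest."""
    baseline = Counter(results.values()).most_common(1)[0][0]
    return {p: n for p, n in results.items() if n != baseline}, baseline


# Constructed stand-in for the lab API: an empty body unless the date has a log post.
FAKE_LOGS = {"20201124": "THM{example}"}  # placeholder, not the real flag


def fake_fetch(params):
    return FAKE_LOGS.get(params.get("date", ""), "")


def run_demo():
    words = list(date_wordlist(date(2020, 11, 1), date(2020, 12, 31)))
    hits, baseline = find_outliers(fuzz_parameter(fake_fetch, "date", words))
    return words, hits, baseline


if __name__ == "__main__":
    words, hits, baseline = run_demo()
    print(f"{len(words)} payloads, baseline length {baseline}, outliers: {hits}")
```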

Technical Commands Used

Here are the technical commands I used in the terminal during the demonstration:

  • sudo gobuster dir -u [URL] -w [wordlist path] -x [extensions]
  • head -n5 [wordlist]
  • wfuzz -c -z file,[wordlist path] -d "date=FUZZ" -u [URL]

Room Answers / Day 4

Deploy your AttackBox (the blue “Start AttackBox” button) and the task’s machine (green button on this task) if you haven’t already. Once both have deployed, open Firefox on the AttackBox and copy/paste the machine’s IP (MACHINE_IP) into the browser address bar.

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.