Try Hack Me
  • Try Hack Me
  • Rooms
  • Tutorial
    • Welcome to TryHackMe
    • Welcome
    • Tutorial
    • Starting Out In Cyber Sec
    • Welcome
  • Capture The Flag
    • Advent of Cyber
      • Task 1 - 10
      • Task 11 - 20
      • Task 21 - 29
      • PDF - materials
    • Anonymous
    • Mnemonic
    • Bounty Hacker
    • Ignite
    • Pickle Rick
    • Simple CTF
    • Agent Sudo
    • Mr. Robot
  • Advent of Cyber II
    • A Christmas Crisis
    • The Elf Strikes Back!
    • Christmas Chaos
    • Santa's watching
    • Someone stole Santa's gift list!
    • Be careful with what you wish on a Christmas night
    • The Grinch Really Did Steal Christmas
    • What's Under the Christmas Tree?
    • Anyone can be Santa!
    • Don't be sElfish!
    • The Rogue Gnome
    • Ready, set, elf.
    • Coal for Christmas
    • Where's Rudolph?
    • There's a Python in my stocking!
    • Help! Where is Santa?
    • ReverseELFneering
    • The Bits of Christmas
    • The Naughty or Nice List
    • PowershELlF to the rescue
    • Time for some ELForensics
    • Elf McEager becomes CyberElf
    • The Grinch strikes again!
    • The Trial Before Christmas
    • Thank You
  • Linux
    • Linux Fundamentals Part 1
    • Linux Fundamentals Part 2
    • Linux Fundamentals Part 3
    • LinuxCTF - Linux Challenges
    • Learn Linux - wip
    • Find - wip
  • Windows
    • Intro to Windows
  • OSINT
    • Introductory Researching - wip
    • Google Dorking
    • OhSINT
    • Sublist3r
    • Searchlight - IMINT
    • Geolocating Images
  • Crypto
    • Hashing - Crypto 101
    • Encryption - Crypto 101
    • CrackTheHash - wip
  • Network
    • Introductory Networking
    • Nmap
    • Network Services - wip
    • Network Services 2 - wip
    • Networking - wip
    • Nmap - wip
    • TOR
  • Web
    • Web Fundamentals
  • Pentest
    • Pentest questionaire
  • Hardware
    • Dumping Router Firmware
  • HELP
  • Reverse
    • Reversing ELF
Powered by GitBook
On this page
  • Video
  • Resources
  • Challenge
  • Deploy your AttackBox
  • Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)
  • Use GoBuster (against the target you deployed -- not the shibes.xyz domain) to find the API directory. What file is there?
  • Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

Was this helpful?

  1. Advent of Cyber II

Santa's watching

Web Exploitation - gobuster ; wfuzz

PreviousChristmas ChaosNextSomeone stole Santa's gift list!

Last updated 4 years ago

Was this helpful?

Video

Resources

Challenge

gobuster dir -u http://example.com -w wordlist.txt -x php,txt,html

Recommend wordlist https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/big.txt

wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt localhost:80/FUZZ/note.txt

wfuzz -c -z file,mywordlist.txt -d “username=FUZZ&password=FUZZ” -u http://shibes.thm/login.php

Recommended wordlist https://assets.tryhackme.com/additional/cmn-aoc2020/day-4/wordlist

Deploy your AttackBox

No answer needed

Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)

Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!

wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ

Use GoBuster (against the target you deployed -- not the shibes.xyz domain) to find the API directory. What file is there?

wget https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/big.txt

gobuster dir -u http://10.10.136.48/ -w big.txt -x php

site-log.php

Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

wfuzz -v -c -z file,wordlist -u http://10.10.136.48/api/site-log.php?date=FUZZ

curl http://10.10.136.48/api/site-log.php?date=20201125

THM{D4t3_AP1}

gobuster recommended wordlist to use:

big.txt