Santa's watching
Web Exploitation - gobuster ; wfuzz
Resources
gobuster recommended wordlist to use: big.txt
Challenge
gobuster dir -u http://example.com -w wordlist.txt -x php,txt,html
Recommended wordlist: https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/big.txt
wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt localhost:80/FUZZ/note.txt
wfuzz -c -z file,mywordlist.txt -d "username=FUZZ&password=FUZZ" -u http://shibes.thm/login.php
Recommended wordlist https://assets.tryhackme.com/additional/cmn-aoc2020/day-4/wordlist
Deploy your AttackBox
No answer needed
Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)?
Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!
wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ
Use GoBuster (against the target you deployed -- not the shibes.xyz domain) to find the API directory. What file is there?

wget https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/big.txt
gobuster dir -u http://10.10.136.48/ -w big.txt -x php


site-log.php
Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?
wfuzz -v -c -z file,wordlist -u "http://10.10.136.48/api/site-log.php?date=FUZZ"

curl "http://10.10.136.48/api/site-log.php?date=20201125"

THM{D4t3_AP1}