TryHackMe: Advent of Cyber 2 [Day 4] Santa’s Watching

Room: Advent of Cyber 2

Difficulty: Beginner

We’re going to be taking a look at some of the fundamental tools used in web application testing. You’re going to learn how to use Gobuster to enumerate a web server for hidden files and folders to aid in the recovery of Elf’s forums. Later on, you’re going to be introduced to an important technique, fuzzing, where you will have the opportunity to put theory into practice.

Our malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf’s forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of YYYYMMDD.

Question #1 Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)?

Another web challenge today. Here is the webpage associated with today’s IP address:

But the first question actually wants us to fuzz a different website, http://shibes.xyz/api.php.

Since it’s fake, you can’t actually do it, but just imagine what your command would look like using the materials included with the challenge:

wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ

Question #2 Use GoBuster to find the API directory. What file is there?

I ran GoBuster on the main page:

Then headed over to /api where I found the file I needed, site-log.php

Question #3 Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

I ran the wfuzz command and saw one that looked a bit different than the rest. The date 20201125 shows 13 characters, so you can tell that it is not empty like the rest:

Navigate there in your web browser and you will see the flag!
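As an added example (not part of the original writeup or the room's materials), here is a Python sketch of the reasoning used for Question #3: build YYYYMMDD candidates for a date window, then pick out the result row whose status and character count differ from the common baseline. The sample rows are constructed to mirror the 13-character response described above, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import date, timedelta

def yyyymmdd_range(start, end):
    """Calendar-valid dates from start to end inclusive, as YYYYMMDD strings."""
    span = (end - start).days
    return [(start + timedelta(days=i)).strftime("%Y%m%d") for i in range(span + 1)]

# One wfuzz result row: id, HTTP status, lines, words, chars, quoted payload.
ROW = re.compile(r'^\d+:\s+(\d{3})\s+(\d+) L\s+(\d+) W\s+(\d+) Ch\s+"([^"]*)"')

def parse_rows(text):
    """Turn wfuzz result rows into dicts; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            status, _lines, _words, chars, payload = m.groups()
            rows.append({"payload": payload, "status": int(status), "chars": int(chars)})
    return rows

def outliers(rows):
    """Rows whose (status, chars) pair differs from the most common pair."""
    if not rows:
        return []
    baseline = Counter((r["status"], r["chars"]) for r in rows).most_common(1)[0][0]
    return [r for r in rows if (r["status"], r["chars"]) != baseline]

# Constructed sample output (not captured from the room): empty responses
# everywhere except the one date the writeup reports as 13 characters.
SAMPLE = """\
ID           Response   Lines    Word       Chars       Payload
000000001:   200        0 L      0 W        0 Ch        "20201123"
000000002:   200        0 L      0 W        0 Ch        "20201124"
000000003:   200        0 L      1 W        13 Ch       "20201125"
000000004:   200        0 L      0 W        0 Ch        "20201126"
"""

if __name__ == "__main__":
    wordlist = yyyymmdd_range(date(2020, 11, 23), date(2020, 11, 26))
    rows = parse_rows(SAMPLE)
    # Dates in the window that never appeared as a payload in the results.
    print("untested dates:", sorted(set(wordlist) - {r["payload"] for r in rows}))
    for r in outliers(rows):
        print("differs from baseline:", r)
```

Generating the candidates from real calendar dates, rather than counting through integers, keeps impossible values such as 20201131 out of the wordlist.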

Happy Hacking! ❤
