TryHackMe — Advent of Cyber 2 — Day 4

Good morning all,

We will be hitting the Day 4 box “Santa’s Watching”. From the intro it appears that this box will be focused on fuzzing web directories to try and find some ‘hidden’ ones. It mentions gobuster and wfuzz. I’m currently semi-used to gobuster; it’s kind of my go-to for directory enumeration, although I need more practice, so I will use that tool for this one as well.

Well, let’s get to it.

When we enter the site, we are greeted with this…

Anyway, let’s get to the gobuster part.

Not too long into the scan, even with the crap internet, we get a hit we can check, one that is also hinted at in the intro and questions. Navigating to the site gets us this…

This answers question 2.

We will go back to question 1 — forcing my hand to use wfuzz.

Here is the question for the machine:

“Given the URL “http://shibes.xyz/api.php”, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)?

Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!”

This is the site I used to learn a little on wfuzz — https://wfuzz.readthedocs.io/en/latest/user/basicusage.html

Alright, so let’s try and break down what we need. We need to use the ‘-z type,parameter’ flag, the URL and finally the breed parameter for the API. It took me a while to figure this one out as I’ve never played with it, but TryHackMe took my answer.

Now we need to adapt this to answer question 3: Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

So we can start with this command:

Looking at the payloads…

This is given to us in the intro “We also know that the API takes a date in the form of YYYYMMDD.”

Welp, we tried this, and it gave us way too much output. We now need to find a way to cut down on the output that doesn’t give us any results.

Added a ‘--hl 0’ to my command, which hides the responses with 0 lines.

The output from the command looks like this:

So I was worried about what was being sent over the net, so I got some pcaps just to verify everything was working right.

Anyhow, we got zero responses, so let’s take another look at what could be wrong.

Alrighty, we changed the zero-lines flag to zero characters.

We got a result! If you navigate to that page, you will get the final flag. As always, I’ll leave that part to you. Best of luck!
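Why the zero-lines filter hid the answer while the zero-characters one did not is worth seeing offline. The script below is an added example, not part of the original write-up or of wfuzz: it builds YYYYMMDD payloads for a date range, mirrors wfuzz’s line/word/char counting (assuming, as its source does, that “lines” is the number of newline characters), and applies the two hide filters to constructed responses in which the one hit is a single line with no trailing newline, so it counts as 0 lines and gets hidden by ‘--hl 0’ but not by ‘--hh 0’ (the hide-by-characters flag).

```python
"""Simulate wfuzz's --hl 0 vs --hh 0 filters over constructed API responses."""
from __future__ import annotations

from datetime import date, timedelta


def yyyymmdd_payloads(start: date, end: date) -> list[str]:
    """Return a YYYYMMDD payload for every day in [start, end], inclusive."""
    days = (end - start).days + 1
    return [(start + timedelta(days=i)).strftime("%Y%m%d") for i in range(days)]


def response_stats(body: str) -> dict[str, int]:
    """Line/word/char counts as wfuzz reports them (assumed: lines = newline count)."""
    return {"lines": body.count("\n"), "words": len(body.split()), "chars": len(body)}


def hide(results: list[tuple[str, str]], field: str, value: int) -> list[tuple[str, str]]:
    """Drop results whose count for `field` equals `value` (the --hl/--hw/--hh idea)."""
    return [r for r in results if response_stats(r[1])[field] != value]


# Constructed responses: every December 2020 date returns an empty body except
# one, which returns a single line with no trailing newline (placeholder flag,
# not the room's real value).
CONSTRUCTED: dict[str, str] = {
    d: "" for d in yyyymmdd_payloads(date(2020, 12, 1), date(2020, 12, 31))
}
CONSTRUCTED["20201225"] = "Flag: THM{placeholder_not_the_real_flag}"


def run_filter(field: str) -> list[str]:
    """Payloads that survive hiding responses whose `field` count is 0."""
    return [payload for payload, _ in hide(list(CONSTRUCTED.items()), field, 0)]


if __name__ == "__main__":
    # The hit has chars > 0 but 0 newlines, so --hl 0 discards it and --hh 0 keeps it.
    print("--hl 0 keeps:", run_filter("lines"))   # []
    print("--hh 0 keeps:", run_filter("chars"))   # ['20201225']
```

When the response you are after may be a single unterminated line, filter on characters (or words) rather than lines.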

Until next time,

-3lduderino