TryHackMe — Advent of Cyber 2 — Day 4

Good morning all,

We will be hitting the Day 4 box “Santa’s Watching”. From the intro it appears that this box will be focused on fuzzing web directories to try and find some ‘hidden’ ones. It mentions gobuster and wfuzz. I’m currently semi-used to gobuster; it’s kind of my go-to for directory enumeration, although I need more practice, so I will use that tool for this one as well.

Well, let’s get to it.

When we enter the site, we are greeted with this…

Anyway, let’s get to the gobuster part.

gobuster dir -e -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.164.114

-e, --expanded Expanded mode, print full URLs
-w, --wordlist string Path to the wordlist

Not too long into the scan, even with the crap internet, we get a hit we can check, which they also hint at in the intro and questions. Navigating to the site gets us this…

This answers question 2.

We will go back to question 1 — forcing my hand to use wfuzz.

root@kali:/mnt/hgfs/shared_folder/tryhackme# wfuzz -h
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
* *
* Version up to 1.4c coded by: *
* Christian Martorella (cmartorella@edge-security.com) *
* Carlos del ojo (deepbit@gmail.com) *
* *
* Version 1.4d to 2.4.5 coded by: *
* Xavier Mendez (xmendez@edge-security.com) *
********************************************************
Usage: wfuzz [options] -z payload,params <url>

FUZZ, ..., FUZnZ wherever you put these keywords wfuzz will replace them with the values of the specified payload.
FUZZ{baseline_value} FUZZ will be replaced by baseline_value. It will be the first request performed and could be used as a base for filtering.
Options:
-h : This help
--help : Advanced help
--version : Wfuzz version details
-e <type> : List of available encoders/payloads/iterators/printers/scripts

-c : Output with colors
-v : Verbose information.
--interact : (beta) If selected,all key presses are captured. This allows you to interact with the program.

-p addr : Use Proxy in format ip:port:type. Repeat option for using various proxies.
Where type could be SOCKS4,SOCKS5 or HTTP if omitted.

-t N : Specify the number of concurrent connections (10 default)
-s N : Specify time delay between requests (0 default)
-R depth : Recursive path discovery being depth the maximum recursion level.
-L, --follow : Follow HTTP redirections

-u url : Specify a URL for the request.
-z payload : Specify a payload for each FUZZ keyword used in the form of type,parameters,encoder.
A list of encoders can be used, ie. md5-sha1. Encoders can be chained, ie. md5@sha1.
Encoders category can be used. ie. url
Use help as a payload to show payload plugin's details (you can filter using --slice)
-w wordlist : Specify a wordlist file (alias for -z file,wordlist).
-V alltype : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.
-X method : Specify an HTTP method for the request, ie. HEAD or FUZZ

-b cookie : Specify a cookie for the requests
-d postdata : Use post data (ex: "id=FUZZ&catalogue=1")
-H header : Use header (ex:"Cookie:id=1312321&user=FUZZ")
--basic/ntlm/digest auth : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"

--hc/hl/hw/hh N[,N]+ : Hide responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--sc/sl/sw/sh N[,N]+ : Show responses with the specified code/lines/words/chars (Use BBB for taking values from baseline)
--ss/hs regex : Show/Hide responses with the specified regex within the content

Here is the question for the machine:

“Given the URL “http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)

Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!”

This is the site I used to learn a little on wfuzz — https://wfuzz.readthedocs.io/en/latest/user/basicusage.html

Alright, so let’s try and break down what we need. We need to use the ‘-z type,parameter’ flag, the URL and finally the breed parameter for the API. It took me a while to figure this one out as I’ve never played with it, but TryHackMe took my answer.

wfuzz -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ

Now we need to adapt this to answer question 3: Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

So we can start with this command:

wfuzz -z TYPE,PARAM http://10.10.164.114/api/site-log.php?date=FUZZ

Looking at the payloads…

root@kali:/mnt/hgfs/shared_folder/tryhackme# wfuzz -e payloads
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
Available payloads:

Name | Summary
------------------------------------------------------------------------------------------------------
burpitem | This payload loads request/response from items saved from Burpsuite.
burpstate | Returns fuzz results from a Burp state.
hexrange | Returns each hex number of the given hex range.
autorize | Returns fuzz results' from autorize.
stdin | Returns each item read from stdin.
wfuzzp | Returns fuzz results' URL from a previous stored wfuzz session.
burplog | Returns fuzz results from a Burp log.
file | Returns each word from a file.
guitab | This payload reads requests from a tab in the GUI
iprange | Returns list of IP addresses of a given IP range.
bing | Returns URL results of a given bing API search (needs api key).
list | Returns each element of the given word list separated by -.
ipnet | Returns list of IP addresses of a network.
dirwalk | Returns filename's recursively from a local directory.
hexrand | Returns random hex numbers from the given range.
buffer_overflow | Returns a string using the following pattern A * given number.
range | Returns each number of the given range.
names | Returns possible usernames by mixing the given words, separated by -, using known typical constructions.
shodanp | Returns URLs of a given Shodan API search (needs api key).
permutation | Returns permutations of the given charset and length.

This is given to us in the intro “We also know that the API takes a date in the form of YYYYMMDD.”

wfuzz -z range,1950-2050 -z range,01-12 -z range,01-31 http://10.10.164.114/api/site-log.php?date=FUZZFUZ2ZFUZ3Z

Welp, we tried this and it gave us way too much output. We now need to find a way to cut down on the output that doesn’t give us any results.

Added a ‘--hl 0’ to my command, which doesn’t show responses with 0 lines.

wfuzz -z range,1950-2050 -z range,01-12 -z range,01-31 --hl 0 http://10.10.164.114/api/site-log.php?date=FUZZFUZ2ZFUZ3Z

The output from the command looks like this —

I was worried about what was being sent over the net, so I got some pcaps just to verify everything was working right.

Anyhow, we got zero responses, so let’s take another look at what could be wrong.

Alrighty, we changed the zero-lines flag to zero-characters.

wfuzz -z range,1950-2050 -z range,01-12 -z range,01-31 --hh 0 http://10.10.164.114/api/site-log.php?date=FUZZFUZ2ZFUZ3Z
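To see why ‘--hl 0’ hid the hit while ‘--hh 0’ kept it, here is an added Python example (mine, not part of the original write-up and not wfuzz’s own code) that reproduces the FUZZ/FUZ2Z/FUZ3Z substitution, wfuzz’s zero-padded range payload and its lines/words/chars metrics against a constructed, offline response table. It assumes the one valid date’s body has no trailing newline, which wfuzz counts as 0 lines, and uses a placeholder date and flag.

```python
import itertools
import re

# Constructed stand-in for the site-log API (not the real box): only one date
# exists, and its body has no trailing newline, so wfuzz would count 0 lines.
# Every other date returns an empty body (0 lines, 0 words, 0 chars).
FAKE_RESPONSES = {"20201125": "THM{constructed_placeholder_flag}"}
URL = "http://10.10.164.114/api/site-log.php?date=FUZZFUZ2ZFUZ3Z"


def range_payload(spec):
    """Mimic wfuzz's range payload: 'lo-hi', zero-padded to the width of lo."""
    lo, hi = spec.split("-")
    return [str(n).zfill(len(lo)) for n in range(int(lo), int(hi) + 1)]


def metrics(body):
    """Lines/words/chars the way wfuzz reports them (lines = newline count)."""
    return {"lines": body.count("\n"),
            "words": len(re.findall(r"\S+", body)),
            "chars": len(body)}


def fuzz_dates(url_template, payloads, hide=None):
    """Substitute FUZZ, FUZ2Z, FUZ3Z for every payload combination, look up the
    constructed response, and drop results matching --hl/--hh style filters
    (hide={"lines": 0} behaves like --hl 0, hide={"chars": 0} like --hh 0)."""
    hide = hide or {}
    hits = []
    for combo in itertools.product(*payloads):
        url = url_template
        for i, value in enumerate(combo, start=1):
            url = url.replace("FUZZ" if i == 1 else f"FUZ{i}Z", value)
        date = url.rsplit("=", 1)[1]  # the assembled YYYYMMDD value
        m = metrics(FAKE_RESPONSES.get(date, ""))
        if any(m[k] == v for k, v in hide.items()):
            continue
        hits.append((date, m))
    return hits


PAYLOADS = [range_payload("1950-2050"), range_payload("01-12"), range_payload("01-31")]

if __name__ == "__main__":
    print("--hl 0 hits:", fuzz_dates(URL, PAYLOADS, hide={"lines": 0}))
    print("--hh 0 hits:", fuzz_dates(URL, PAYLOADS, hide={"chars": 0}))
```

The lines filter hides the single valid page too, because a one-line body with no newline counts as 0 lines; filtering on chars keeps it.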

We got a result! If you navigate to that page, you will get the final flag. As always, I’ll leave that part to you. Best of luck.

Until next time,

-3lduderino