Advent Of Cyber 2: [Day 4] Web Exploitation Santa's watching
TryHackMe: https://tryhackme.com/room/adventofcyber2
Task Overview
Introduction & Story:
We're going to be taking a look at some of the fundamental tools used in web application testing. You're going to learn how to use Gobuster to enumerate a web server for hidden files and folders to aid in the recovery of Elf's forums. Later on, you're going to be introduced to an important technique that is fuzzing, where you will have the opportunity to put theory into practice.
Our malicious, despicable, vile, cruel, contemptuous, evil hacker has defaced Elf's forums and completely removed the login page! However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of YYYYMMDD.
Useful Reasources
There are 2 rooms listed in the Task that are really good and wortha run through if ou havent already.
Webpage
Tasks
Deploy your AttackBox (the blue "Start AttackBox" button) and the tasks machine (green button on this task) if you haven't already. Once both have deployed, open FireFox on the AttackBox and copy/paste the machines IP (MACHINE_IP) into the browser search bar.
Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)
wfuzz -c -z file,big.txt -d "breed=FUZZ" -u http://shibes.xyz/api.php
Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!
Use GoBuster to find the API directory. What file is there?
Using gobuster
and the big.txt
wordlist from Sec Lists
we find [REDACTED]
that is a 301 redirect to [REDACTED]
$ gobuster dir -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u 10.10.178.203 -x php,api,txt,htm,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.178.203
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,api,txt,htm,html
[+] Timeout: 10s
===============================================================
2020/12/04 22:38:57 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.php (Status: 403)
/.htpasswd (Status: 403)
/.htaccess.api (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.api (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.htm (Status: 403)
/.htpasswd.html (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.htm (Status: 403)
/.htaccess.html (Status: 403)
/LICENSE (Status: 200)
/[REDACTED] (Status: 301)
Progress: 6690 / 20474 (32.68%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/12/04 22:41:57 Finished
===============================================================
Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?
Now we have the API
address we need to find a parameter to FUZZ
using the wordlist . From the below I make the assumption that the parameter is date
However, we may still have access to the API. The sysadmin also told us that the API creates logs using dates with a format of YYYYMMDD.
Using this information we can FUZZ
the API
using wfuzz
as per below.
wfuzz -c -z file,wordlist -d "date=FUZZ" -u http://{IPADDRESS}/[REDACTED]/[REDACTED]
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: [REDACTED]
Total requests: 63
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
00000000 200 0 L 0 W 0 Ch [REDACTED]
00000000 200 0 L 0 W 0 Ch [REDACTED]
00000000 200 0 L 0 W 0 Ch [REDACTED]
00000000 200 0 L 0 W 0 Ch [REDACTED]
00000000 200 0 L 0 W 0 Ch [REDACTED]
00000000 200 0 L 0 W 0 Ch [REDACTED]
00000000 200 0 L 0 W 0 Ch [REDACTED]
00000000 200 0 L 0 W 0 Ch [REDACTED]
00000001 200 0 L 0 W 0 Ch [REDACTED]
00000000 200 0 L 0 W 0 Ch [REDACTED]
00000001 200 0 L 0 W 0 Ch [REDACTED]
00000002 200 0 L 0 W 0 Ch [REDACTED]
00000002 200 0 L 0 W 0 Ch [REDACTED]
00000002 200 0 L 0 W 0 Ch [REDACTED]
00000001 200 0 L 0 W 0 Ch [REDACTED]
00000002 200 0 L 0 W 0 Ch [REDACTED]
00000002 200 0 L 0 W 0 Ch [REDACTED]
00000002 200 0 L 1 W 13 Ch [REDACTED]
00000002 200 0 L 0 W 0 Ch [REDACTED]
00000002 200 0 L 0 W 0 Ch [REDACTED]
00000001 200 0 L 0 W 0 Ch [REDACTED]
00000002 200 0 L 0 W 0 Ch [REDACTED]
00000002 200 0 L 0 W 0 Ch [REDACTED]
00000001 200 0 L 0 W 0 Ch [REDACTED]
00000001 200 0 L 0 W 0 Ch [REDACTED]
00000001 200 0 L 0 W 0 Ch [REDACTED]
00000003 200 0 L 0 W 0 Ch [REDACTED]
00000001 200 0 L 0 W 0 Ch [REDACTED]
00000001 200 0 L 0 W 0 Ch [REDACTED]
00000001 200 0 L 0 W 0 Ch [REDACTED]
00000003 200 0 L 0 W 0 Ch [REDACTED]
00000003 200 0 L 0 W 0 Ch [REDACTED]
00000004 200 0 L 0 W 0 Ch [REDACTED]
00000004 200 0 L 0 W 0 Ch [REDACTED]
00000004 200 0 L 0 W 0 Ch [REDACTED]
00000004 200 0 L 0 W 0 Ch [REDACTED]
00000004 200 0 L 0 W 0 Ch [REDACTED]
00000004 200 0 L 0 W 0 Ch [REDACTED]
00000004 200 0 L 0 W 0 Ch [REDACTED]
00000004 200 0 L 0 W 0 Ch [REDACTED]
00000004 200 0 L 0 W 0 Ch [REDACTED]
00000004 200 0 L 0 W 0 Ch [REDACTED]
00000005 200 0 L 0 W 0 Ch [REDACTED]
00000003 200 0 L 0 W 0 Ch [REDACTED]
00000003 200 0 L 0 W 0 Ch [REDACTED]
00000005 200 0 L 0 W 0 Ch [REDACTED]
00000005 200 0 L 0 W 0 Ch [REDACTED]
00000003 200 0 L 0 W 0 Ch [REDACTED]
00000003 200 0 L 0 W 0 Ch [REDACTED]
00000003 200 0 L 0 W 0 Ch [REDACTED]
00000003 200 0 L 0 W 0 Ch [REDACTED]
00000003 200 0 L 0 W 0 Ch [REDACTED]
00000005 200 0 L 0 W 0 Ch [REDACTED]
00000005 200 0 L 0 W 0 Ch [REDACTED]
00000006 200 0 L 0 W 0 Ch [REDACTED]
00000006 200 0 L 0 W 0 Ch "[REDACTED]"
00000005 200 0 L 0 W 0 Ch [REDACTED]
00000005 200 0 L 0 W 0 Ch [REDACTED]
00000005 200 0 L 0 W 0 Ch [REDACTED]
00000006 200 0 L 0 W 0 Ch [REDACTED]
00000005 200 0 L 0 W 0 Ch [REDACTED]
00000005 200 0 L 0 W 0 Ch [REDACTED]
00000006 200 0 L 0 W 0 Ch [REDACTED]
Total time: 0
Processed Requests: 63
Filtered Requests: 0
Requests/sec.: 0
As we can see from the above there is one results that has a different Chars
count than the others 13 Ch
, using this we can build out our URL
and visit the webpage to get the flag.