Fuzzy tests you on the basics of fuzzing. It taught me how to use wfuzz and other techniques to learn information about a target machine, and I suggest that anyone who would like to learn about fuzzing take on this challenge.
The first thing I am going to try is navigating to robots.txt, but it looks like it is not there. Next we are going to run gobuster to figure out whether there are any other server URLs that we can navigate to and exploit. Gobuster found a directory. Next we are going to do another scan in the api directory using the command gobuster dir -u http://docker.hackthebox.eu:31883/api -w /usr/share/wordlists/dirb/common.txt -x .php,.html,.htm,.js. I used the -x argument to specify the extensions I wanted to search for. You can see the results in dirb_file_out.txt. We found the file action.php, and when we try to visit it in the browser it says that a parameter is needed.
To find the hidden parameter we can use wfuzz to fuzz the parameter name and see what each request returns. Let’s run the command wfuzz -c -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:31883/api/action.php?FUZZ=test to start fuzzing the parameter names. Most of our responses return 4 words. If we use grep -v we can filter out all the responses that contain 4 words and maybe find the parameter name that returns something else. Run the command cat paramfinder_out.txt | grep -v "4 W" and we see that reset returns something with 5 words. Let’s open the web browser and see what is being returned. It seems that we are entering the wrong account ID. Well, that is something: it looks like we found the parameter for this action.php file. Now to find our user.
In order to find the user we are going to use another wfuzz scan. Who would have thought that a challenge named “fuzzy” would require this much fuzzing? We can fuzz the user ID by using the range payload (-z range) for wfuzz; you can read about it in the wfuzz documentation. Let’s use the command wfuzz -z range,0-100 http://docker.hackthebox.eu:31883/api/action.php?reset=FUZZ > digitfuzz.txt. These results can be found in digitfuzz.txt. Again we notice that most of the parameter values return 5 words, so let’s try grep -v again to filter out all the 5-word responses. Running cat digitfuzz.txt | grep -v "5 W" returns the ID of the user whose reset was successful. Now if we go to the web browser and navigate to the reset URL with the [ID] that was found by our wfuzz scan, you should be able to see the flag.
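Seen from the server side, the two wfuzz runs above leave a distinctive footprint in the web access log: one client sending many different parameter names to a single path, then many different values for a single parameter. The following is an added example, not code from the original write-up, that flags both patterns over constructed combined-format log lines; the log format, the User-Agent string and the alert thresholds are assumptions.

```python
# Added example for this write-up, not code from the original post: flag wfuzz-style
# parameter-name fuzzing and ID enumeration in web access logs. The log lines are
# constructed below; the log format and alert thresholds are assumptions.
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache/nginx combined format: ip ident user [time] "method url proto" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<url>\S+) [^"]*" \d{3} \S+ "[^"]*" "[^"]*"')

def parse_line(line):
    """Return (client_ip, path, [(param, value), ...]) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    return m.group("ip"), parts.path, parse_qsl(parts.query, keep_blank_values=True)

def detect_fuzzing(lines, name_threshold=15, value_threshold=15):
    """Two signals matching the post's two wfuzz runs: many distinct parameter NAMES on one
    path (?FUZZ=test) and many distinct VALUES for one parameter (?reset=FUZZ), per client."""
    names = defaultdict(set)   # (ip, path) -> parameter names seen
    values = defaultdict(set)  # (ip, path, name) -> values seen
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, params = rec
        for name, value in params:
            names[(ip, path)].add(name)
            values[(ip, path, name)].add(value)
    findings = []
    for (ip, path), seen in sorted(names.items()):
        if len(seen) >= name_threshold:
            findings.append(("param-name-fuzzing", ip, path, len(seen)))
    for (ip, path, name), seen in sorted(values.items()):
        if len(seen) >= value_threshold:
            findings.append(("param-value-enumeration", ip, f"{path}?{name}", len(seen)))
    return findings

def log_line(ip, url):  # build one constructed combined-format log line
    return f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET {url} HTTP/1.1" 200 123 "-" "Wfuzz/3.1.0"'

# Constructed sample: 203.0.113.10 fuzzes 20 parameter names, then walks reset=0..19;
# 198.51.100.5 makes two ordinary requests and must not be flagged.
WORDS = ["id", "user", "name", "page", "q", "key", "token", "action", "file", "path",
         "cmd", "debug", "lang", "view", "reset", "mode", "type", "sort", "order", "ref"]
SAMPLE_LOG = ([log_line("203.0.113.10", f"/api/action.php?{w}=test") for w in WORDS]
              + [log_line("203.0.113.10", f"/api/action.php?reset={n}") for n in range(20)]
              + [log_line("198.51.100.5", "/api/action.php?reset=42"), log_line("198.51.100.5", "/index.html")])
```

Calling detect_fuzzing(SAMPLE_LOG) yields two findings for 203.0.113.10 (20 distinct names on /api/action.php, 21 distinct values of reset) and nothing for the ordinary client; tune the thresholds to the application's real parameter count before deploying.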