Day 04 - Santa's Watching
Date: 04, December, 2020
Author: Dhilip Sanjay S
Learning Objectives
Fuzzing (fancy bruteforcing). Wordlists can be context sensitive.
Solutions
Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)?
Answer:
Use GoBuster to find the API directory. What file is there?
Answer: site-log.php
Steps to reproduce:
Run GoBuster and save the output to a file for later reference.
Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?
Answer: THM{D4t3_AP1}
Steps to reproduce:
The response for the correct date will differ in size (character/word count) from the responses for the other dates.
You can also use grep to filter it out.
One-liner:
P.S: Just learning how to craft one liners!
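The size comparison described in the steps above, as an added example (it is not the author's one-liner). It assumes the fuzzing results have been reduced to rows of "payload chars words"; that layout, the sample values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample results: one row per request, "payload chars words".
# These values are made up for illustration; they are not output from the room.
sample_results() {
cat <<'EOF'
payload chars words
payload-01 0 0
payload-02 0 0
payload-03 13 1
payload-04 0 0
payload-05 0 0
EOF
}

# Read "payload chars words" rows on stdin and print every row whose
# character count differs from the most common (baseline) count.
# Rows without a numeric second field, such as headers, are skipped.
find_outliers() {
    awk '
        NF >= 2 && $2 ~ /^[0-9]+$/ {
            rows[++n] = $0      # keep the row for the second pass
            size[n] = $2
            count[$2]++         # how many responses had this size
        }
        END {
            # Baseline = size seen most often; on a tie take the smaller size
            # so the result does not depend on awk array ordering.
            for (s in count)
                if (count[s] > best || (count[s] == best && s + 0 < baseline + 0)) {
                    best = count[s]
                    baseline = s
                }
            for (i = 1; i <= n; i++)
                if (size[i] != baseline) print rows[i]
        }
    '
}

sample_results | find_outliers
```

Comparing against the most common size, rather than grepping out one known size, still works when the baseline response is not empty.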