Fuzzy [Web]


Comments

  • wfuzz with a big wordlist.

    I have been trying the wordlists in SecLists but couldn't find anything! Point me to something..

    In my experiments I used the Kali built-in wordlist and everything fuzzed well.
    The point is to choose the correct place to fuzz.

    tabacci

  • Solvable only with wfuzz.
    Make sure to try different extensions, and know the standard way of passing a parameter and its value to a web application.
    :)

  • @TsukiCTF : I solved this challenge with Burp Pro :wink:

    Ozunu

  • Recalled bruteforcing; good challenge.

  • Flag captured! Learned a shit-ton from this challenge! Thanks, @tabacci @GibParadox for your kind assistance. Let's move on. #TRYHARDER

  • @deleite said:

    You can do the entire problem with wFuzz. You need to fuzz for a parameter and then for a value.

    Actually this is wrong. For sake of correctness, you will need to fuzz:
    1. A directory
    2. A filename
    3. A correct extension
    4. A parameter name
    5. A parameter value
    In the end, you will come up with an HTTP GET request, for which you will get the flag. However, given the low score you will get and the high difficulty of figuring out which of the different wordlists to select for correct fuzzing, I give this challenge a THUMBS DOWN. :neutral:

    Regards,
    qmi

  • @qmi said:

    @deleite said:

    You can do the entire problem with wFuzz. You need to fuzz for a parameter and then for a value.

    Actually this is wrong. For sake of correctness, you will need to fuzz:
    1. A directory
    2. A filename
    3. A correct extension
    4. A parameter name
    5. A parameter value
    In the end, you will come up with an HTTP GET request, for which you will get the flag. However, given the low score you will get and the high difficulty of figuring out which of the different wordlists to select for correct fuzzing, I give this challenge a THUMBS DOWN. :neutral:

    You should know the difference between wrong and/nor different/incomplete.

    The first 3 steps you point out are easy with any content discovery tool.

    Deleite

  • Spoiler Removed

  • edited August 2019

    Well, I did solve it using gobuster and wfuzz. Although this is a great way to learn these tools (especially to see that it can all be done by one tool), I didn't really like the guessing of which wordlist(s) to use.

    @Qftm please do not post writeups of these challenges....

  • Solved it with w***z. It can be tricky to get the final details, so do not hesitate to contact me for hints.

  • Hi guys, I do not know about you, but in my case the instance gets unresponsive after fuzzing it with dozens of values and 5 threads. I guess there may be some banning involved. Just curious.

    Sociaslkas

  • Burp Pro FTW xD

    Respect if I helped you ;)

  • So as a nooob. Everyone seems to point to fuzzing the elements to the end, however is the first part of this directory traversal? Trying to better comprehend terms.

  • Finding the endpoint is easy, but looking for the correct parameter and value is not easy.

    Not Really a Spoiler
    You can check my GitHub repository and observe the tool I used for finding the endpoint.

    Hack The Box

  • Lots of tools to do this; I simply used D*******r ... no issue with wordlist.

  • Pwned; the most difficult part is the instance stopping during enumeration.

  • A fun challenge. This was a good way to learn some different fuzzing tools, as well as their strengths and weaknesses!

  • wfuzz + common wordlist for 1000 words

  • edited November 2019

    Quick little challenge, but as people have mentioned, a good brush-up on wfuzz :)

    -All hail the Potato-

  • Would be interesting to see a challenge like this that incorporates a WAF element. Ideas ideas. Maybe I can come up with one to share sometime.

  • Any clue how to find parameters?? Kinda newbie here.

  • Like the name suggests, it's all about fuzzing.
    At one point I thought I was getting trolled because I didn't find anything and started enumerating... but luckily I checked the forums.

    If you are stuck, just try other wordlists. There are no rabbit holes.

    If you are looking for files then it is sometimes a good idea to hard-type the file extension. E.g. try all the common ones:
    wfuzz [...] -u [host]/directory/FUZZ.html
    wfuzz [...] -u [host]/directory/FUZZ.htm
    wfuzz [...] -u [host]/directory/FUZZ.php
    wfuzz [...] -u [host]/directory/FUZZ.asp
    ... etc.

    You don't need giant wordlists. All of the words are rather common.
    Like has been said before, you are looking for directories, files, params, param-values.
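
Seen from the server side, the stages named in this thread (directories, files, extensions, parameter names, parameter values) each leave a recognisable pattern in the access log. The following is an added example, not part of any forum post: a Python detector that flags those patterns per client. The log format, IP addresses, paths and the threshold of 4 are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" (\d{3}) \d+$')

def sample_log():
    """Constructed access-log lines: one fuzzing client, one ordinary client."""
    fmt = '{} - - [01/Jan/2020:10:00:00 +0000] "GET {} HTTP/1.1" {} 120'
    noisy = [("/" + w, 404) for w in ("admin", "backup", "test", "old", "dev")]
    noisy += [("/app/index." + e, 404) for e in ("html", "htm", "asp", "jsp")]
    noisy += [("/app/index.php?" + n + "=1", 200) for n in ("id", "user", "page", "file", "q")]
    noisy += [("/app/index.php?id=" + v, 200) for v in ("a", "b", "c", "d")]
    normal = [("/", 200), ("/app/index.php?page=2", 200), ("/favicon.ico", 404)]
    lines = [fmt.format("203.0.113.7", u, s) for u, s in noisy]
    lines += [fmt.format("198.51.100.20", u, s) for u, s in normal]
    return "\n".join(lines)

def detect_fuzzing(log, threshold=4):
    """Map client IP -> stages where one group holds >= threshold distinct items."""
    # (ip, stage) -> grouping key -> distinct items seen for that key
    buckets = defaultdict(lambda: defaultdict(set))
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a simple GET entry
        ip, target, status = m.group(1), m.group(2), int(m.group(3))
        url = urlsplit(target)
        if status == 404:  # many distinct missing paths: directory/file guessing
            buckets[ip, "path-discovery"]["*"].add(url.path)
        stem, dot, ext = url.path.rpartition(".")
        if dot and "/" not in ext:  # same file stem tried with many extensions
            buckets[ip, "extension-sweep"][stem].add(ext)
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            buckets[ip, "parameter-name-sweep"][url.path].add(name)
            buckets[ip, "parameter-value-sweep"][url.path, name].add(value)
    findings = defaultdict(set)
    for (ip, stage), groups in buckets.items():
        if any(len(items) >= threshold for items in groups.values()):
            findings[ip].add(stage)
    return dict(findings)

if __name__ == "__main__":
    for ip, stages in detect_fuzzing(sample_log()).items():
        print(ip, sorted(stages))
```

Parameter sweeps are counted regardless of status code, because requests with an unknown parameter name typically still return 200 and a 404-only rule would miss them.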

  • Wfuzz is your friend. Learned a lot about the tool with this challenge.

  • I enjoyed this one a lot and learned something new about wfuzz. When it comes to wordlists -> Just use the one you are always using, there is nothing exotic in this challenge. (I used one of the lists that ship with Kali) Feel free to PM me if you need a hint.

    Countably

    I am always happy to help, but please put some effort into your questions. I won't reply to "I am stuck on machine XXX" messages.

  • edited March 5

    I have a big issue with web challenges. Every time if I try to enumerate information about a service/node, the instance is crashing. For example with nmap, gobuster, nikto, ...

    Also only with 5 threads:

    gobuster dir -u http://docker.hackthebox.eu:32079/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 5 -x php,txt,html,htm
    

    Update:

    Sorry, it was my fault, the problem was on my side. My firewall was blocking the scan.

  • I could find the directory and file name, but when I bruteforce for the parameter name it gives me 200 OK for all responses. Any hints?

  • I found the folder and also the file, but I'm not able to find the correct parameters & value to pass...

  • Man, I love challenges like these, that end up basically serving as incredible hands-on tutorials. Really fun for weeknights.
    Make sure you have the right parameters and switches set in wfuzz.

  • Completed. Very good challenge. I suggest getting comfortable with either wfuzz or ffuf. Make sure you run large wordlists to fuzz the param; it took me a while.

    GotRoot
    If I helped you out at all, feel free to click my badge and give +1 respect!
