Fuzzy [Web]

@n3m0 said:

I just found the right parameter but is there more than one by any chance?

nv got the flag…guess its just that one parameter : )

Still stuck trying to fuzz the param, any tips?

@GibParadox saved me from myself

just completed, had a lot of funzz! thx for the challenge @Arrexel !
if anyone feel stuck and need a little nudge PM me

A good challenge, thanks to @prdcsm for hint and thnx to @Arrexel for making it.

Jeeze, def do not overthink the fuzz wordlist. Don’t be me with a 10 million line count wordlist. KISS

Challenge complete.
Simple challenge yet still taught me a thing or two. Thanks @Arrexel.

You can do the entire problem with wFuzz. You need to fuzz for a parameter and then for a value.

it is necessary in this challenge not to fuzz unnecessary

Type your comment> @will135 said:

wfuzz with a big wordlist. Remember to try different extensions too!

I have been trying the wordlists in SecLists couldn’t find anything! point me to something…
:confused:

wfuzz with a big wordlist.
I have been trying the wordlists in SecLists couldn’t find anything! point me to something…

In my experiments I used Kali built-in wordlist and all fuzzed well.
The sense is to choose correct point for Fuzzy.

Solvable only with wfuzz.
Make sure to try different extensions, and know the standard way of passing a parameter and its value to a web application.
:slight_smile:

@TsukiCTF : I solved this challenge with Burp Pro :wink:

recalled bruteforcing good challenge

Flag captured! Learned ■■■■-ton from this challenge! Thanks, @tabacci @GibParadox for your kind assistance. Let’s move on. #TRYHARDER

Type your comment> @deleite said:

You can do the entire problem with wFuzz. You need to fuzz for a parameter and then for a value.

Actually this is wrong. For sake of correctness, you will need to fuzz:

  1. A directory
  2. A filename
  3. A correct extension
  4. A parameter name
  5. A parameter value
    In the end, you will come up with an HTTP GET request , for which you will get the flag. However, given the low score you will get and the high difficulty of figuring out different wordlists which one to select for correct fuzzing, I give this challenge a THUMBS DOWN. :neutral:

Type your comment> @qmi said:

Type your comment> @deleite said:

You can do the entire problem with wFuzz. You need to fuzz for a parameter and then for a value.

Actually this is wrong. For sake of correctness, you will need to fuzz:

  1. A directory
  2. A filename
  3. A correct extension
  4. A parameter name
  5. A parameter value
    In the end, you will come up with an HTTP GET request , for which you will get the flag. However, given the low score you will get and the high difficulty of figuring out different wordlists which one to select for correct fuzzing, I give this challenge a THUMBS DOWN. :neutral:

You should know the difference between wrong and/nor different/incomplete.

First 3 steps you point, are easy with any content discovery tool.

Spoiler Removed

Spoiler Removed

Well, I did solve it using gobuster and wfuzz. Although this is a great way to learn these tools (especially to see that it can all be done by one tool), I didn’t really lie the guessing of which wordlist(s) to use.

@Qftm please do not post writeups of these challenges…