@n3m0 said:
I just found the right parameter but is there more than one by any chance?
nv got the flag…guess it's just that one parameter : )
Still stuck trying to fuzz the param, any tips?
just completed, had a lot of funzz! thx for the challenge @Arrexel !
If anyone feels stuck and needs a little nudge, PM me
Jeeze, def do not overthink the fuzz wordlist. Don’t be me with a 10 million line count wordlist. KISS
You can do the entire problem with wFuzz. You need to fuzz for a parameter and then for a value.
It is necessary in this challenge not to fuzz unnecessarily
@will135 said:
wfuzz with a big wordlist. Remember to try different extensions too!
I have been trying the wordlists in SecLists, couldn’t find anything! Point me to something…
In my experiments I used Kali built-in wordlist and all fuzzed well.
The sense is to choose correct point for Fuzzy.
Solvable only with wfuzz.
Make sure to try different extensions, and know the standard way of passing a parameter and its value to a web application.
recalled bruteforcing good challenge
Flag captured! Learned ■■■■-ton from this challenge! Thanks, @tabacci @GibParadox for your kind assistance. Let’s move on. #TRYHARDER
@qmi said:
@deleite said:
You can do the entire problem with wFuzz. You need to fuzz for a parameter and then for a value.
Actually this is wrong. For sake of correctness, you will need to fuzz:
- A directory
- A filename
- A correct extension
- A parameter name
- A parameter value
In the end, you will come up with an HTTP GET request, for which you will get the flag. However, given the low score you will get and the high difficulty of figuring out different wordlists which one to select for correct fuzzing, I give this challenge a THUMBS DOWN. :neutral:
You should know the difference between wrong and/nor different/incomplete.
First 3 steps you point, are easy with any content discovery tool.
Spoiler Removed
Spoiler Removed
Well, I did solve it using gobuster and wfuzz. Although this is a great way to learn these tools (especially to see that it can all be done by one tool), I didn’t really like the guessing of which wordlist(s) to use.
@Qftm please do not post writeups of these challenges…