Fuzzy [Web]

A good challenge, thanks to @prdcsm for hint and thnx to @Arrexel for making it.

Jeeze, def do not overthink the fuzz wordlist. Don’t be me with a 10 million line count wordlist. KISS

Challenge complete.
Simple challenge yet still taught me a thing or two. Thanks @Arrexel.

You can do the entire problem with wFuzz. You need to fuzz for a parameter and then for a value.

it is necessary in this challenge not to fuzz unnecessary

Type your comment> @will135 said:

wfuzz with a big wordlist. Remember to try different extensions too!

I have been trying the wordlists in SecLists couldn’t find anything! point me to something…
:confused:

wfuzz with a big wordlist.
I have been trying the wordlists in SecLists couldn’t find anything! point me to something…

In my experiments I used Kali built-in wordlist and all fuzzed well.
The sense is to choose correct point for Fuzzy.

Solvable only with wfuzz.
Make sure to try different extensions, and know the standard way of passing a parameter and its value to a web application.
:slight_smile:

@TsukiCTF : I solved this challenge with Burp Pro :wink:

recalled bruteforcing good challenge

Flag captured! Learned ■■■■-ton from this challenge! Thanks, @tabacci @GibParadox for your kind assistance. Let’s move on. #TRYHARDER

Type your comment> @deleite said:

You can do the entire problem with wFuzz. You need to fuzz for a parameter and then for a value.

Actually this is wrong. For sake of correctness, you will need to fuzz:

  1. A directory
  2. A filename
  3. A correct extension
  4. A parameter name
  5. A parameter value
    In the end, you will come up with an HTTP GET request , for which you will get the flag. However, given the low score you will get and the high difficulty of figuring out different wordlists which one to select for correct fuzzing, I give this challenge a THUMBS DOWN. :neutral:

Type your comment> @qmi said:

Type your comment> @deleite said:

You can do the entire problem with wFuzz. You need to fuzz for a parameter and then for a value.

Actually this is wrong. For sake of correctness, you will need to fuzz:

  1. A directory
  2. A filename
  3. A correct extension
  4. A parameter name
  5. A parameter value
    In the end, you will come up with an HTTP GET request , for which you will get the flag. However, given the low score you will get and the high difficulty of figuring out different wordlists which one to select for correct fuzzing, I give this challenge a THUMBS DOWN. :neutral:

You should know the difference between wrong and/nor different/incomplete.

First 3 steps you point, are easy with any content discovery tool.

Spoiler Removed

Spoiler Removed

Well, I did solve it using gobuster and wfuzz. Although this is a great way to learn these tools (especially to see that it can all be done by one tool), I didn’t really lie the guessing of which wordlist(s) to use.

@Qftm please do not post writeups of these challenges…

Solved it with w***z. It can be tricky to get the final details, so do not hesitate to contact me for hints.

Hi guys, I do not know about you, but in my case the instance gets unresponsive after fuzzing it with dozens of values and 5 threads. I guess there may be some banning involved. Just curious.

Burp Pro FTW xD

So as a nooob. Everyone seems to point to fuzzing the elements to the end, however is the first part of this directory traversal? trying to better comprehend terms.