Fuzzy [Web]

A fun challenge. This was a good way to learn some different fuzzing tools, as well as their strengths and weaknesses!

wfuzz + common wordlist for 1000 words

Quick little challenge, but as people have mentioned, a good brush-up on wfuzz :slight_smile:

Would be interesting to see a challenge like this that incorporates a WAF element. Ideas ideas. Maybe I can come up with one to share sometime.

Any clue how to find parameters? Kinda newbie here.

Like the name suggests, it’s all about fuzzing.
At one point I thought I was getting trolled because I didn’t find anything and started enumerating… but luckily I checked the forums.

If you are stuck, just try other wordlists. There are no rabbit holes.

If you are looking for files then it is sometimes a good idea to hard-type the file extension. E.g. try all the common ones:
wfuzz […] -u [host]/directory/FUZZ.html
wfuzz […] -u [host]/directory/FUZZ.htm
wfuzz […] -u [host]/directory/FUZZ.php
wfuzz […] -u [host]/directory/FUZZ.asp
… etc.

You don’t need giant wordlists. All of the words are rather common.
Like has been said before, you are looking for directories, files, params, param-values.

Wfuzz is your friend. Learned a lot about the tool with this challenge.

I enjoyed this one a lot and learned something new about wfuzz. When it comes to wordlists → Just use the one you are always using, there is nothing exotic in this challenge. (I used one of the lists that ship with Kali) Feel free to PM me if you need a hint.

I have a big issue with web challenges. Every time I try to enumerate information about a service/node, the instance crashes. For example with nmap, gobuster, nikto, …

Also only with 5 threads:

gobuster dir -u http://docker.hackthebox.eu:32079/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -t 5 -x php,txt,html,htm

Update:

Sorry, it was my fault, the problem was on my side. My firewall was blocking the scan.

I could find the directory and file name, but when I brute-force the parameter name it gives me 200 OK for all responses. Any hints?

I found the folder and also the file, but I’m not able to find the correct parameters & value to pass…

Man, I love challenges like these, that end up basically serving as incredible hands-on tutorials. Really fun for weeknights.
Make sure you have the right parameters and switches set in wfuzz.

Completed. Very good challenge. I suggest getting comfortable with either wfuzz or ffuf. Make sure you run large wordlists to fuzz the param; it took me a while.

@cfor hope it’s not too late. Anyway, there are other criteria to check the parameter with :wink:

Fun challenge, apart from the last step solved with wfuzz

Finally got the flag. It took me longer than expected and I had to try lots of versatile thinking. Want to say a huge thanks to samsepi0l, since it was his / her post that pointed me in the right direction to finish the challenge. Another “thank you” goes to all of you, because you made me try over and over, especially when I thought I was going the wrong way.
By the way, some of you mentioned that you solved it only using wfuzz. Could someone PM me and let me know how?

Nice… Going to the next challenge!

I would like to clarify for those who struggle with the first part of this challenge: the --hc 404 command allows you to display only the interesting part :wink:

Concerning the second part of this challenge, I can try to brute-force the parameter and value, but what is the result I’m waiting for? Every request ends up with a 200 answer…
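The "everything returns 200" situation above is exactly what wfuzz's hide filters other than --hc are for. The following is an added example, not code from any poster or from wfuzz itself: it models wfuzz's --hc/--hh/--hw filters over a constructed set of fuzzing results (the parameter names, sizes and the hypothetical "secret" parameter are all invented), and shows that hiding the most common (code, chars, words) signature leaves the one response that actually differs.

```python
"""Model of wfuzz's --hc/--hh/--hw filters over constructed fuzzing results.

Added example, not from the thread: shows why a 200-everywhere result is
still filterable.  The responses below are constructed; the payload names
and body sizes are invented for illustration.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    payload: str   # the word substituted for FUZZ
    code: int      # HTTP status code
    chars: int     # body length in bytes (wfuzz's "Chars" column)
    words: int     # whitespace-separated words in the body (the "Words" column)


def baseline(responses):
    """Most common (code, chars, words) triple: the 'nothing happened' page."""
    sig = Counter((r.code, r.chars, r.words) for r in responses)
    return sig.most_common(1)[0][0]


def interesting(responses, hide_codes=(404,), hide_chars=(), hide_words=()):
    """Keep responses that pass every hide filter, like wfuzz --hc/--hh/--hw."""
    return [r for r in responses
            if r.code not in hide_codes
            and r.chars not in hide_chars
            and r.words not in hide_words]


def find_outliers(responses):
    """Hide whatever the baseline looks like; what survives is worth a look."""
    code, chars, words = baseline(responses)
    return interesting(responses, hide_codes=(404,),
                       hide_chars=(chars,), hide_words=(words,))


# Constructed sample: every candidate returns 200, so --hc alone hides nothing.
SAMPLE = [
    Response("id", 200, 512, 80),
    Response("page", 200, 512, 80),
    Response("user", 200, 512, 80),
    Response("secret", 200, 640, 95),   # hypothetical: different body, real parameter
    Response("debug", 200, 512, 80),
    Response("old", 404, 150, 20),
]

if __name__ == "__main__":
    for r in find_outliers(SAMPLE):
        print(f"{r.payload:10} {r.code} chars={r.chars} words={r.words}")
```

In wfuzz terms, reading the baseline's Chars or Words value off the first few result lines and passing it as --hh or --hw is what makes the one different response stand out.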

Nice challenge to learn wfuzz. Thanks @Arrexel for noob-friendly challenge. Thanks @TsukiCTF, @deleite and @qmi for much needed hints!

Have had a hard time trying to find out how to make the parameter return a valid one, lol. Learned a new thing with it!
If anyone needs help, feel free to pm.

It is a nice challenge to get introduced to wfuzz (or any other fuzzing tool you prefer).
Using the right wordlist is of course required, but the first one I used was sufficient for the entire challenge (it came built-in with Kali).

If you’re stuck, feel free to reach out.