xXPyHack3dXx/htb-fuzzy

Fuzzy

Solution to Hack The Box Challenge - Fuzzy

Problem

The target is a website that exposes a login form; you must discover the username and password to gain access.

Solution

Brute-force attack using WFuzz and DirBuster.
DirBuster - automated file/folder discovery
WFuzz - automated web discovery

DirBuster was pointed at http://www.docker.hackthebox.eu:31887 to find valid paths (files/folders).

DirBuster caught the /api/ directory and the /api/action.php file, which returns "Error: Parameter not set". WFuzz was then used to search for valid parameters. The --hh option hides responses with the given number of characters in the page source; 24 is the length of that error message, so only responses that differ are shown.

wfuzz --hh=24 -c -w /usr/share/dirb/wordlists/big.txt "http://docker.hackthebox.eu:31887/api/action.php?FUZZ=test"

DirBuster detected that the parameter "reset" changes the length of the source code. The message returned was "Error: Account ID not found", so "reset" is the parameter. The next step is to search for its value, this time hiding the 27-character "Error: Account ID not found" response:

wfuzz --hh=27 -c -w /usr/share/dirb/wordlists/big.txt "http://docker.hackthebox.eu:31887/api/action.php?reset=FUZZ"
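
Seen from the server side, both WFuzz runs above leave a recognisable pattern in the access log: one client requesting /api/action.php with many different parameter names, then with many different values for "reset". The following is an added example, not part of the original write-up, that flags that pattern; the log lines, IP addresses and the threshold of 5 are constructed assumptions, and it counts over the whole log rather than a time window.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Client address and request target from a combined-format access-log line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def sample_log():
    """Constructed log lines (not from the challenge): one fuzzing client, one normal."""
    fmt = '{ip} - - [01/Jan/2024:10:00:{s:02d} +0000] "GET {url} HTTP/1.1" 200 -'
    words = ["admin", "id", "user", "debug", "token", "reset"]
    lines = [fmt.format(ip="203.0.113.9", s=i, url=f"/api/action.php?{w}=test")
             for i, w in enumerate(words)]
    lines += [fmt.format(ip="203.0.113.9", s=10 + i, url=f"/api/action.php?reset={v}")
              for i, v in enumerate(["1", "2", "3", "4", "5"])]
    lines.append(fmt.format(ip="198.51.100.7", s=30, url="/index.php?page=home"))
    return "\n".join(lines)

def detect_fuzzing(log_text, threshold=5):
    """Flag clients that try many parameter names, or many values of one name, on a path."""
    names = defaultdict(set)   # (client, path) -> distinct parameter names
    values = defaultdict(set)  # (client, path, name) -> distinct values
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, target = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            names[(client, parts.path)].add(name)
            values[(client, parts.path, name)].add(value)
    findings = [("param-name-enumeration", client, path, "*", len(seen))
                for (client, path), seen in names.items() if len(seen) >= threshold]
    findings += [("param-value-enumeration", client, path, name, len(seen))
                 for (client, path, name), seen in values.items() if len(seen) >= threshold]
    return sorted(findings)

if __name__ == "__main__":
    for finding in detect_fuzzing(sample_log()):
        print(finding)
```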
