Today I am going to do the day 4 and day 5 challenges together

Day 4

Given the URL “http://shibes.xyz/api.php", what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)

Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!

this is how you have to use wfuzz commands

Fuzz parameters

answer is wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ

Use GoBuster (against the target you deployed — not the shibes.xyz domain) to find the API directory. What file is there?

in the question they mentioned that we need to find an DIR call API so to find it in here I used a tool call Gobuster its used to find out in a web application by brute forcing the application

command for it is gobuster dir -u <URL> -w <wordlist_path> -x <file_type>

now you can see there is a php file in api DIR so answer is site-log.php

Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

now they are telling us to brute force the file to find out the post. in the hint they mention something about date variable so that's what we gonna brute force

this is the command for that wfuzz -c -z file, <wordlist_path> -u <URL>date=FUZZ this fuzz is the value of date variable at chars you can see 13 in 20201125 which mean 13characters are in that post

this is the flag.

Day 5

Without using directory brute forcing, what’s Santa’s secret login panel?

when you go to the hint you can see text like this /s**tap***l this challenge is about Santa so and in the question the talk about a panel so we get those to right
the answer in /Santapanel

so this is how dose it look like to get in we need to do a SQL injection to login page

so the SQL injection command is santa’ or 1=1- -
and press login you will be able to login to the santa panel

this is how does to look like now I am going to enumerate this data base using SQL map to find out all the other answers

now I am gonna switch on my burp proxy and try to capture the request and through that request I am going use SQL map

How many entries are there in the gift database?

you can see there are 22 gits in the database

What did Paul ask for?

GitHub Ownership

if you scroll further down you can see there are 2 table

What is the flag?

in the above database you can see a database call flag
flag is thmfox{All_I_Want_for_Christmas_Is_You}

What is admin’s password?

EhCNSWzzFP6sc7gB

see you in another blog….!!!

SLIIT cyber security undergraduate