Today I am going to do the day 4 and day 5 challenges together

Day 4

this challenges is all about a tool call WFUZZ
this tool is used to brute force attacks on web application. A payload in Wfuzz is a data source. This simple concept enables any input to be inserted into any HTTP request area, enabling complex network security attacks to be conducted on various components of the web application, such as: parameters, authentication, forms, directories/files, headers, etc.

Given the URL “", what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)

Note: For legal reasons, do not actually run this command as the site in question has not consented to being fuzzed!

this is how you have to use wfuzz commands

Fuzz parameters

answer is wfuzz -c -z file,big.txt

Use GoBuster (against the target you deployed — not the domain) to find the API directory. What file is there?

in the question they mentioned that we need to find an DIR call API so to find it in here I used a tool call Gobuster its used to find out in a web application by brute forcing the application

command for it is gobuster dir -u <URL> -w <wordlist_path> -x <file_type>

now you can see there is a php file in api DIR so answer is site-log.php

Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?

now they are telling us to brute force the file to find out the post. in the hint they mention something about date variable so that's what we gonna brute force

this is the command for that wfuzz -c -z file, <wordlist_path> -u <URL>date=FUZZ this fuzz is the value of date variable at chars you can see 13 in 20201125 which mean 13characters are in that post

this is the flag.

Day 5

This challenge is all about SQL injection in here we are going to learn about how to use SQL map it is a automated tool to do sql injection.

Without using directory brute forcing, what’s Santa’s secret login panel?

when you go to the hint you can see text like this /s**tap***l this challenge is about Santa so and in the question the talk about a panel so we get those to right
the answer in /Santapanel

so this is how dose it look like to get in we need to do a SQL injection to login page

so the SQL injection command is santa’ or 1=1- -
and press login you will be able to login to the santa panel

this is how does to look like now I am going to enumerate this data base using SQL map to find out all the other answers

now I am gonna switch on my burp proxy and try to capture the request and through that request I am going use SQL map

How many entries are there in the gift database?

you can see there are 22 gits in the database

What did Paul ask for?

GitHub Ownership

if you scroll further down you can see there are 2 table

What is the flag?

in the above database you can see a database call flag
flag is thmfox{All_I_Want_for_Christmas_Is_You}

What is admin’s password?


see you in another blog….!!!




Associate security Engineer At Hsenid mobile

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Be careful, M365 Changes

How to Send an SMS With Blazor

Are your employees Slack Messages leaking while their screen is locked?

Async Python : it’s easy to do it wrong

Intento Spotlight launch, connectors for Wordbee and Wordfast, new Chrome Extension release, and…

Deeper Look into CLI PROJECT

HITCON 2017 : Ghost in The Heap Writeup

Media Queries in Modern Web Development

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
mohomed arfath

mohomed arfath

Associate security Engineer At Hsenid mobile

More from Medium

My eCPPTv2 Experience

CEH-PRACTICAL Exam writeup

Intro to Cyber Security.

How to pass CEH Exam in the First Attempt / Exam Review