INTRO

Hello readers, I am back with a new HTB web challenge named Fuzzy. It was not as easy as the previous one, but we won't need to write any Python or Bash script for it: the tools that ship with our beloved Kali Linux are enough. We will mainly use Wfuzz and Dirb.

You can also use Dirbuster or Gobuster if you prefer; it is entirely your choice, but Dirb and Dirbuster are the ones I have described on our site. Before going further, I would suggest reading my earlier articles on the tools we are going to use for this challenge:

Find Hidden Dirs in a Webserver

Uses  Of Wfuzz

Both of these posts are worth reading. If you have no idea about Wfuzz, Dirb or Dirbuster, please visit those links once; they will make this article much easier to follow.


ATTACK

First, we will take a look at the webpage.

Screenshot:

There are some links and a search input field. We can use Inspect Element to see whether the disabled buttons can be enabled, but none of them has any action attached, so enabling them gets us nothing.

Screenshot:


That suggests there are hidden directories on the server. To find them we will use Dirb, which comes pre-installed in Kali Linux. Note that Ubuntu-based distributions do not ship Dirb or Dirbuster by default; you can install Dirb (or Gobuster) from the package repositories, or fall back to Python scripts from GitHub, which can be more complicated.

That is why I recommend a Debian-based distribution such as Kali for this kind of work.

To find hidden directories on the server, type this command:

syntax:
dirb http://<IP>:<PORT>
Example:
dirb http://docker.hackthebox.eu:32292

Output/Screenshot:

As you can see, there is an api directory on the server.

If you open it in the browser it comes up completely blank: directory listing is disabled, so the server shows nothing for a bare directory. You can visit /js to confirm the same behaviour.

So we need to find files inside the api directory. You can use Dirb for that too (the file also shows up in a normal recursive Dirb run), but here I am going to use Wfuzz.

Type this command, and don't forget to change the host and port to those of your own instance:

wfuzz -c -w /usr/share/dirb/wordlists/common.txt -u http://docker.hackthebox.eu:30365/api/FUZZ --sc 200

The output (only responses with status 200, because of --sc 200) will show /api/action.php. But if we visit that page it says:

Error: Parameter not set

So action.php needs a parameter in the URL. To find the right parameter name, we use Wfuzz again.

If you have plenty of bandwidth and time, you can fuzz the parameter name and its value at once (FUZZ is filled from the first wordlist and FUZ2Z from the second):

wfuzz -c -w /usr/share/dirb/wordlists/big.txt -w /usr/share/dirb/wordlists/cbig.txt -u http://docker.hackthebox.eu:30365/api/action.php?FUZZ=FUZ2Z --hh 24

I didn't use this, because it takes far too long and it isn't necessary: the error message only tells us that the parameter is missing, so the server is checking the parameter name, not its value. We can therefore put any placeholder value, say "item", in place of the second FUZZ and drop the second wordlist.

So the command would be:

wfuzz -c -w /usr/share/dirb/wordlists/big.txt -u http://docker.hackthebox.eu:30365/api/action.php?FUZZ=item --hh 24

--hh hides every response whose body has the given number of characters. "Error: Parameter not set" is exactly 24 characters long, so --hh 24 hides every request that produced that error and leaves only the parameter names the server treated differently. Without it, every request comes back with a 200 response code and the output is a useless wall of hits.

You will see that there is exactly one valid parameter: reset. If we now visit the page with ?reset=item, it asks for a valid account ID, because "item" was only our placeholder. So we replace "item" with FUZZ and fuzz the value instead, this time with numeric payloads (wfuzz's range payload rather than a directory wordlist), and give --hh the length of the new "invalid account ID" message instead of 24, so that only a different response stands out.

Screenshot:


And that's it: account ID 20 returns the flag. Obviously, I am not going to show you the flag.
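To make the two fuzzing stages concrete without hammering the HTB instance, here is an added offline model of the workflow. It is example code written for this article, not part of the original post or the challenge: fake_action_php is a constructed stand-in for action.php (the "Invalid account ID" wording, the placeholder flag and the tiny wordlist are all assumptions), and the fuzz loop reproduces what wfuzz's --hh filter does, hiding responses of a known "failure" length so that only the requests the server handled differently are reported.

```python
"""Offline model of the parameter-name and value fuzzing done with wfuzz above.

Added example for this walkthrough; not the original post's or HTB's code.
"""
from typing import Callable, Dict, Iterable, List, Tuple

Endpoint = Callable[[Dict[str, str]], str]

# Constructed responses. NOT_SET is the real message seen in the challenge
# (24 characters, hence --hh 24); BAD_ID and FLAG are assumed placeholders.
NOT_SET = "Error: Parameter not set"
BAD_ID = "Error: Invalid account ID"
FLAG = "HTB{placeholder_flag}"


def fake_action_php(params: Dict[str, str]) -> str:
    """Stand-in for /api/action.php: only the parameter *name* is checked first,
    so any value works for discovering it; the value matters only afterwards."""
    if "reset" not in params:
        return NOT_SET
    if params["reset"] == "20":
        return FLAG
    return BAD_ID


def hidden_length(endpoint: Endpoint, baseline_params: Dict[str, str]) -> int:
    """Measure the body length of a request known to fail; this is the number
    you pass to wfuzz --hh so those responses are hidden."""
    return len(endpoint(baseline_params))


def fuzz(
    endpoint: Endpoint,
    name_payloads: Iterable[str],
    value_payloads: Iterable[str],
    hide_len: int,
) -> List[Tuple[str, str, str]]:
    """Send one request per (name, value) pair and keep only responses whose
    body length differs from hide_len, exactly like wfuzz's --hh filter."""
    values = list(value_payloads)  # materialise so it can be reused per name
    hits = []
    for name in name_payloads:
        for value in values:
            body = endpoint({name: value})
            if len(body) == hide_len:
                continue  # same as the "Parameter not set" baseline: hidden
            hits.append((name, value, body))
    return hits


def find_parameter(endpoint: Endpoint, wordlist: Iterable[str], probe: str = "item") -> List[str]:
    """Stage 1: fuzz the parameter name with a fixed placeholder value."""
    hide = hidden_length(endpoint, {})  # no parameter at all -> 24 chars
    return [name for name, _, _ in fuzz(endpoint, wordlist, [probe], hide)]


def find_value(endpoint: Endpoint, name: str, values: Iterable[str]) -> List[Tuple[str, str]]:
    """Stage 2: fuzz the value of the discovered parameter, hiding the length
    of the 'invalid account ID' style response instead of the 24-char one."""
    hide = hidden_length(endpoint, {name: "item"})  # a value known to be wrong
    return [(value, body) for _, value, body in fuzz(endpoint, [name], values, hide)]


if __name__ == "__main__":
    # Constructed stand-in for /usr/share/dirb/wordlists/big.txt.
    wordlist = ["id", "user", "item", "reset", "action"]
    names = find_parameter(fake_action_php, wordlist)
    print("valid parameters:", names)  # ['reset']
    # Equivalent of feeding wfuzz a numeric range payload for the value.
    ids = [str(i) for i in range(0, 1000)]
    print("hits:", find_value(fake_action_php, names[0], ids))  # [('20', 'HTB{placeholder_flag}')]
```

The point the model makes explicit is the choice of baseline: in stage 1 the baseline is a request with no parameter at all, in stage 2 it is the discovered parameter with a wrong value, and in each stage you hide that baseline's length rather than a hard-coded 24.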


Stay home, stay safe and keep reading our articles.

Thanks For Visiting
