TryHackMe Advent of Cyber 2, day 4, Write up.
Another challenge in TryHackMe’s Advent of Cyber 2!
Today was another fun day, and I learned quite a bit.
Today started out with the continuing story driving the challenges, then jumped into the required knowledge for the actual CTF portion.
First, they taught us about Fuzzing. What it is, why its used, and how to use it to our advantage.
They then jumped right into a short introduction on how to use a tool called: Gobuster.
I am still pretty new to this, so I knew nothing about this tool to begin with. They did a good job in explaining how to use it, the proper syntax, and some of the more common options available to make it do what you want it to.
Next, they taught us about our next tool: Wfuzz.
Wfuzz was yet another tool I knew nothing about, but it seemed pretty straightforward. Thankfully they broke down the common usage, proper syntax, and what each section of the command did.
Overall, the instructions for using these tools were clear, concise, and to the point. They provided just enough information to get started but did not overwhelm “newbies” like me with too many details.
So today we had to use these tools they just taught us about on the elves website, which had just been defaced, and interact with the API and somehow get the sites logs to return the website to a usable form.
The first question was just a click here after I read the instructions. Done.
The second question was a bit more difficult. It asked us to create a wfuzz command which would query the “breed” parameter in the example site the provided. After some trial and error, I was able to come up with: wfuzz -c -z file,big.txt -d “breed=FUZZ” -u http://shibes.xyz/api.php
This turned out to be the correct answer!
The next question asked us to use the Gobuster tool on the target box provided by TryHackMe, to find the api directory. After some trial and error, I was able to get my syntax correct for the tool, and found the API directory. There was a file located in that directory named: site-log.php
I typed this into the submission field, and it was correct.
The last question asked me to fuzz the “date” parameter on the file, and then submit the correct flag. I wont lie, this part was tough for me. I was able to get the wfuzz tool to fuzz the file after A LOT of trial and error with the syntax. I saw the results in my terminal, staring back at me, and I again had no idea what to do next.
Unfortunately, this has been an ongoing theme for me. I follow the instructions, get the correct output, then don’t have a clue what to do with it next…
I had a list of output in front of me, but I wasn’t sure what I was looking at. I took my lesson from the last challenge and found the one that looked different than the rest. This one had the “20201125” date, and the file size was bigger than the rest. I figured that this had to be the correct date, but I did not know how to somehow take that information and do something with the site-log.php file…
I messed around with it for a good 30 minutes or so, without any luck. I broke down and clicked on the “hint” button by the submit button. It said “use wfuzz, the advent of cyber wordlist given in this task and website with the file you found: http://<ip>/api/<file>?date=FUZZ”.
There were no bells or whistles, I still didn’t understand what they meant. I was getting frustrated with myself, I was like “Seriously, you can’t get past day 4?!?”…
I took a break for a few minutes, got up and did some laundry, then came back. I figured with some time away from the computer screen, maybe having fresh eyes would help.
I kept looking at the hint provided, wondering what I was missing. After a moment, it dawned on me!
If I typed in the url for the API directory, put the file name at the end, put the “?”, and then date=20201125, it just might work!
http://10.10.2.93/api/site-log.php?date=20201125
Success!
Flag found: THM{D4t3_AP1}
Not going to lie TryHackMe, you almost stumped me tonight. I enjoyed the challenge, I learned a few more things, and I look forward to the next one!
