A photograph of the author, Alex Kharouk

Alex Kharouk

Advent of Cyber's Prequel: Day 4.

## A Hacker's Defacement is Day 4's Treatment!

Some nasty people have decided to hack the elves' forums and remove the login page! How will the elves complain and share rude remarks about their bosses now? Luckily, we're on the job, and we still have access to the forum's API (Application Programming Interface).

The way we're going to handle this challenge is via fuzzing, a technique that is similar to brute-force, but it goes a bit beyond, allowing us to fuzz what we can't brute-force. Fuzzing allows us to use the right tools to, "automate the input of data we provide into things like websites or software applications."

When we're too lazy to search for all possible endpoints, for different usernames and passwords (like we've done with BurpSuite in yesterday's challenge), we can fuzz our way to a flag! On top of using an automated system to break in, some applications are so poorly built that they are unable to handle the intense load. Therefore, fuzzing can also be used in a way that forces, or triggers, error conditions that could cause the target to slow down, or even shut down.

### Discovering secrets

Like in the previous challenge, we can use gobuster as a tool that could help us discover secretive gold. The tool automates and searches for common paths and checks if it's valid. Gobuster has three popular tools: dir, vhost, and dns.1 We will use dir, as it checks the potential directories of a website. We combine gobuster with a wordlist, and if you're on Kali, you're in luck. We have tons of wordlists already that we can point to. From common lists to vendor-specific lists (if we know the vendor). You can find the wordlists in /usr/share/wordlists, and we can use flags like -u for the URL, -w for the word or wordlist we want to use, and -x to specify filetypes like .php, .html.

We can also use the wfuzz tool, which can help get a bit more information about the data a web application could return. Whether that's a file (or within a file), a response code, or parameters in a form (like with BurpSuite).

If we wanted to see pen-test a note-taking application, maybe we'd check to see if we can see other user's notes. With wfuzz, we can run wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt localhost:3000/FUZZ/note.txt. We could then see what responses we get at http://localhost:3000/admin/note.txt or http://localhost:3000/system/note.txt. This is quite powerful as we can test any parameter in the URL.

With wfuzz, we have a few options we can toggle when fuzzing. -c is to show output in color. -d is the specify the parametes you want to fuzz, like the form inputs on an HTML document. -z is to specify the wordlist or word that will replace the FUZZ placeholder. An example is -z file,common.txt, which will replace the FUZZ with a word from a file, in this case a common.txt wordlist. --hc filters HTTP Resposne codes, like don't show 404.--hl filters certain amount of lines. --hh filters out by character length.

Now, the challenge. We know we need to search for an API endoint, where we can hopefully find some interesting files or posts on the forum. We also know there's some interest in some logs, where we can use a timestamp in the form of YYYYMMDD.

## Initiate hack

Visiting the challenge's url, we are greeted with this horrid page.

adventCyber/hohoHacked.png

Now we can scan the directories for anthing API related. Running gobuster dir -u <website> -w dirb/big.txt reveals the quite obvious endpoint of /api. Within the directory, I see a site-log.php file2. So now I can use wfuzz to fuzz the site-log.php file and see if there's anything interesting on a particular day.

wfuzz -c -z file,wordlist -u 10.10.78.101/api/site-log.php?date=FUZZ --hh 0. Now whatever is in the wordlist will replace FUZZ in ?date=FUZZ. --hh 0 filters out anything that returns 0 characters. Running the command, I notice that the only parameter that returned something with a length is 20201125, which is one month before Christmas! I check out the page, and boom. Another key!

### Recap

That was an exciting way to demonstrate fuzzing, something we can easily set up in our console so that we don't need to use BurpSuite to check for things like query parameters. It goes to show that the reason this is important is because its the fundamentals. Quick wins if anything pops up on the radar, and usually it probably won't. Modern websites usually help prevent things like exposing sensitive data somewhere on the site. But the majority of the web is not modern, and sometimes, we may forget what secrets we've accidentally published... Until tomorrow!


  1. vhost is for brute-forcing virtual hosts; Virtual hosting is a method that allows us to host multiple domain names on a single server. dns is for brute-forcing DNS subdomains. More here
  2. site-log.php is the file that contains the logs on a given day.