Hack The Box / Challenges / Web / Fuzzy

From the looks of the page, it seems that there is some unfinished code running on the backend of the site. Since there are no forms or other visible entry points, I decided to use some directory discovery tools.

After some gobuster and meg runs, I was able to find the following interesting endpoint:

/api/action.php

Now, this gives simply:

Error: Parameter not set!

So it seems it is expecting some parameters to be passed. This looks like a black-box discovery type of challenge, with lots of brute-forcing. A first for me.

Well, this is a bit new to me: parameter name fuzzing. So I need to find a dictionary that contains more or less that, a list of parameter names. To find one, the method employed in a previous challenge seems good: I search SecLists for known possible parameter names (the ones that came to my mind first).

So I searched for "action" and found that it was present in the raft-small-words.txt file, so I decided to use it as the Intruder dictionary. Doing that, we get another interesting finding:

/api/action.php?reset=xxx

This gives:

Error: Account ID not found

Now we can think that it might be doing some backend DB queries. Why not throw this at sqlmap just for a quick test?

...
[16:55:15] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[16:55:16] [WARNING] GET parameter 'reset' does not seem to be injectable
[16:55:16] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

Unfortunately, that doesn't seem to be the right way. I switched to Burp and thought about iterating over an id sequence to try to find something.

For the first trial I was using:

/api/action.php?reset=x&id=x&account=x

With x ranging from 1 to 10, nothing was found. Then I decided to increase ... to 5000.

At x = 20 I got a different response length (273 bytes), with:

You successfully reset your password! Please use HTB{h0t_fuzz3r} to login.

Great :)
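The two signals that solved this challenge, a parameter-name sweep followed by a walk through sequential ids where exactly one response had a different length, are also what a defender can look for in the web server's access log. The script below is an added example, not part of the original write-up or of the challenge, that runs those three checks over constructed Apache-style log lines; the IPs, timestamps, response sizes and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit
# Constructed Apache combined-format lines (not from the original page); only id=20 answers differently.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Nov/2019:16:50:00 +0000] "GET /api/action.php?action=x HTTP/1.1" 200 24 "-" "curl/7.64"
10.0.0.5 - - [30/Nov/2019:16:50:00 +0000] "GET /api/action.php?debug=x HTTP/1.1" 200 24 "-" "curl/7.64"
10.0.0.5 - - [30/Nov/2019:16:50:01 +0000] "GET /api/action.php?reset=x HTTP/1.1" 200 27 "-" "curl/7.64"
10.0.0.5 - - [30/Nov/2019:16:55:01 +0000] "GET /api/action.php?reset=x&id=18 HTTP/1.1" 200 27 "-" "curl/7.64"
10.0.0.5 - - [30/Nov/2019:16:55:01 +0000] "GET /api/action.php?reset=x&id=19 HTTP/1.1" 200 27 "-" "curl/7.64"
10.0.0.5 - - [30/Nov/2019:16:55:02 +0000] "GET /api/action.php?reset=x&id=20 HTTP/1.1" 200 273 "-" "curl/7.64"
10.0.0.9 - - [30/Nov/2019:16:55:03 +0000] "GET /index.html HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} (\d+|-)')

def parse_log(text):
    # Yield (client_ip, path, [(param, value), ...], response_bytes) for each well-formed line.
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ip, target, size = m.groups()
        url = urlsplit(target)
        yield ip, url.path, parse_qsl(url.query, keep_blank_values=True), int(size) if size.isdigit() else 0

def longest_run(values):
    # Length of the longest run of consecutive integers in values (0 for an empty input).
    vals, best, run = sorted(set(values)), 1, 1
    for a, b in zip(vals, vals[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best if vals else 0

def analyse(text, max_names=2, min_run=3):
    # Per (client, path): flag a parameter-name sweep, a consecutive-id walk, and the uniquely sized response (the usual 'hit').
    names, ids, reqs = defaultdict(set), defaultdict(lambda: defaultdict(set)), defaultdict(list)
    for ip, path, params, size in parse_log(text):
        reqs[ip, path].append((size, dict(params)))
        for name, value in params:
            names[ip, path].add(name)
            if value.isdigit():
                ids[ip, path][name].add(int(value))
    alerts = {}
    for key, rs in reqs.items():
        counts = Counter(s for s, _ in rs)
        findings = {
            "param_sweep": sorted(names[key]) if len(names[key]) > max_names else None,
            "id_walk": {n: longest_run(v) for n, v in ids[key].items() if longest_run(v) >= min_run},
            "size_outliers": [p for s, p in rs if counts[s] == 1] if len(rs) >= min_run else None,
        }
        if any(findings.values()):
            alerts[key] = {k: v for k, v in findings.items() if v}
    return alerts
```

On the sample log the benign client gets no alert, while the fuzzing client is flagged for all three signals, with the single 273-byte reset response singled out as the outlier.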

jemos / Nov, 30 2019