API Fuzzing — Web Fuzzing Module — HTB Walkthrough

TIER 0 MODULE: WEB FUZZING

SECTION: API Fuzzing

Please open your pwnbox or connect to the vpn in order to complete the tasks.

If you are not registered in HTB Academy, then use this link to register now: https://referral.hackthebox.com/mzxKOJt

1. What is the value returned by the endpoint that the api fuzzer has identified?

The solution is super simple, all you need to do is to follow the instruction on the HTB academy page. Here I’ll guide you.

First, open your terminal and clone this directory from GitHub.

git clone https://github.com/PandaSt0rm/webfuzz_api.git

Navigate to that directory:

cd webfuzz_api

Install the requirements from the .txt file.

pip3 install -r requirements.txt

You may see an error after running this command, get rid of it using apt.

If any error occurs, use this commmand:

sudo apt install python3-requests python3-colorama

The setup of the tool is complete, now start running it:

python3 api_fuzzer.py <target-ip>:<port> | grep -v 404

We used the grep -v, because the result would display a lot of 404 errors, so we filtered them out.

After some time, the directory found by the fuzzer is, “http://<target-ip>:<port>/czcmdcvt” and if we visit that address, we will find the flag.

Answer: h1dd3n_r357

Still stuck? watch video!

☣️ HAPPY ETHICAL HACKING ☣️

DISCLAIMER: THIS CONTENT DOES NOT BELONG TO ME, I AM JUST WRITING A WALK-THROUGH OF A FREE MODULE OF HACK THE BOX ACADEMY. (WRITING WALKTHROUGHS OF FREE MODULES IS PERMITTED BY HTB ACADEMY)

The Malware Mender Walkthroughs