DAY 4

/api: found via gobuster
site-log.php: found under /api

wfuzz -c -z file, -u http:///api/site-log.php?date=FUZZ
got 20201125

flag in http:///api/site-log.php?date=FUZZ

Task

  • No answer

  • Given the URL “http://shibes.xyz/api.php”, what would the entire wfuzz command look like to query the “breed” parameter using the wordlist “big.txt” (assume that “big.txt” is in your current directory)?
    wfuzz -c -z file,big.txt http://shibes.xyz/api.php?breed=FUZZ
    
  • Use GoBuster (against the target you deployed – not the shibes.xyz domain) to find the API directory. What file is there?
    site-log.php (gobuster found /api)
    
  • Fuzz the date parameter on the file you found in the API directory. What is the flag displayed in the correct post?
    [redacted challenge flag]