
AoC3 Day 4: Web App Fuzzing

    If you are new to TryHackMe, I recommend checking out their Tutorial room to see how the platform works and how you can access the target machine(s). I also highly recommend using your own “attack box”, be it a Kali, Parrot, or some other pentesting oriented Linux distro (in the form of a VM), as opposed to the browser based solution TryHackMe provides. I’ve found that the browser based VM is a lot slower, though others seem to have no issues with it. The only thing using your own attack VM entails is connecting it to THM’s network through VPN, but this is incredibly easy as TryHackMe will supply you with your own OpenVPN configuration file and is outlined below.

    Types of Challenges

    The TryHackMe platform has multiple types of challenges, each potentially having its own requirements for accessing and completing it. You can identify the type of challenge by looking at the icon on the right-hand side of the collapsible bar for that particular challenge:

    Challenges using the “server rack” icon include the use of a deployable machine, and are the most common. Pressing the “Start Machine” button will launch a virtual machine that you have two ways of accessing: using THM’s “attack box”, found at the top of your browser window:

    Or, you can instead opt to use your own virtual machine connected to the THM network, which is done (on Linux) by clicking your user icon, “Access”, and then “Download My Configuration File”.

    Click “Save File”.

    And by running the following command in a terminal (I might suggest you move the download to another folder, such as “Documents”):

    Once you see “Initialization Sequence Completed”, you’ll know you’ve successfully connected to THM’s network. Keep this terminal window open (you can minimize it, however). Return to it and press “Ctrl” + “C” twice once you are ready to disconnect.

    After you’ve chosen between THM’s attack box or your own virtual machine, you’ll need the IP address of the target machine, which is what was deployed earlier with the green “Start Machine” button. That information can be seen in a banner at the top of your browser window, or in more detail at the top of the page:

    In many cases you’ll be copying that IP address into your attack box/VM’s browser’s address bar, but in other cases you might be accessing it through SSH, RDP, etc. You’ll notice that you can add time to it if needed, or terminate it if you finish early – opening up more resources for other THM users.

    Challenges using the “browser” icon will require interaction with a simulated website that can be accessed by pressing the “View Site” seen after expanding the challenge. These challenges will need to be completed from within your browser, and cannot be accessed through a VPN on your own machine due to the fact that they are not true websites.

    Challenges with the “download” icon include files – in many cases packet captures (pcaps) or log files to be parsed through using a specific type of software. Where you would like to do this examining is up to you, but you will not be able to use one of TryHackMe’s machines. For examining something like a .pcap file, you will want to install Wireshark on one of your own computers or VMs.

    Challenges without an icon focus on either reading material and answering questions, or will include a link to a publicly accessible website that doesn’t require connection to THM’s network, and therefore can be completed from any computer you choose.

    TryHackMe; Advent of Cyber 3; Day 4 Walkthrough

    Day 4’s focus is on the fuzzing of web apps, particularly as it is used in an attempt to brute force a login.

    We’ll get started by launching Burp Suite. It is included on the VM they provide and in most standard pentesting-focused Linux distros. It’s also available for download for Windows or macOS here.

    Upon launch, we’ll choose “Temporary project”, as this won’t be an ongoing project that we need to keep tabs on.

    We’ll launch Burp Suite using the Burp defaults.

    Go to the “Proxy” tab, and make sure the intercept is disabled for now.

    We could use Burp’s embedded browser for this challenge, but I’ll be setting up Firefox to use “FoxyProxy” and forward requests to Burp Suite, so that I can use the browser I’m familiar with and that has all of my bookmarks. If you would rather use BurpSuite’s embedded browser, skip on ahead to “The Challenge”.

    We first need to install FoxyProxy. For Firefox, you can find the install page here. Click “Add to Firefox”.

    Accept the permissions by clicking “Add”. You will then be asked whether or not you would like FoxyProxy to be run in Private Windows. That’s up to you, but I chose to allow that as well. It can always be changed in the future.

    Next, we’ll open the FoxyProxy “Options” menu by clicking the icon in your browser’s toolbar. You’ll see my Burp configuration is already listed under “Turn Off”, but you won’t see that if this is your first time configuring FoxyProxy. Once on the options page, click “Add”.

    Fill out the highlighted fields, but feel free to change the “Title or Description” to whatever you would like.

    We’ll now want to install Burp Suite’s certificate in our browser so as to avoid constant certificate warnings. Visit “” through our browser’s address bar, click “CA Certificate”, “Save File”, and “OK”.

    In Firefox, we can add the certificate by typing “about:preferences#privacy” in our address bar and pressing “Enter”. Scroll to the very bottom and click “View Certificates”, and then “Import”.

    Highlight the certificate we downloaded from Burp Suite (it should be a .der file), and click “Open”.

    Check “Trust this CA to identify websites.” and click “OK”.

    The Challenge

    We’ll want to start out by visiting our target machine’s IP in the web browser, type in some dummy credentials (but don’t submit them), re-enable the “Intercept” option in Burp Suite, and then submit the credentials we had typed in. You will see your browser stuck on loading, because Burp Suite has intercepted the HTTP request and is waiting for us to “Forward” or “Drop” the request manually.

    Right-click in the blank space on the HTTP request, and choose “Send to Intruder”.

    Click on the “Intruder” tab to the right of “Proxy”. Click “Clear §” on the right-hand side, then double-click the value in “password” (in my case, “test”) and click “Add §”. Change the attack type to “Sniper” using the dropdown selection. Finally, change the “username” attribute to “santa”.

    Since I’m using my own VM, I don’t have the wordlist that is included on THM’s attack box. They have provided a download in the challenge description in anticipation of that problem – so go ahead and download it, either through your VM’s browser, or on your host machine and then drag it to your VM. Here is the link if you don’t want to go searching for theirs.

    Now switch back over to Burp Suite, click the “Payloads” tab under “Intruder”. Click “Load…” and then open your downloaded wordlist.

    Finally, click “Start attack”.

    We’ll know we’ve found the correct password for the account when one response’s status and/or length differs from the rest. In this case, the matching response has a status of 302 (redirect) and a length of 2548, whereas every incorrect password returns a length of 2573.
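    The same signal that reveals the hit in Intruder (a burst of POSTs to the login form, all answered with the same 200/2573 page until one 302) is visible on the server side too. As an added example that is not part of the original walkthrough, the script below parses constructed combined-format access log lines (the IPs, timestamps and log format are assumptions, the 2573/2548 sizes are the ones seen above) and flags clients that hammer the login path within a sliding window, which is how a defender would spot this kind of password fuzzing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format prefix; the rest of the line (referrer, UA) is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def detect_login_bruteforce(lines, path="/login", threshold=20, window=timedelta(minutes=1)):
    """Flag clients that POST to `path` at least `threshold` times inside any sliding
    `window`, and count their 302s (a redirect after a burst is the 'correct password'
    signal the walkthrough looks for in Intruder)."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["method"] == "POST" and rec["path"] == path:
            posts[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in posts.items():
        recs.sort(key=lambda r: r["ts"])
        start, peak = 0, 0
        for end in range(len(recs)):           # two-pointer sliding window
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"attempts": len(recs), "peak_in_window": peak,
                           "redirects": sum(r["status"] == "302" for r in recs)}
    return flagged

def build_sample():
    """Constructed log lines (not from the challenge machine): one client fuzzes the
    password field, failures re-render the form (200/2573), the hit redirects
    (302/2548); a second client logs in normally with a single POST."""
    fmt = "%d/%b/%Y:%H:%M:%S +0000"
    base = datetime(2021, 12, 4, 10, 0, 0)
    lines = []
    for i in range(25):
        status, size = ("302", "2548") if i == 24 else ("200", "2573")
        ts = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'10.10.1.5 - - [{ts}] "POST /login HTTP/1.1" {status} {size} "-" "-"')
    ts2 = (base + timedelta(seconds=30)).strftime(fmt)
    lines.append(f'10.10.1.9 - - [{base.strftime(fmt)}] "GET /login HTTP/1.1" 200 2573 "-" "-"')
    lines.append(f'10.10.1.9 - - [{ts2}] "POST /login HTTP/1.1" 302 2548 "-" "-"')
    return lines
```

    Running `detect_login_bruteforce(build_sample())` flags only 10.10.1.5 with 25 attempts and one redirect; the normal user at 10.10.1.9 is not reported.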

    Once the attack has run its course, we’ll deactivate the intercept on the “Proxy” tab of Burp Suite, return to the browser, and log in using the correct password.

    And there’s our flag!