[Day 4] Santa's Running Behind
{Web Exploitation = Fuzzing}
Challenge
Accessing the site reveals a login form as shown below.
The following was the password list provided to us.
First, capture a dummy login request on burp and send it to the intruder
Mark the payload positions as shown below.
Paste the given wordlist under payload set 1 and start the attack.
After the attack has been completed. It's obvious that one request has a longer response and a status code of 302
AKA redirect.
Trying to login with santa:cookie
succeeds and we are able to see Santa's Itinerary.
What valid password can you use to access the "santa" account?
cookie
What is the flag in Santa's itinerary?
THM{SANTA_*******}
Last updated