[Day 4] Santa's Running Behind

{Web Exploitation = Fuzzing}

Challenge

Accessing the site reveals a login form as shown below.

The following was the password list provided to us.

christmas
elves!
santa
festive
joy123
myrrh!
yuletide
presents
candy
tidings
cookie
cookies
biscuits!
snowball
snowball123

First, capture a dummy login request on burp and send it to the intruder

Mark the payload positions as shown below.

Paste the given wordlist under payload set 1 and start the attack.

After the attack has been completed. It's obvious that one request has a longer response and a status code of 302 AKA redirect.

Trying to login with santa:cookie succeeds and we are able to see Santa's Itinerary.

What valid password can you use to access the "santa" account?

  • cookie

What is the flag in Santa's itinerary?

  • THM{SANTA_*******}

Last updated