This is a write-up for the TryHackMe room: Advent of Cyber 2, Day 3. Let’s get started!
[Day 3] – Web Exploitation – Christmas Chaos
Let’s first navigate to the website!
Now turn on the BurpSuite proxy that you set up. (Follow the instructions in the room on how to do this.)
Verify that the Proxy tab in BurpSuite has Intercept On.
Type in any login; in this case I will use user:test.
You should see that request appear in BurpSuite.
Right click on the request and select Send to Intruder.
Navigate to Intruder and you can see that the values user and test are already highlighted by BurpSuite as payload positions. Change Attack type to Cluster bomb. Now let’s create our payload lists. Go to the Payloads tab.
Under Payload set: 1 add the user list that was given to us in the room.
Under Payload set: 2 add the password list that was given to us in the room.
Click Start attack!
Looking at the results, there is one line whose response length differs from all the others: that is the valid username and password combination.
Log in with those credentials! NOTE: Make sure to turn off your proxy and refresh the page!
We have our flag!
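Seen from the defending side, a cluster-bomb run like this leaves a burst of failed logins from one client across several usernames in a few seconds. The detection logic below is an added example, not part of the room or this write-up; it assumes a simple application login-audit log format (the sample lines are constructed) and flags any client whose failures within a sliding time window exceed a threshold, noting whether a success followed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not from the room). Assumed format:
# "<ISO timestamp> <client ip> login <success|failure> user=<name>"
SAMPLE_LOG = """\
2020-12-03T10:00:00Z 10.10.14.7 login failure user=admin
2020-12-03T10:00:00Z 10.10.14.7 login failure user=root
2020-12-03T10:00:01Z 10.10.14.7 login failure user=santa
2020-12-03T10:00:01Z 10.10.14.7 login failure user=admin
2020-12-03T10:00:02Z 10.10.14.7 login failure user=root
2020-12-03T10:00:02Z 10.10.14.7 login failure user=santa
2020-12-03T10:00:03Z 10.10.14.7 login success user=santa
2020-12-03T10:05:00Z 192.168.1.20 login failure user=alice
2020-12-03T10:09:00Z 192.168.1.20 login success user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) login (?P<result>success|failure) user=(?P<user>\S+)$"
)

def parse_line(line):
    """Return (timestamp, ip, result, user) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["result"], m["user"]

def detect_spray(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Map ip -> (failures_in_window, distinct_users, success_after_burst)
    for every client exceeding max_failures inside any sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            events[parsed[1]].append(parsed)
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [e for e in evs if e[2] == "failure"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`
            while failures[end][0] - failures[start][0] > window:
                start += 1
            if end - start + 1 > max_failures:
                users = {e[3] for e in failures[start:end + 1]}
                last_fail = failures[end][0]
                success = any(e[2] == "success" and e[0] >= last_fail for e in evs)
                alerts[ip] = (end - start + 1, len(users), success)
    return alerts
```

A success immediately after the burst is the case worth escalating, since it mirrors the single odd-length response the attacker was looking for.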
Review
This was once again a great room! Can’t wait for Day 4!