Burp suite practices

Learning Objectives

In today’s task, we’re going to learn the following.

Understanding authentication and where it is usedUnderstanding what fuzzing isUnderstanding what Burp Suite is and how we can use it for fuzzing a login form to gain accessApply this knowledge to retrieve Santa’s travel itinerary

let’s enjoy the challenge Advent of Cyber 3.

1.Access the login form at http://MACHINE_IP

just click Question Done

2. Configure Burp Suite & Firefox, submit some dummy credentials and intercept the request. Use intruder to attack the login form.

just click Question Done

3. What valid password can you use to access the “santa” account?

cookie

I have tried to intercept the request, and get the connection is unencrypted because use http as protocol. The burpsuite is a very handy tool for brute force this login form.

setting scopeadd scope to intercept client requestmy intercept requestsend to intruder for setting bruteforce attack

I have the simple wordlist from tryhackme,

Navigate to the vulnerable login form at http://MACHINE_IP/ and apply the material for today’s task to login to Santa’s itinerary, using the username as “santa” and the password list located at /root/Rooms/AoC3/Day4/passwords.txt on the TryHackMe AttackBox (or download it from here for your payload.

load the wordlist

Start attack and get one of unique response.

I try this keyword as santa’s password login. And it’s work.

4. What is the flag in Santa’s itinerary?

THM{SANTA_DELIVERS}

Conclusion

Burp suite is awesome for beginners, but if you wanna use python or other tools for brute force attack, it depends on your preference.
If you are interested in learning more about Burp Suite, check out the Burp Suite module on TryHackMe.

Thanks.

[Day 4] Web Exploitation Santa’s Running Behind | Advent of Cyber 3 (2021) was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.