The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit ‘/skills/’ to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the “top-usernames-shortlist.txt” wordlist from Seclists.
Can you give me more detailed instructions on what to do?
Thank you so much
Took me time to get this, but you’re in a good position.
So after setting up your payload with “084…”, you need to set your processors to MD5 hashes; then in the Fuzzer tab all will appear with 200, and you just resend to the browser to view the flag.
You know what, I’m beginning to get there. I really don’t understand why more information isn’t put into some of these sections. Or even a short video walk-through would be helpful. I do admit that at times I’m simply missing something, and when I go back over it I can figure it out. However, this one really does appear to be missing some key info. Like, where is it explained in this section how to use a wordlist like the one mentioned in the question? Also, when it says to “fuzz the cookie”, is that the whole thing, so cookie=034e0343a0486ff05530df6c705c8bb4? Or is it just the hash after the =? I mean, how hard would it be to just provide a bit more clarity in these instructions?
For those struggling, once you have fuzzed the usernames that you have modified to be MD5-hash encoded, look for the Size Resp. Body that is different.
From there you can right-click and open in the Requester tab. The flag is in the response body.
ZAP’s UI was very clunky, so I had to adjust the window sizes to see things clearly. So bear that in mind if you are struggling to navigate the app and it seems not to make sense… it might not be you that’s the problem.
For those throwing in the towel after failed attempts, maybe pentesting isn’t for you (please be persistent). Looks like all you need to do is observe the resp. header size and send it to the Requester tab. The method must change as well. Think GET vs POST? And you will be done with it. Still, I share your frustration about ZAP, but it’s all we got. Burp wouldn’t give a discount or student access.
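As an added example (not part of this thread or of the lab's own code), here is the cookie scheme the posts above describe, the offline check that shows why a cookie equal to md5(username) is guessable from a short username list, and a hardened alternative that issues a random server-side session token instead. The wordlist entries are a constructed stand-in for SecLists' top-usernames-shortlist.txt.

```python
import hashlib
import secrets
from typing import Iterable, Optional

# Constructed stand-in for SecLists' top-usernames-shortlist.txt (a few
# common entries only; the real file is not reproduced here).
CANDIDATE_USERNAMES = ["root", "admin", "test", "guest", "info", "adm", "user"]


def weak_cookie(username: str) -> str:
    """The lab's scheme: the session cookie is just md5(username)."""
    return hashlib.md5(username.encode()).hexdigest()


def recover_username(cookie: str, wordlist: Iterable[str]) -> Optional[str]:
    """Audit check for your own application: does a captured cookie equal
    md5() of a common username? Returns the matching username, or None when
    the cookie is not predictable from the wordlist. This is the same
    comparison the ZAP Fuzzer with an MD5 processor performs per request."""
    for name in wordlist:
        if hashlib.md5(name.encode()).hexdigest() == cookie:
            return name
    return None


class SessionStore:
    """Hardened alternative: a random, unguessable token is issued and the
    username is looked up server-side, so nothing about the user can be
    derived or enumerated from the cookie value."""

    def __init__(self) -> None:
        self._sessions: dict[str, str] = {}

    def issue_cookie(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = username
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self._sessions.get(token)


if __name__ == "__main__":
    c = weak_cookie("guest")
    print("md5 cookie:   ", c, "->", recover_username(c, CANDIDATE_USERNAMES))
    store = SessionStore()
    t = store.issue_cookie("guest")
    print("random cookie:", t, "->", recover_username(t, CANDIDATE_USERNAMES))
```

The first line of output shows the predictable cookie resolving straight back to "guest" from a seven-entry list; the second shows the random token resolving to nothing, while the server still knows whose session it is.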