Help With Question -> Proxies/ZAP Fuzzer

The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit ‘/skills/’ to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the “top-usernames-shortlist.txt” wordlist from Seclists.

Can you give me more detailed instructions on what to do?
Thank you so much

2 Likes

Unfortunately it does not work. What am I doing wrong?

Took me time to get this, but you’re in good position.

So after setting up your payload with “084…”, you need to set your processors to MD5 hashes, and then in the Fuzzer tab all will appear with 200; just resend to the browser to view the flag.

1 Like

For anyone else stuck with this, this article helped me - How are cookies passed in the HTTP protocol? - Stack Overflow

Where can I find the “top-usernames-shortlist.txt” wordlist?

Try: /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt

Hello,
I do not understand why I can’t do it. I fuzz the cookie 084…, but when I look at the answer, it is always 084. Why?

Wanted to hop on here to say this was the straw that broke the camel’s back for me.

Feel there is a severe lack of direction. Will be continuing my bug bounty learning path on PortSwigger and cancelling my account here.

Good luck everyone on your journey, when something does not work, try a different way, a different perspective.

1 Like

You know what, I’m beginning to get there. I really don’t understand why more information isn’t put into some of these sections. Or even a short video walk-through would be helpful. I do admit that at times I’m simply missing something, and when I go back over it I can figure it out. However, this one really does appear to be missing some key info. Like, where is it explained here in this section how to use a wordlist like the one mentioned in the question? Also, when it says to “fuzz the cookie”, is that the whole thing, so cookie=034e0343a0486ff05530df6c705c8bb4? Or is it just the hash after the =? I mean, how hard would it be to just provide a bit more clarity in these instructions?

For those struggling: once you have fuzzed the usernames that you have modified to be MD5-hashed, look for the Size Resp. Body value that is different.

From there you can right-click and open it in the Requester tab. The flag is in the response body.

ZAP’s UI was very clunky, so I had to adjust the window sizes to see things clearly. So bear that in mind if you are struggling to navigate the app and it seems not to make sense… it might not be you that’s the problem :wink:

For those throwing in the towel after failed attempts, maybe pentesting isn’t for you (please be persistent). Looks like all you need to do is observe the resp. header size and send it to the Requester tab. Method must change as well. Think GET vs POST? And you will be done with it. Still, I share your frustration about ZAP, but it’s all we got. Burp wouldn’t give a discount nor student access.
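To make the weakness the thread is fuzzing concrete from the defender's side, here is an added example (not code from the thread or from the exercise) that parses a raw Cookie header to show which part carries the hash, audits whether a cookie value is just md5(username) for a public wordlist, and flags log sources that cycle through many distinct cookie values the way a fuzzer does. The username list, the log format and the log lines are constructed assumptions standing in for SecLists and a real access log.

```python
import hashlib
import re
from collections import defaultdict
from typing import Optional

# Constructed stand-in for SecLists' top-usernames-shortlist.txt (assumption: a few entries).
USERNAMES = ["root", "admin", "test", "guest", "info", "user"]


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie header into name -> value pairs.
    Only the value after '=' is the identifier; the 'cookie=' name stays as-is."""
    pairs = {}
    for item in header.split(";"):
        if "=" in item:
            name, value = item.split("=", 1)
            pairs[name.strip()] = value.strip()
    return pairs


def username_for_md5_cookie(cookie_value: str, usernames) -> Optional[str]:
    """Defender-side audit: a session cookie equal to md5(username) for any entry
    of a public wordlist is forgeable, which is exactly the weakness the exercise targets."""
    table = {hashlib.md5(u.encode()).hexdigest(): u for u in usernames}
    return table.get(cookie_value.strip().lower())


def md5_cookie(username: str) -> str:
    """Build a cookie the way the vulnerable site does (used only to construct the sample log)."""
    return hashlib.md5(username.encode()).hexdigest()


# Constructed access-log lines in the format "ip method path cookie status bytes" (assumption).
SAMPLE_LOG = "\n".join([
    f"10.0.0.5 GET /skills/ cookie={md5_cookie('guest')} 200 1412",
    f"10.0.0.5 GET /skills/ cookie={md5_cookie('guest')} 200 1412",
    f"10.0.0.9 GET /skills/ cookie={md5_cookie('root')} 200 1412",
    f"10.0.0.9 GET /skills/ cookie={md5_cookie('admin')} 200 1412",
    f"10.0.0.9 GET /skills/ cookie={md5_cookie('test')} 200 1412",
    f"10.0.0.9 GET /skills/ cookie={md5_cookie('guest')} 200 1412",
])
LOG_RE = re.compile(r"^(\S+) \S+ \S+ cookie=([0-9a-f]{32}) \d{3} \d+$")


def cookie_guessing_sources(log_text: str, threshold: int = 3) -> dict:
    """Flag client IPs that presented at least `threshold` distinct cookie values.
    A browser normally holds one session cookie, so many values from one source
    against the same path is the signature of a fuzzer cycling through candidates."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return {ip: len(c) for ip, c in seen.items() if len(c) >= threshold}
```

The fix on the server side is a session identifier drawn from a CSPRNG (for example `secrets.token_hex(32)`) mapped to the user in server-side storage, so that no username list can reproduce it.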

Bro, thanks so much for your help!

1 Like