How to solve this question using Burp Suite? [Web Proxies - ZAP Fuzzer]

The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit ‘/skills/’ to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the “top-usernames-shortlist.txt” wordlist from Seclists.

I got the username list and added the payload processing rules to convert the list to MD5 hashes, but where should I put the pointer? There is no Set-Cookie header. Please help, how do I enumerate?

anyone?

Hi there. Hope everything is fine with you.

First of all, didn’t you find the cookie in the header of the request? It should be there. In my case, it was the first thing I looked for, and it took just a refresh of the page for a cookie field to appear in the header. Try that, and if it doesn’t work, paste the request header here so we can take a look.


No, I didn’t find any Set-Cookie headers on the request, otherwise I would have done that. I got the Set-Cookie header on the response, so that’s why I don’t know how to fuzz it.

Like I told you, paste the request here. Without that, no one will be able to help you.


Leaving this here for future help. ~Out of Scope Solution~
So for this question, I didn’t have ZAP like this module suggests, yet there are many other approaches you can think of and do.

Firstly, you need to check the Set-Cookie with the provided current cookie.
[Network panel] //Just for the sake of grasping cred and comparing it to later values//

Knowing that we already have the format we will encode in, which is “MD5”, and that we also have the wordlist ~top…~
we can combine them in a Python script to encrypt each provided line in the wordlist with MD5 encryption using the library ‘hashlib’.

After that, try to fuzz it using ffuf with the flag -b for fuzzing cookies.
You can find a similar method in the provided link.
~Param Fuzzing~

Upon a couple of successful hits, we get the guest cookie & the user cookie ‘which has the flag’.

From that point on, feel free to provide any tool with the cookie value you’ve found.

Happy Hacking and hope this is straightforward :smile: !
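
The hashing step described in the post above, as an added example that is not the poster's own script: it builds the MD5 wordlist and keeps a digest-to-username table so a cookie value that produces a hit can be mapped back to a name. The sample input is constructed and the function names are hypothetical.

```python
import hashlib

# Constructed sample standing in for a few wordlist lines; it deliberately has
# a CRLF ending, a trailing space, a blank line and a duplicate entry.
SAMPLE_WORDLIST = "guest\r\nadmin \n\nroot\nguest\n"


def md5_hex(username: str) -> str:
    """Hex MD5 digest of the username, the cookie format the exercise describes."""
    return hashlib.md5(username.encode("utf-8")).hexdigest()


def build_cookie_table(lines) -> dict:
    """Map md5(username) -> username, keeping wordlist order.

    Line endings and surrounding whitespace are stripped first: hashing
    "admin\\n" instead of "admin" yields a different digest, so every
    request would silently miss.
    """
    table = {}
    for raw in lines:
        name = raw.strip()
        if not name:
            continue  # blank line in the wordlist
        table.setdefault(md5_hex(name), name)  # duplicates collapse to one entry
    return table


def render_hash_wordlist(table) -> str:
    """One digest per line: the text to save as the cookie-value wordlist."""
    return "".join(digest + "\n" for digest in table)


def username_for(table, cookie_value: str):
    """Translate a cookie value that produced a hit back to its username."""
    return table.get(cookie_value.strip().lower())


if __name__ == "__main__":
    table = build_cookie_table(SAMPLE_WORDLIST.splitlines())
    for digest, name in table.items():
        print(f"{digest}  {name}")
```

The table also makes the underlying weakness visible: a cookie that is only the MD5 of a username can be computed by anyone who can guess the username, so it carries no secret.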