Tactics Explored: fuzzing and brute-forcing URL paths
Tools: Gobuster and Wfuzz
Sticking point: passing data to API
Something learned: Fuzzing something other than passwords
Today's challenge is my favorite so far. Story-wise, this has the least amount of story, sadly. There's a brief mention that the forums have been hacked, and it's up to you to work your way in via the API that you still have access to.
Day 4 is my favorite so far because it gave me somewhat of a challenge and I gained experience with fuzzing that I haven't done in other challenges or VulnVMs. The idea of fuzzing a date parameter or anything not a login never occurred to me. The part that gave me the biggest challenge was figuring out what to do with the date and then passing that date to the API. This is basically knowledge they've already taught in a previous day, so they don't teach it here. I didn't want to spoil it by clicking through the old challenges, so I had to think about it for a second.