Context
There were issues with the original test environment (VMs), which affected some students, including me. Although I didn’t take the retest, I was allowed to submit a write-up based on the retest paper, which was a bit more difficult.
This write-up is based on that version of the paper. Since the answers weren’t released, I was asked to work through it and document my process.
Note: These types of papers rely heavily on screenshots, so there are quite a few included.
QUESTION 1 (25 marks)
Target URL: http://TARGET_IP:42042
a. How many pages can be found in the directory /pages/ with status code 200? Include screenshot(s) and explanation(s) of your steps and tools used.

At first glance, this looks like a spidering question. There are 26 letters in the alphabet, so likely 26 endpoints under /pages/. We could have done this manually, but it’s an exam, and our only tool related to this was zaproxy.


This scan gives us 27 results in the pages directory. Now clearly, it doesn’t end here. Some of these pages might be 404.

26 pages. Now, it still doesn’t end here.
We can still go deeper.
Directory enumeration. We were taught dirb with the common wordlist. Personally, I prefer gobuster as it’s faster, cleaner, and works well here.

This gives us 199 other valid pages (status 200) from the wordlist.
So total count so far is: 26 alphabet pages + 199 wordlist pages = 225 pages
BUT THAT’S NOT IT!

In the alphabet/b page, we see a link to buzzbuzz.

AND in the alphabet/f page, we see a link to fizzbuzz.
Final Count: 225 pages + 2 pages = 227 pages
And that’s it for Question 1.
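The tally above can be cross-checked offline by merging the three sources as sets, so that a page reported by both the spider and the wordlist scan is counted once. This is an added example, not code from the exam or the original write-up; the sample data is constructed, the gobuster lines are modelled on its dir-mode output, and all function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BASE = "http://TARGET_IP:42042/pages/"  # placeholder target from the question
# Constructed sample data (assumption), not output captured during the exam.
SPIDER = [(BASE + "a", 200), (BASE + "b", 200), (BASE + "zz", 404)]
GOBUSTER = """\
/admin                (Status: 200) [Size: 512]
/b                    (Status: 200) [Size: 498]
/backup               (Status: 301) [Size: 0]
"""
BODIES = {BASE + "b": '<a href="buzzbuzz">next</a> <a href="/other/x">x</a>'}
GOBUSTER_LINE = re.compile(r"^(/\S*)\s+\(Status: (\d{3})\)")

def normalise(url):
    """Drop query, fragment and trailing slash so one page is counted once."""
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}{p.path.rstrip('/')}"

def from_gobuster(text, base=BASE):
    """Absolute URLs of the status-200 lines in gobuster-style output."""
    hits = (GOBUSTER_LINE.match(line.strip()) for line in text.splitlines())
    return {normalise(urljoin(base, m.group(1).lstrip("/")))
            for m in hits if m and m.group(2) == "200"}

class LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def linked_candidates(bodies, known, base=BASE):
    """Links under /pages/ that neither tool reported; each still needs a status check."""
    found = set()
    for page_url, html in bodies.items():
        parser = LinkParser()
        parser.feed(html)
        for href in parser.hrefs:
            url = normalise(urljoin(page_url, href))
            if url.startswith(base) and url not in known:
                found.add(url)
    return found

def tally(spider, gobuster, bodies):
    """Return (deduplicated status-200 pages, unreported linked pages)."""
    known = {normalise(u) for u, s in spider if s == 200} | from_gobuster(gobuster)
    return known, linked_candidates(bodies, known)
```
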