Attacking VulnTraining Part 5

Since I have a bit of time while watching stuff, I decide to run more parameter fuzzing on the billing, root domain and random subdomain. I start with billing, running ffuf -t 4 -p 0.1 -w ~/ctfs/ctfchallenge/wordlists/parameters.txt -u http://billing.vulntraining.co.uk\?FUZZ\=true -H "Cookie: ctfchallenge=[CTF_CHALLENGE_TOKEN]; token=[AUTH_TOKEN]" -mc all -fs 3542-3547, filtering out anything that is the same response size as the original page.

I get a parameter of api back. It responds with <h1>API Error</h1> when given a parameter, which has a response size of 18 bytes, which then falls outside of my size filter. I decide to try a few parameters, such as v1, v2, 1, 2 and true, but I still get the same response. I decide to try and fuzz using the parameters file, but using it as the value, not the key, using ffuf -t 3 -p 0.05 -w ~/ctfs/ctfchallenge/wordlists/parameters.txt -u http://billing.vulntraining.co.uk\?api\=FUZZ -H 'Cookie: ctfchallenge=[CTF_CHALLENGE_TOKEN]; token=[AUTH_TOKEN]' -mc all -fc 500. I then try the content file with ffuf -t 3 -p 0.05 -w ~/ctfs/ctfchallenge/wordlists/content.txt -u http://billing.vulntraining.co.uk\?api\=FUZZ -H 'Cookie: ctfchallenge=[CTF_CHALLENGE_TOKEN]; token=[AUTH_TOKEN]' -mc all -fc 500, but neither gives a result.

I then decide to try and guess an endpoint. I go through users and invoices, but I do not get a response until I use invoice and user. The problem is that I only get timeouts, so it looks like I need more parameters. I decide to focus on invoice. I start with billing.vulntraining.co.uk?api=invoice&id=1 but that does not return anything, and it is the same with api=invoice/1 and /?api=invoice?id=1 (thinking that perhaps the api parameter is taken and added to the end of another URL request). I decide to go back to the GitHub repo and look for anything around the word API.

The repo has no instances of the term api, so I try reading through the code more to try and learn how the api parameter may be used. I see some interesting regex functions, some with code reading around account hash and hash. There is obviously more I do not know here.

I decide to call it a night here; it is late and I am not making any progress.
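
Seen from the server side, the parameter-name fuzzing at the start of this post shows up as one client requesting the same path with a steady stream of different query parameter names. The following is an added example, not code from the post or from the VulnTraining application: a small detector that flags that pattern in web access logs. The log format, IP addresses, threshold and window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

# Assumed input: common/combined log format lines.
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')

def parse(line):
    """Return (client_ip, timestamp, path, [query parameter names]) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(m.group(3))
    names = [k for k, _ in parse_qsl(url.query, keep_blank_values=True)]
    return m.group(1), ts, url.path or "/", names

def find_param_fuzzing(lines, window=timedelta(seconds=60), threshold=20):
    """Map (ip, path) -> peak number of distinct parameter names seen inside
    any sliding window, for clients whose peak reaches the threshold."""
    events = defaultdict(list)
    for ip, ts, path, names in filter(None, map(parse, lines)):
        events[(ip, path)].extend((ts, n) for n in names)
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        counts, start, peak = defaultdict(int), 0, 0
        for ts, name in evs:
            counts[name] += 1
            while ts - evs[start][0] > window:  # drop events older than the window
                old = evs[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak >= threshold:
            alerts[key] = peak
    return alerts

def sample_lines():
    """Constructed log lines: one client cycling parameter names, one normal."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{s:02d} +0000] "GET {url} HTTP/1.1" 200 {size}'
    noisy = [fmt.format(ip="203.0.113.7", s=i, url=f"/?p{i}=true", size=3542)
             for i in range(30)]
    normal = [fmt.format(ip="198.51.100.4", s=i, url=u, size=3542)
              for i, u in enumerate(["/?page=1", "/?page=2", "/?sort=asc"])]
    return noisy + normal

if __name__ == "__main__":
    print(find_param_fuzzing(sample_lines()))
```

Throttled runs like the ones above (-t 3 -p 0.05) still trip a count of distinct names, because the detector keys on variety of parameter names rather than raw request rate.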