Hey guys, I'm really stuck on this part of the final skills assessment. Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the “alphanum-case.txt” wordlist from Seclist for the payload). The cookie is encoded with b64 and ASCII hex. I tried attacking it with Burp in several ways, but the server response is always 200 OK for every payload. I really don't know what I'm doing wrong… Supposedly, if you take the cookie and add a final alphanumeric character to the payload, encoded with b64 and ASCII hex, the server will respond with something different. Any hint, please?
I took the same step and I didn't find a solution.
Prepare the list of all possible 32-character-long hashes (31 + a-zA-Z0-9).
Use Burp Intruder to format the list entries (as you wrote, encode with b64 and later with ASCII hex).
I have tried multiple ways to get the flag. It seems that one can get it only by using Burp. (it is also what the hint says)
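Added example (not part of the thread): a Python sketch of the two steps above, base64 first and ASCII hex second as the posts describe, with a round-trip check that the encoding chain reproduces the original cookie before any candidate is generated. The sample value and the function names are constructed for illustration and do not come from the lab.

```python
import base64
import binascii
import string

# Constructed stand-in for the 31-character decoded cookie value (not from the lab).
SAMPLE_TRUNCATED = "0123456789abcdef0123456789abcde"
# Same character set the posts mention: a-z, A-Z, 0-9.
ALPHANUM = string.ascii_lowercase + string.ascii_uppercase + string.digits


def encode_cookie(value: str) -> str:
    """Base64-encode the text, then ASCII-hex-encode the base64 string."""
    b64 = base64.b64encode(value.encode("ascii"))
    return binascii.hexlify(b64).decode("ascii")


def decode_cookie(cookie: str) -> str:
    """Reverse of encode_cookie: ASCII hex -> base64 -> text."""
    b64 = binascii.unhexlify(cookie.strip())
    return base64.b64decode(b64, validate=True).decode("ascii")


def build_candidates(original_cookie: str) -> list[str]:
    """Return the 62 encoded cookies, one per appended character."""
    truncated = decode_cookie(original_cookie)
    if len(truncated) != 31:
        raise ValueError(f"expected 31 characters, got {len(truncated)}")
    # Round-trip check: if re-encoding does not reproduce the cookie exactly,
    # the encoding chain (order of steps, stray newline) is wrong and every
    # candidate built from it would be malformed as well.
    if encode_cookie(truncated) != original_cookie.strip().lower():
        raise ValueError("re-encoded value differs from the original cookie")
    return [encode_cookie(truncated + ch) for ch in ALPHANUM]


if __name__ == "__main__":
    cookie = encode_cookie(SAMPLE_TRUNCATED)
    for candidate in build_candidates(cookie):
        print(candidate)
```

Comparing one generated line against what Burp Intruder actually sends (including any extra URL-encoding it applies) shows whether both tools agree on the encoding.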