Using Web proxies Skill Assessment Question #1

I feel that the way I got the flag for this is not how they wanted us to do it, but I could not figure it out with Burp Suite. I tried intercepting the request and sending in commands or even sending in HTML with enabled and even based that on the ID for the submit button.

The way I got it to work was just using the browser and Firefox developer tools, which I am much more familiar with. I just used the page's JavaScript to force it to be enabled and clickable. I would just like to know more about how to do this through Burp.

1 Like

Yeah that question nearly broke me when I first started. I clearly got so unlucky that it took forever for the flag to come around.

There are two easy ways to solve it with Burp, one is via the repeater, the other is via the intruder. I am going to assume that you were able to enable the disabled button and then were able to capture the post request after enabling it.

Repeater:
This method is lazy and can be painful if you are unlucky, or not paying attention. When you capture that lucky.php post request, press ctrl+r or use the actions to send to the repeater. Then you simply just submit it over and over.

Intruder:

  1. Capture the POST request and use ctrl+i to send it to the Intruder.
  2. Clear the payload position and add your own header, something like: MeaninglessHeader: $1$ at the end of the headers.
  3. Then under the payloads use the Numbers list type to run it a bunch of times.
  4. Run the attack and look at the response size or grep for a flag.

I am sure that there are better ways, but you should go back and try those two methods. Get used to BurpSuite Intruder, it is an awesome tool.
-onthesauce

2 Likes

Yes, I was able to enable it via the console in the developer tools, but not with anything in Burp. I will give it another go. Thanks for the feedback.

1 Like

Ohhh! I thought they showed you how to enable it with Burp in the module?

When you intercept it the first time, and before you pass it through, go to the options and turn on the intercept server responses setting; it is just a check box. Then send the request and view the response given; that response is something you can edit.

1 Like

Yes, they do explain it. I went back and used both the repeater and the intruder to get it. I think the issue was I didn’t realize how many times that you had to click to get the right answer. When I used the browser console, I lucked out and it worked on the first try. It was almost 25 times when I did it with the repeater. Utilizing the match and replace in the proxy > options was an incredible time saver. Even once I was doing it right, I quit twice because I thought there was no way it would be more than 10 times.

Anyway, they do show you everything you need to complete it. Once I understood how many times it took to get the flag, it made it much more clear.

2 Likes
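
The response edit and the match-and-replace rule discussed in this thread both come down to removing the `disabled` attribute from the HTML before the browser renders it. The following is an added example, not part of any post or of the module: it does that rewrite on a constructed response and reports which form controls relied on `disabled`, without touching the word where it appears in text or class names. The sample markup, ids and field names are assumptions.

```python
import html
from html.parser import HTMLParser

FORM_CONTROLS = {"button", "input", "select", "textarea", "fieldset"}

# Constructed sample response; the ids and field names are assumptions.
SAMPLE = """<form action="/lucky.php" method="POST">
  <p class="disabled-note">The button is disabled.</p>
  <button id="submit-btn" type="submit" disabled>Click</button>
  <input name="token" value="x" disabled="disabled"/>
</form>"""

class _Enabler(HTMLParser):
    """Re-emits the document, dropping `disabled` from form controls only."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.enabled = [], []

    def handle_starttag(self, tag, attrs):
        raw = self.get_starttag_text()
        if tag in FORM_CONTROLS and any(k == "disabled" for k, _ in attrs):
            kept = [(k, v) for k, v in attrs if k != "disabled"]
            d = dict(kept)
            self.enabled.append(d.get("id") or d.get("name") or tag)
            # Rebuild the tag from parsed attributes so values containing
            # the word "disabled" are never mistaken for the attribute.
            body = "".join(f" {k}" if v is None else f' {k}="{html.escape(v)}"'
                           for k, v in kept)
            raw = f"<{tag}{body}{'/>' if raw.endswith('/>') else '>'}"
        self.out.append(raw)

    handle_startendtag = handle_starttag  # self-closing tags take the same path

    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(data)
    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")
    def handle_comment(self, data): self.out.append(f"<!--{data}-->")
    def handle_decl(self, decl): self.out.append(f"<!{decl}>")

def enable_controls(page):
    """Return (rewritten_html, names_of_controls_that_were_disabled)."""
    p = _Enabler()
    p.feed(page)
    p.close()
    return "".join(p.out), p.enabled

if __name__ == "__main__":
    rewritten, names = enable_controls(SAMPLE)
    print(rewritten)
    print("controls enabled:", names)
```

Every control the function lists was gated only in the markup, so any restriction it was meant to express has to be checked again by the server when the POST arrives.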