Web Attacks - Bypassing Encoded References

HTB Content Academy
1

I need help with the exercise:

Try to download the contracts of the first 20 employee, one of which should contain the flag, which you can read with ‘cat’. You can either calculate the ‘contract’ parameter value, or calculate the ‘.pdf’ file name directly.

I tried using Burp’s Decoder to try 1 to 20 numbers but I was unsuccessful. Reading the source code we can see that the value is first getting base64 encoded and then URL encoded. I was not able to create a curl command to generate the right encoded values for the numbers 1 to 20.

Any help would be greatly appreciated.

Thanks

2

I was able to figure it out.

4

I found that Burp is the easiest way to get the flag. You just need to understand that MQ%3D%3D is encoded for MQ==. This is also encoding for the number 1. It’s an encoding that we should be pretty familiar with by now. It took me longer to figure out than it should have.

1 Like
5

Use this simple script to convert 20 numbers to 20 base64 encoded numbers:

import base64
for number in range(1,21):
    n=str(number).encode('ascii')
    base64_bytes = base64.b64encode(n)
    base64_data = base64_bytes.decode('ascii')
    print(base64_data)

Then, go to Burp make a request for any contract on the page, intercept the traffic, send that traffic to Intruder, select a Sniper Attack, as a payload use simple list, paste base64 encoded values, and you will see that one response length is different than the others, that is flag. Feel free to PM me if you need help.

3 Likes
6

I was troubled by the way in which to initiate an enumeration of user identifiers for a given range in regards to the many features of BurpSuite™ until I was tutored on the appropriate use of the Payload Options™ [Numbers]™ type of payload and the necessary configurations. In other references to BurpSuite™ enumeration, the caution was in favor of the Simple List™ option.

Anyone else ignorant of which the Bash script to use or create for enumerating identifiers could find Number(s)™ to be useful by way of enabling and setting the Payload Processing™ feature to ‘Base64-encode’.

‘Add’ the ‘processing rule’ for the btoa() JavaScript encoder function by selecting the appropriate ‘rule type’. Next, start the ‘Sniper’ attack before observing the HTTP Response for the uid that matched with the HTB value during the process.

7

An excellent strategy which works perfectly and has prevented me from wasting time finding a way of creating a curl command with urlencoded values

1 Like
8

Thank you, I am glad it helped!
-Milos

9

Thank you very much! I was stuck on this question for almost 1 week. I would have never figured this out and would have wasted too much time.

1 Like
10

No problem! I am glad it helped, I appreciate the feedback!
-Milos

11

for anyone who wants to use bash script to solve this exercise, this is my script and it worked well.

#!/bin/bash

url="http://<IP:PORT>/download.php?contract="

for i in {1..20}; do
    for encodedid in $(echo -n $i | base64); do
        curl  "$url$encodedid" 
    done
done
2 Likes
12

Thank you @tabbii.
I’m not sure why I wasnt able to perforn the curl request on that exercise, even with the switch -O.
Ultimately I had to perform a dictionary attack through Burp Intruder.

for i in {1..20}; do echo -n $i | base64; done

Just paste the output into Burp Intruder and pay close attention to the length of the response.

1 Like
14

this is the one that worked for me. thanks

15

I need a little help with the script that they provided, it just downloads the ‘download.php’ with an error saying contract not defined.

16

Hello, everyone. I want to give two tips that would have helped me a lot to solve the challenge; one needs to adapt the curl command a bit to make the script run. Here are the two tips;

  1. Investigate the HTTP method used in the request in the lesson and in the challenge. Does it influence the flags we use?
  2. Investigate the ´-G´ flag of curl.