Web Attacks - Bypassing Encoded References

I need help with the exercise:

Try to download the contracts of the first 20 employee, one of which should contain the flag, which you can read with ‘cat’. You can either calculate the ‘contract’ parameter value, or calculate the ‘.pdf’ file name directly.

I tried using Burp’s Decoder to try 1 to 20 numbers but I was unsuccessful. Reading the source code we can see that the value is first getting base64 encoded and then URL encoded. I was not able to create a curl command to generate the right encoded values for the numbers 1 to 20.

Any help would be greatly appreciated.

Thanks

I was able to figure it out.

I found that Burp is the easiest way to get the flag. You just need to understand that MQ%3D%3D is encoded for MQ==. This is also encoding for the number 1. It’s an encoding that we should be pretty familiar with by now. It took me longer to figure out than it should have.

1 Like

Use this simple script to convert 20 numbers to 20 base64 encoded numbers:

import base64
for number in range(1,21):
    n=str(number).encode('ascii')
    base64_bytes = base64.b64encode(n)
    base64_data = base64_bytes.decode('ascii')
    print(base64_data)

Then, go to Burp make a request for any contract on the page, intercept the traffic, send that traffic to Intruder, select a Sniper Attack, as a payload use simple list, paste base64 encoded values, and you will see that one response length is different than the others, that is flag. Feel free to PM me if you need help.

3 Likes

I was troubled by the way in which to initiate an enumeration of user identifiers for a given range in regards to the many features of BurpSuite™ until I was tutored on the appropriate use of the Payload Options™ [Numbers]™ type of payload and the necessary configurations. In other references to BurpSuite™ enumeration, the caution was in favor of the Simple List™ option.

Anyone else ignorant of which the Bash script to use or create for enumerating identifiers could find Number(s)™ to be useful by way of enabling and setting the Payload Processing™ feature to ‘Base64-encode’.

‘Add’ the ‘processing rule’ for the btoa() JavaScript encoder function by selecting the appropriate ‘rule type’. Next, start the ‘Sniper’ attack before observing the HTTP Response for the uid that matched with the HTB value during the process.

An excellent strategy which works perfectly and has prevented me from wasting time finding a way of creating a curl command with urlencoded values

1 Like

Thank you, I am glad it helped!
-Milos

Thank you very much! I was stuck on this question for almost 1 week. I would have never figured this out and would have wasted too much time.

1 Like

No problem! I am glad it helped, I appreciate the feedback!
-Milos

for anyone who wants to use bash script to solve this exercise, this is my script and it worked well.

#!/bin/bash

url="http://<IP:PORT>/download.php?contract="

for i in {1..20}; do
    for encodedid in $(echo -n $i | base64); do
        curl  "$url$encodedid" 
    done
done
1 Like

Thank you @tabbii.
I’m not sure why I wasnt able to perforn the curl request on that exercise, even with the switch -O.
Ultimately I had to perform a dictionary attack through Burp Intruder.

for i in {1..20}; do echo -n $i | base64; done

Just paste the output into Burp Intruder and pay close attention to the length of the response.

1 Like