ACADEMY: Web Requests - a nudge would be appreciated

Spoiler Removed

For those who think they already have the admin but they have no right answer:
There is a difference in html outputs between the two users. Try to investigate that.

I have found the flag. It says the flag is …, I copy and paste the flag but it says incorrect. Please, help.

Same module, but it’s for GET requests. I studied it over and over, but I just couldn’t understand how to answer the question:

Send a GET request to flag.php with two parameters num1 and num2 such that their sum is 1337.

Thanks

I just finished the exercise. Very intelligent one. Was there any way to do it with curl? The cookie I obtained as guest with curl --cookie-jar cookies.txt 'blablabla didn’t mention anything about auth…

I was a little bit lost here and I think the reason is that the ask is not very clear (and that’s very good because when you figure out the answer you kind of feel the try harder/out of box mindset going on)

Long story short, the challenge is not about manipulating the cookie to login back with admin using the application.

Play around with the get request and the cookie and pay attention to server response using burp. The answer is on the server’s response to your request.

Okay, this challenge was really hard for me. I spent hours of my time doing these POST and GET requests in Burp. The challenge was so confusing, and it wasn’t about finding which request or using admin and password credentials to get to the /dashboard page as the admin.

Look, what you need to look for is only the cookie. Before sending your request to the /dashboard.php, just look for the cookie; in Burp Suite, it even shows the decoded strings of the cookie. Then you need to change the cookie to sth else (of course, the decoded version of the cookie), which is guest_XXXX. So just change guest_XXXX to something else; this is sth you need to find. If I tell you this, my hint will be deleted.

Don’t overcomplicate this, with /JSON or trying everything with command-line utility “curl”, lol

It took me so much to learn this and try all in the command line, and search for the missing part. The question is too confusing and if you just read the question carefully, you will find the answer in a second.

Thank you all, peace

thanks for the clarification :slight_smile: I was about to quit haah

@LaTreta said:

I was a little bit lost here and I think the reason is that the ask is not very clear […]

Well, actually “Login with the credentials (guest:guest), and try to get to the admin user from what you learned in this section and the previous section.” is not a question at all, note the “.” instead of a “?”. :stuck_out_tongue:
Digging the challenges in general, but the wording leaves quite a lot to be desired fo sho.

I doubt I could have solved the POST question without the forum. Thanks all!

dGhlIHByb3MgbWFrZSBpdCBsb29rIGVhc3kgb24geW91dHViZQ

Send a GET request to flag.php with two parameters num1 and num2 such that their sum is 1337.

I read all the comments; I still came to a dead end. Help me figure it out!!!

If you are on the right track to begin with, then this can definitely be worked out just based upon the first 5 posts from Moe and Ibrahim. Don’t go down any crazy rabbit holes.

I don’t think they mentioned it, but [CTRL + B] is the hotkey to encode strings, I was using the Decoder and copying and pasting. :sob:

Sorry replied to wrong posting.

Hi did you get any hints or guidance on this one? Am currently lost on this one.

Maybe it will help someone, but “admin_XXXX” and “admin” are NOT the same accounts.

I thought this would be as simple as the challenge for GET requests. But I was wrong. Clearly the asking is confusing.
I tried countless GET/POST/JSON and URL requests.
The best way to find a clue is: turn off Burp and then log in/log out with the guest user a few times. Make a note of the cookie somewhere. Find the pattern. Do the same with admin/password and find the pattern. Find the relation between the user (in the welcome user message) and the cookie. Do some decoding. You need to change the cookie so the user is what you are looking for.

read the question again.

identify the difference between usernames
e.g.
guest, guest12333, guestxxxxx
adminxxxxxxxx, adminxx, admin
read the question again

I am not getting the cookie type as PHPSESSID
I am only getting auth.
What am I doing wrong? Can someone help?

Finally, and after a long time and many failed attempts, I got the flag. I could never have guessed the solution without this forum. In the first place, the question is not very specific and you don’t know what you are looking for.

For those of you stuck as I was, you are looking for a flag.

The sequence is:

  • Get to the login page and type as the question suggests
  • Intercept the server response and its assigned cookie
  • Before you move further: this is the cookie you have to tamper with (guest_xxxxxx) and replace
  • Use your best judgement to replace it by another string (remember, you have to escalate as admin)
  • Encode the string as URL and place it in your request… You will see the FLAG finally in the server response
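
Why the cookie edit described in this thread works at all, and the server-side fix, shown as an added example that is not part of any post or of the lab's code. It assumes the cookie is nothing more than an encoding of the user name; the function names, the key and the sample user names are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

# Hypothetical server-side secret; it is never sent to the client.
SERVER_KEY = secrets.token_bytes(32)


def issue_weak(user: str) -> str:
    """Weak pattern: the cookie is only an encoding of the user name."""
    return quote(user, safe="")


def read_weak(cookie: str) -> str:
    """The server trusts whatever name decodes out of the cookie."""
    return unquote(cookie)


def issue_signed(user: str, key: bytes = SERVER_KEY) -> str:
    """Hardened pattern: append an HMAC-SHA256 tag over the user name."""
    tag = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return f"{quote(user, safe='')}.{tag}"


def read_signed(cookie: str, key: bytes = SERVER_KEY):
    """Return the user name only if the tag verifies, otherwise None."""
    encoded, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    user = unquote(encoded)
    expected = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None


def demo() -> dict:
    # Constructed sample values, not taken from the lab.
    weak = issue_weak("guest_0000")
    signed = issue_signed("guest_0000")
    return {
        "weak_accepts_edit": read_weak(weak.replace("guest", "other")),
        "signed_accepts_original": read_signed(signed),
        "signed_accepts_edit": read_signed(signed.replace("guest", "other", 1)),
    }


if __name__ == "__main__":
    print(demo())
```

An encoding is reversible by anyone, so it gives the server no way to tell its own cookie from an edited one; the keyed tag does, and a random session ID looked up server-side achieves the same result.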