Election Day: any hint??

Salvatore [SalMau]
2 years ago | edited 2 years ago

6

I’m stuck in this level for weeks. I’m tryin to change the method for posting the vote, but nothing. I’m searching for different files but nothing. Any hint? Burpsuite could help? I only noticed that her ID is different from the others, but don’t know what to do. Merci!

SilverVVolf
a year ago

7

It’s very hard to give a hint for this one, but there are three steps (I know it’s kinda obvious and irritating answer, but…):
1. What do you need to do?
2. Why you cannot do it?
3. How to do it?
May be somebody can give a better hint.

Non-native English speaker, please be patient =)

Reply has been removed

eduardo.silva
a year ago | edited a year ago

5

well i i tried >> different encodings but nothing works. i wonder if i am in the right path :/

CH [CHO]
a year ago

4

Please, any more help with this challenge? I am stuck ( I am new to this whole thing) and I am starting to dispair :‘)

f0rk [HackingGuy]
a year ago

6

Once you identify the challenge, it becomes fairly straightforward.
I’d suggest extensively probing the application to understand what you can and can’t do.
Figure out ways to do what you want to do by bypassing measures that are attempting to stop you.

There’s no place like 127.0.0.1

CH [CHO]
a year ago

5

Thanks so much for your response! I have tried a lot…I compared all candidates and what happens when I try to vote, but appart from the 400 or 200 status message, the requests don’t seem to differ..cookies are exactly the same….:( Do I need burp for this or can I solve it with web dev tools? Thanks again!!

f0rk [HackingGuy]
a year ago

5

You’re looking too far into it. There is something that stands out when trying to vote as the level description says.

There’s no place like 127.0.0.1

CH [CHO]
a year ago

6

Thanks again for your help! The only thing that stands out to me is the d in her vote_id. But I will keep on trying :)

f0rk [HackingGuy]
a year ago

5

Good luck! :)

There’s no place like 127.0.0.1

jarvisanai
6 months ago | edited 6 months ago

5

reviving this thread for some hint . I know the waf is not allowing some characters and one of them is presented in the second candidate’s vote id . Can any one give a hint to put me on track

f0rk [HackingGuy]
6 months ago

5

You’re on the right track ;) keep trying what you’re doing!

There’s no place like 127.0.0.1

thecyphervault
2 months ago

5

I have been stuck on this challenge for a while now.

Something that I did notice was the number of characters in the candidate’s last name matches the number of digits in their vote_id.

Like others have posted in this thread, the WAF is clearly blocking certain characters, like the ’d' character in ?vote_id=62d784 but I have had my hair start to fallout trying to bypass this annoying WAF.

Any tips feel free to PM me!

2 replies have been removed

CH [CHO]
a month ago

5

Still stuck as well! been on the right track for a year now…but can’t figure it out! Any help?

Reply has been removed

Election day

6

7

5

4

6

5

5

6

5

5

5

5

5