Election Day: any hint??

Salvatore [SalMau]
4 years ago | edited 4 years ago

9

I’ve been stuck on this level for weeks. I’m trying to change the method for posting the vote, but nothing. I’m searching for different files but nothing. Any hint? Could Burp Suite help? I only noticed that her ID is different from the others, but don’t know what to do. Thanks!

SilverVVolf
3 years ago

9

It’s very hard to give a hint for this one, but there are three steps (I know it’s a kinda obvious and irritating answer, but…):
1. What do you need to do?
2. Why can’t you do it?
3. How to do it?
Maybe somebody can give a better hint.

Reply has been removed
eduardo.silva
2 years ago | edited 2 years ago

7

Well, I tried different encodings but nothing works. I wonder if I am on the right path :/

CH [CHO]
2 years ago

6

Please, any more help with this challenge? I am stuck (I am new to this whole thing) and I am starting to despair :‘)

f0rk [HackingGuy]
2 years ago

8

Once you identify the challenge, it becomes fairly straightforward.
I’d suggest extensively probing the application to understand what you can and can’t do.
Figure out ways to do what you want to do by bypassing measures that are attempting to stop you.

CH [CHO]
2 years ago

7

Thanks so much for your response! I have tried a lot… I compared all candidates and what happens when I try to vote, but apart from the 400 or 200 status message, the requests don’t seem to differ… cookies are exactly the same… :( Do I need Burp for this or can I solve it with web dev tools? Thanks again!!

f0rk [HackingGuy]
2 years ago

7

You’re looking too far into it. There is something that stands out when trying to vote as the level description says.

CH [CHO]
2 years ago

8

Thanks again for your help! The only thing that stands out to me is the d in her vote_id. But I will keep on trying :)

f0rk [HackingGuy]
2 years ago

7

Good luck! :)

Reply has been removed
f0rk [HackingGuy]
2 years ago

7

You’re on the right track ;) keep trying what you’re doing!

thecyphervault
a year ago

7

I have been stuck on this challenge for a while now.

Something that I did notice was the number of characters in the candidate’s last name matches the number of digits in their vote_id.

Like others have posted in this thread, the WAF is clearly blocking certain characters, like the ‘d’ character in ?vote_id=62d784, but I have had my hair start to fall out trying to bypass this annoying WAF.

Any tips feel free to PM me!

2 replies have been removed
CH [CHO]
a year ago

7

Still stuck as well! Been on the right track for a year now… but can’t figure it out! Any help?

Reply has been removed
jules70
a year ago

2

jules70 says that https://defendtheweb.net/extras/playground/election/?vote_id=62d784 returns an error: Request denied by SuperSecureWAF 1.2b
In addition, Firefox shows in its dev tools (Ctrl+Shift+I keyboard shortcut), in the Network tab for this address: 400 Bad Request, so HTTP error 400.

I know that with Burp Suite, we can change error 400 to the state 200 (= all is OK), so as there is no error the communication is made and we have the password.

But I don’t have much experience with BS. I have seen YouTube tutorials about that. I hope that in the future I will solve this challenge.

I say all of that to help the people interested in hacking.

See you


1

I intercepted Burpsuite responses and changed the code from 400 to 200 but it did not work.

Good idea though.

thecyphervault
a year ago

2

sitemap.xml gives a strange error message.

When I am on my laptop I will view the source of that page.

https://defendtheweb.net/extras/playground/election/sitemap.xml

Kaldah
a year ago

3

Hello!

You can also write “test.html” and it shows the same error message. It’s just the website error message when you try to go to a file that doesn’t exist, for example: https://defendtheweb.net/test42.html

2 replies have been removed
🐉 [Cheerfulbull]
a year ago

0

Thank you for your help, with that I was able to solve the challenge in a matter of minutes!

2 replies have been removed
BloodCover
7 months ago

0

Still stuck for several weeks. Any hint? I just tried many encodings to convert “d” but it seems wrong.

🐉 [Cheerfulbull]
7 months ago | edited 7 months ago

2

Instead of encoding the d, try doing something so that the d is never found… (Tell me if this is a spoiler)

BloodCover
7 months ago

0

OK, I got the point. It is a blind spot. Thanks a lot.
