IntroToBurp
PicoCTF
Author: Nana Ama Atombo-Sackey & Sabine Gisagara
Description
Try here to find the flag
Hint 1
Try using Burp Suite to intercept the request to capture the flag.
Hint 2
Try mangling the request; maybe their server-side code doesn't handle malformed requests very well.
As the hint suggests, try using Burp Suite.
Burp Suite Community Edition (https://portswigger.net/burp/communitydownload) is a free application used for intercepting and analysing web traffic.
After installing the software I went here and copied my settings.

After clicking Open Browser and entering the CTF link, I am presented with this information:

Pressing Forward, you can see the steps taken before you reach the end page.

What I found is that the webpage would attempt to check against an OTP if one was set up; however, removing this field and forwarding the request allowed me to bypass the check.
To forward the modified request, you need to be in the Intercept tab and edit the request data there.
Next, I check whether I can find the flag.
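The flaw described above, as an added example that is not the challenge's own code: an OTP check that only runs when the field happens to be present, beside a hardened version that treats a missing or malformed field as a failure. The field names, expected OTP value and handler logic are assumptions for illustration.

```python
from urllib.parse import parse_qs
import hmac

# Constructed sample value: the OTP the server expects for this session.
EXPECTED_OTP = "4821"


def parse_form(body: str) -> dict:
    """Turn a URL-encoded POST body, as shown in Burp's Intercept tab,
    into a flat dict of the first value for each field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_handler(body: str) -> str:
    """Assumed shape of the weakness in the writeup: the OTP is only
    compared when the client sends one, so deleting the field skips it."""
    form = parse_form(body)
    otp = form.get("otp")
    if otp is not None and otp != EXPECTED_OTP:
        return "403 wrong otp"
    # A request with no 'otp' field falls straight through to success.
    return "200 logged in"


def hardened_handler(body: str) -> str:
    """Fail closed: require the field, validate its shape, and compare
    in constant time. A malformed request can never reach success."""
    form = parse_form(body)
    otp = form.get("otp")
    if not isinstance(otp, str) or not otp.isdigit() or len(otp) != len(EXPECTED_OTP):
        return "400 otp required"
    if not hmac.compare_digest(otp, EXPECTED_OTP):
        return "403 wrong otp"
    return "200 logged in"


if __name__ == "__main__":
    for body in ("user=alice&otp=4821", "user=alice&otp=0000", "user=alice"):
        print(f"{body!r:30} vulnerable={vulnerable_handler(body)!r} "
              f"hardened={hardened_handler(body)!r}")
```

The third request body, with the OTP field removed, is the one the intercepted-and-forwarded request corresponds to; only the hardened handler rejects it.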

Flag found.
My thoughts here are about the ways in which the web credentials should have been validated, which in this challenge was not set up correctly.