Main 6 – Solution

In Main 6, we have a drop-down menu with a list of names instead of a form. Like many puzzles, this actually has multiple solutions that I will demonstrate.

Our objective here is to forward Ronald to the server for validation. The easiest way to do this starts at the source code. By inspecting the site, we can see that the drop-down is a series of option tags. If you know about option tags, or read about them via the link, each one simply defines an option in the drop-down. However, the option tag has a more important feature: its “value” attribute sets the data that is sent to the server.

<select id="user" name="user">
    <option>John</option>
    <option>Petter</option>
    <option>David</option>
    <option>Sam</option>
</select>

The first, and easiest, way to do this is to inspect the John element and change its text to Ronald.

<select id="user" name="user">
    <option>Ronald</option>
    <option>Petter</option>
    <option>David</option>
    <option>Sam</option>
</select>

Another way is to add the “value” attribute, as shown below. Although it is slightly more work, the browser then ignores the displayed text and submits the attribute's value instead. As you can see, although the drop-down still shows the name “John”, the server receives the value “Ronald”.

<select id="user" name="user">
    <option value="Ronald">John</option>
    <option>Petter</option>
    <option>David</option>
    <option>Sam</option>
</select>

BurpSuite Solution

We can also use BurpSuite to intercept the traffic being sent to the server and modify it in transit, after it leaves the browser. To do so, ensure BurpSuite is set up with a valid proxy and go to the site.

You don’t need to know anything about Burp to look at this image, but look carefully at what is being displayed on the right. We can see at the bottom that Burp is intercepting the data being passed to HackThis, in the form of the user value set to “John”. Before we forward the request to the site, we can modify this value to “Ronald”.

The server will now accept the value Ronald instead of John, and the level will be complete when the data is forwarded.
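
Both the drop-down edits and the Burp edit work because the server takes whatever arrives in the user field. The sketch below is an added example, not part of the original walkthrough or of HackThis's code: it reproduces the browser's rule for an option's submitted value and shows the server-side allow-list check an application would need if only the rendered names were meant to be accepted. The function names and the urlencoded body format are assumptions.

```javascript
// Added example; function names are hypothetical, markup and names are from the page.
const OFFERED = ["John", "Petter", "David", "Sam"]; // options the drop-down renders

// What a browser submits for one <option>: the value attribute if present,
// otherwise the option's text with whitespace trimmed and collapsed.
function submittedValue(optionHtml) {
  const m = /<option\b([^>]*)>([\s\S]*?)<\/option>/i.exec(optionHtml);
  if (!m) return null;
  const attr = /\bvalue\s*=\s*(?:"([^"]*)"|'([^']*)')/i.exec(m[1]);
  if (attr) return attr[1] !== undefined ? attr[1] : attr[2];
  return m[2].trim().replace(/\s+/g, " ");
}

// Server-side check on the raw POST body (assumed urlencoded, e.g. "user=John").
// The field is client-controlled, so it is accepted only if it was actually offered.
function checkUserField(body, offered = OFFERED) {
  const values = new URLSearchParams(body).getAll("user");
  if (values.length !== 1) {
    return { ok: false, reason: "expected exactly one user field" };
  }
  const user = values[0];
  if (!offered.includes(user)) {
    return { ok: false, reason: "value not in rendered option list" };
  }
  return { ok: true, user };
}

// Constructed inputs: the three markup variants shown on the page.
function demo() {
  const variants = [
    "<option>John</option>",
    "<option>Ronald</option>",
    '<option value="Ronald">John</option>',
  ];
  return variants.map((html) => {
    const body = new URLSearchParams({ user: submittedValue(html) }).toString();
    return { html, body, result: checkUserField(body) };
  });
}

console.log(demo());
```

The same check covers a request changed in a proxy, since it runs on what the server receives rather than on what the page displayed.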
