Manipulating Authorization Token Using Burpsuite


During a web application security assessment of a web API, the Authorization Token had a limitation: it is only valid for 5 minutes. Burpsuite was unable to perform a complete scan, or if it did complete, the result was not accurate because the Authorization Token kept changing within that 5-minute timeframe.

To overcome this issue, we needed to find a way to bypass this restriction, since Burpsuite requires a valid token each time it performs a scan, as well as in Repeater and Intruder. A Google search led us to a website where someone had written a Burp extender (in Python) to fetch the new token and replace it in the header every time Burpsuite makes a request. The Burpsuite extender inspects every request for the tag ‘Authorization: Bearer’ in its header, deletes it and replaces it with the new one so that the current session stays valid. The bearer token was generated by the following request; the bearer token is included in the response body under the JSON key ‘###Token‘.

Create Macro in Burpsuite

To automate the process, we need to create a macro in Burpsuite. The macro will initiate a request to the server to refresh the bearer token. In Burpsuite go to Project Options – Macro:


The Macro Recorder screen will be prompted; select the request that generates the bearer token.


Create Session Handling Rules in Burpsuite

To replace the expired token with the new one, we need to create a macro in Burpsuite (explained above). The macro will initiate a request to get the new bearer token, before the Burpsuite extender fetches the newly generated token and replaces it in the request header. To do this, we need to create a new session handling rule in Burpsuite.


The rule basically checks for an HTTP header that matches the defined expression “HTTP/1.1 401 Unauthorized”.


If the response matches, it will run the macro and, after it completes, invoke the Burpsuite extender to fetch the newly generated bearer token and replace it in the request header.

Bearer Authorization Token (Burpsuite Extender)
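The token-swap logic the extender performs, as an added stand-alone example (not the extender linked on this page and not wired to Burp's API): it pulls the token out of the macro's JSON response under the ‘###Token’ key and rewrites the Authorization: Bearer header of an outgoing request. The sample request and response are constructed; inside Burp the same two functions would be called from the session handling action with the macro's response and the current request.

```python
import json
from typing import Optional

TOKEN_KEY = "###Token"                  # JSON key named in the post
BEARER_PREFIX = b"authorization: bearer"

# Constructed sample traffic (not captured from the assessed API).
SAMPLE_MACRO_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n"
    b'{"###Token": "new.token.value", "expires_in": 300}'
)
SAMPLE_REQUEST = (
    b"GET /api/v1/items HTTP/1.1\r\nHost: api.example.test\r\n"
    b"Authorization: Bearer old.expired.token\r\nAccept: application/json\r\n\r\n"
)

def extract_token(raw_response: bytes, key: str = TOKEN_KEY) -> Optional[str]:
    """Pull the bearer token out of the JSON body of the macro's response."""
    sep = raw_response.find(b"\r\n\r\n")
    body = raw_response[sep + 4:] if sep != -1 else raw_response
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None                     # macro got an error page or non-JSON body
    token = data.get(key) if isinstance(data, dict) else None
    return token if isinstance(token, str) and token else None

def replace_bearer(raw_request: bytes, token: str) -> bytes:
    """Swap the 'Authorization: Bearer ...' header in place; requests without one are untouched."""
    sep = raw_request.find(b"\r\n\r\n")
    head, body = (raw_request[:sep], raw_request[sep:]) if sep != -1 else (raw_request, b"")
    out, replaced = [], False
    for line in head.split(b"\r\n"):
        if line.lower().startswith(BEARER_PREFIX):
            if not replaced:            # keep exactly one header, drop any duplicates
                out.append(b"Authorization: Bearer " + token.encode("ascii"))
                replaced = True
            continue
        out.append(line)
    return b"\r\n".join(out) + body if replaced else raw_request

def refresh_request(raw_request: bytes, macro_response: bytes) -> bytes:
    """What the session handling action does: fresh token from the macro, swapped into the request."""
    token = extract_token(macro_response)
    if token is None:
        return raw_request              # macro failed: send unchanged rather than corrupt the request
    return replace_bearer(raw_request, token)
```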

WargamesMY CTF December 2018: Missing Word


The challenge in WargamesMY CTF 2018 requires us to crack a portion of the flag: the missing 6 characters, consisting of upper case and lower case letters, denoted as XXXXXX as per below:


The SHA256 hashsum of the complete flag was given.


Obviously it is a password cracking challenge, therefore we will be using Hashcat for this task.

First, we need to generate custom wordlists. We simply use this Python Wordlist Generator script found on GitHub. (I promise I will learn more later about how to generate wordlists using Hashcat itself :P)

We modified the code a bit to suit the requirement.

But it seemed like it would take forever and the output wordlist size was huge. The idea then was to split the wordlist into 2 parts and generate only the last 3 characters for the first part and only the first 3 characters for the second part of the wordlists. We will use Hashcat combinator mode (-a 1) later.

Generating both parts of the wordlists finished within a few seconds, and the total file size was less than 5 MB this time.

Let’s crack it!

Hashcat arguments:
-a 1 : combinator mode (combine both wordlists)
-m 1400 : cracking sha256 mode
missing_word.hash : the sha256 hash file
left.txt : first part of the wordlists
right.txt : second part of the wordlists
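To show why the split works, here is an added Python example (not the wordlist generator the post used, and not hashcat itself) that computes the keyspace sizes for the 52-letter charset and replicates what hashcat's combinator mode does. The demo template, flag and hash are constructed with a small charset so the run finishes in seconds.

```python
import hashlib
import itertools
import string
from typing import List, Optional, Sequence, Tuple

UPPER_LOWER = string.ascii_letters   # the 52 upper/lower-case letters the challenge allowed

def wordlist(charset: str, length: int) -> List[str]:
    """Every string of `length` characters over `charset`: one half of the split list."""
    return ["".join(chars) for chars in itertools.product(charset, repeat=length)]

def keyspace_sizes(charset: str = UPPER_LOWER) -> Tuple[int, int]:
    """(lines in a single 6-char list, total lines in the two 3-char halves)."""
    return len(charset) ** 6, 2 * len(charset) ** 3

def combinator_crack(target_hex: str, template: str,
                     left: Sequence[str], right: Sequence[str]) -> Optional[str]:
    """What hashcat -a 1 -m 1400 does: try every left+right pair in the XXXXXX slot."""
    prefix, suffix = template.split("XXXXXX")
    for l in left:
        for r in right:
            candidate = prefix + l + r + suffix
            if hashlib.sha256(candidate.encode()).hexdigest() == target_hex:
                return candidate
    return None                        # exhausted both lists without a match

# Constructed demo values (not the CTF's real template or hash), kept small on purpose.
DEMO_CHARSET = "abcdefgh"
DEMO_TEMPLATE = "wgmy{demo_XXXXXX_flag}"
DEMO_HASH = hashlib.sha256(b"wgmy{demo_hgfedc_flag}").hexdigest()

def run_demo() -> Optional[str]:
    """Crack the constructed hash with two 512-line halves instead of one 262144-line list."""
    half = wordlist(DEMO_CHARSET, 3)   # the same 3-char list serves as left.txt and right.txt here
    return combinator_crack(DEMO_HASH, DEMO_TEMPLATE, half, half)
```

For the real charset keyspace_sizes() returns 19,770,609,664 candidates for a single list against 281,216 lines across the two halves, which is the difference between the "forever" run and the sub-5 MB pair of files.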

In less than an hour (22 minutes to be exact) we managed to crack it, and we got first blood for the challenge.


Flag : wgmy{h3r3_1s_y0ur_pRiZEe_br0!}

Update: As mentioned above, here is how we can solve this challenge using Hashcat.

Hashcat with GPU:


WargamesMY CTF 2018: PHP Sandbox


P/S: We forgot to take screenshots for the writeup on this one; luckily there was still Burp history available.

Viewing the page source, we found <!-- source code ./source.txt --> in an HTML comment. Viewing source.txt we got:


Basically it is a single web page and form that takes user input in the parameter code and passes it into the eval() function.

Great! Never thought a WGMY web challenge would be this ez pz. Let's try to do RCE..


Snap! Never underestimate the troll level of the WGMY challenge author. All command execution functions are disabled. var_dump(ini_get('disable_functions')); reveals all the disabled functions:

So that explains why the name of the challenge is PHP Sandbox.

Later we found that scandir() is usable, and it reveals the target flag file .supers3cr37file.php in the same www directory.


Most of the read/view file functions are also disabled (maybe not all, we just couldn't think of any others at that time). Later we found that the FTP functions are usable. The idea is to transfer the flag back to us via FTP, so we ran an FTP server on our box.

Submit the above code.


The target flag file was successfully transferred to our box, and finally,

$ cat flagphpsandbox.txt
<?php /*$flag = 'wgmy{func_bl4ck1ist_1z_s0_b4d}';*/ ?>

Flag : wgmy{func_bl4ck1ist_1z_s0_b4d}

References: PHP Scandir Function
Read all writeups: WargamesMY CTF 2018 Writeup

WargamesMY CTF 2018: You Math Bro?


The challenge requires answering 30 questions within 40 seconds, which clearly requires some form of automation.

The program also throws in occasional extra text; make accommodations for it.

Let’s write a script.



Flag : wgmy{d0_you_ev3n_m4th_br0}

Wargames.MY December 2018 – Teka Teki Pakcik Bawang

We were given a .onion URL, and there is a “Flag” page on the website which contains the hint for this challenge.

So basically, we need to identify the real IP of the website to get the flag. A hint was released which shed some light:

Information Gathering: where do we run our CTF infra.

From the hint above, we then identified all the subdomain IP addresses:

The next step is to identify the available hosts within the subnet that are listening on port 80. After going through all the hassle, we finally found one.

nmap -PN -p 80 --open -oG - | awk '$NF~/http/{print $2}' >> DCSG.txt

and we get the list of hosts…[output snipped]

Write a simple script to grep for info such as the title.


# For every host found by nmap: keep any line mentioning the expected marker, then record the host it came from
while read -r host; do
    curl -s --max-time 3 "http://$host" | grep -E 'No DB CMS' >> DCSGresult.txt
    echo "$host" >> DCSGresult.txt
done < DCSG.txt

and it returns our expected result.

Access the website using the IP address and here is our flag.

Flag : wgmy{bawang_membawang_tok_pawang}

Lesson learned: use http-title instead. 🙂