Walk-Through of Bepractical.tech lab #1
Today I am going to walk through bepractical.tech Lab #1. I have found this site to be especially helpful and enjoyable, and I look forward to trying more of its content as it becomes available. I am new to ethical hacking and would really like to help out others while learning. I am using Firefox and Burp Suite Pro in Kali Linux. This will not include any information on how to set up and use Burp Suite.
1: First we will log in with the credentials given {john@bepractical.tech:john@123} to see how the site reacts to a valid login.


As you can see, we were logged in as the correct user.
2: Now go back to the login page, intercept the same login request with Burp Suite, and send it to Repeater.

3: In Repeater, hit "Send". The response body is a short base64 value that decodes to "1", which is the server's way of saying the login succeeded.

4: Send the original request to Repeater a second time (right-click the original request and choose "Send to Repeater") so we have a fresh copy to modify.

5: In that second tab, change the email address from "john@bepractical.tech" to "admin@bepractical.tech", leave the password as it is, and see what happens when we push "Send".

The response now decodes to "false".
So the login result is just a base64-encoded flag in the response body, and the browser decides whether we are logged in based on that flag. That response is what needs to be manipulated: if the client trusts it, rewriting "false" to "1" on the way back should convince the page that the admin login succeeded, whatever the server actually decided.
6: Go back to Proxy > Intercept, submit the login again, and change the email field from "john@bepractical.tech" to "admin@bepractical.tech" (don't worry about the password field). Then right-click the request and choose "Do intercept" > "Response to this request".

7: Hit "Forward" and you will see the 200 OK response whose body is the base64 version of "false".

8: Highlight the base64 characters. In the Inspector on the right-hand side, set "Decode from" to "Base64" (if needed), delete "false", type "1", and click "Apply changes" so the body is re-encoded.

9: Click "Forward", then turn "Intercept" off and go back to Firefox to see how the page treats the tampered response.

It is good to note that, as an alternative, after step 5 one could simply start over: fill the email input with the admin address and any password, intercept that request, and pick up again at step 6. It really depends on your comfort with Burp Suite.
I hope this was helpful for you. I look forward to learning more and to someday finding some bugs.