RootMe - HTTP POST Headers

RootMe challenge walkthrough - HTTP - POST Headers

Mission
Find a way to beat the top score!

Analysis

  • The goal is to achieve a higher score than the current top (99999).
  • Playing normally will never let you win — the score is likely validated or sent from the client side.

Solution steps

  1. Intercept the POST request using Burp Suite (or any proxy) when submitting your score/game result.
  2. Locate the parameter that holds your score value (likely something like score=... or similar in the POST body or headers).
  3. Modify the score value to a number higher than 99999 (e.g., 100000 or 999999).
  4. Forward the modified request → you win the game with the new high score!

Key takeaway
Client-side games or score submissions often trust the browser to send the correct value. Intercepting and tampering with POST parameters (or headers) is a classic way to bypass “impossible” restrictions in web challenges.
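The trust problem described above, shown from the server's side as an added example (not code from the challenge or from the original post). It assumes the server itself computes the score and hands it to the browser to echo back; the names issue_result, submit_vulnerable, submit_hardened, the tag field and the session ids are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

TOP_SCORE = 99999                      # top score stated in the challenge
SERVER_KEY = secrets.token_bytes(32)   # hypothetical secret, never sent to the client


def _tag(session_id: str, score: int) -> str:
    """MAC binding a score to the session it was issued for."""
    msg = f"{session_id}:{score}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_result(score: int, session_id: str) -> str:
    """Assumption: the server computed `score`; build the body the browser posts back."""
    return f"score={score}&tag={_tag(session_id, score)}"


def submit_vulnerable(body: str) -> bool:
    """Weak form: accepts whatever score arrives in the POST body."""
    score = int(parse_qs(body)["score"][0])
    return score > TOP_SCORE


def submit_hardened(body: str, session_id: str) -> bool:
    """Hardened form: the score counts only if its MAC was issued by the server."""
    form = parse_qs(body)
    try:
        score = int(form["score"][0])
        tag = form["tag"][0]
    except (KeyError, ValueError):
        return False                   # missing or malformed fields are rejected
    if not hmac.compare_digest(tag, _tag(session_id, score)):
        return False                   # value was edited in transit or never issued
    return score > TOP_SCORE


if __name__ == "__main__":
    sid = "sess-1"                                    # constructed session id
    legit = issue_result(1234, sid)                   # constructed sample round
    edited = legit.replace("score=1234", "score=100000")
    print("vulnerable accepts edited body:", submit_vulnerable(edited))
    print("hardened accepts edited body:  ", submit_hardened(edited, sid))
```

A MAC only protects a value the server produced. If the score is computed in the browser, the server has to recompute it or keep it in server-side session state instead.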

Finished. Happy Hacking!

This post is licensed under CC BY 4.0 by the author.