[Day 1] Web Exploitation A Christmas Crisis
So the first day is a nice easy
Web Exploitation task. This goes overs cookies and cookie manipulation. Not reall that much to say on this one.... watch the video and start hacking.
For this one it is useful to have Cyber Chef open in a tab. If you have not used it before
Cyber Chef is a great tool that will aid you on your pentest journey......
Deploy your AttackBox (the blue "Start AttackBox" button) and the tasks machine (green button on this task) if you haven't already. Once both have deployed, open FireFox on the AttackBox and copy/paste the machines IP into the browser search bar.
Click the button :)
Register for an account, and then login..
One the machine has deployed goto the
IP Address in your browser, fill out the
password field and click
What is the name of the cookie used for authentication?
The easiest way to get this is to open
developer tools in your browser, this is normally achieved via using
F12. For instance using
firefox the cookie name is in the
In what format is the value of this cookie encoded?
If you copy the value of the cookie into
Cyber Chef and use the
magic recipe you can find the short hand name of the encoding, the answer requires the full version.
Having decoded the cookie, what format is the data stored in?
Once you have the cookie you will need to do some research on this.... hint below
Figure out how to bypass the authentication.
Once you have decoded your cookie you should be able to spot the way to exploit the system. HINT: The cookie only has 2 fields and only 1 which would change for different users
What is the value of Santa's cookie?
from the above alter the cookie for
santa, once done you will need to encode this using the encoding your found above. You can do this using
Now that you are the santa user, you can re-activate the assembly line! What is the flag you're given when the line is fully active?
Once you have the cookie for
santa using the developer tools you can overwrite your cookie with Santa's and refresh the page. Once you are Sant you can toggle the buttons and the
flag will appear at the bottom of the page.