[Day 2] Elf HR Problems

{Web Exploitation = Cookie Manipulation}


Last updated 3 years ago


Story

McSkidy needs to check if any other employee elves have left or been affected by the Grinch Industries attack, but the systems that hold the employee information have been hacked. Can you hack them back to determine if the other teams in the Best Festival Company have been affected?

Challenge

Accessing the site reveals a login form as shown below.

I registered an account to get an idea of what's going on in the application.

After registering, the site announced that I didn't have permission to register for an account, as shown below.

Taking a look at the cookies created by the site, we can see 2 values.

What is the name of the new cookie that was created for your account?

  • user-auth

Decoding the cookie with CyberChef reveals that hexadecimal encoding was used.

What encoding type was used for the cookie value?

  • hexadecimal

Decoding as hex, we are able to see the values in JSON format.

What object format is the data of the cookie stored in?

  • json

Now let's modify the username field to admin and re-encode it.

What is the value of the administrator cookie? (username = admin)

  • 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d

Now let's replace the existing cookie value with the value we just re-encoded.

After hitting refresh, the admin page appears on screen.

What team environment is not responding?

  • HR

What team environment has a network warning?

  • Application
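The edited cookie is accepted because hex is an encoding, not an integrity control: nothing ties the value to the server that issued it. The following is an added example, not code from the challenge or from TryHackMe, showing the unsigned scheme beside a hardened form that attaches an HMAC-SHA256 tag and rejects any altered value. The function names, the `.` separator, the sample username `elf` and the randomly generated key are assumptions, and the payload is written as strict JSON.

```python
import hashlib
import hmac
import json
import secrets

# Constructed key for this example; a real service loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def encode_unsigned(session: dict) -> str:
    """Weak form: hex-encoded JSON with no integrity protection."""
    return json.dumps(session, sort_keys=True).encode().hex()


def decode_unsigned(cookie: str) -> dict:
    """Trusts whatever the client sends, so an edited username is accepted."""
    return json.loads(bytes.fromhex(cookie))


def _tag(payload: str, key: bytes) -> str:
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def encode_signed(session: dict, key: bytes = SERVER_KEY) -> str:
    """Hardened form: the same hex payload plus an HMAC-SHA256 tag over it."""
    payload = encode_unsigned(session)
    return f"{payload}.{_tag(payload, key)}"


def decode_signed(cookie: str, key: bytes = SERVER_KEY):
    """Return the session dict, or None if the tag is missing or does not match."""
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return None  # unsigned cookie: reject instead of falling back
    # Compare as bytes in constant time; also copes with non-ASCII input.
    if not hmac.compare_digest(_tag(payload, key).encode(), tag.encode()):
        return None
    return json.loads(bytes.fromhex(payload))


def tamper(cookie: str, new_username: str) -> str:
    """Client-side edit as in the walkthrough; any existing tag is left as-is."""
    payload, sep, tag = cookie.partition(".")
    session = json.loads(bytes.fromhex(payload))
    session["username"] = new_username
    return encode_unsigned(session) + sep + tag
```

Signing only detects modification; the role decision itself is better kept server-side, keyed by an opaque session identifier, so the client never holds the username field at all.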
