# \[Day 2] Elf HR Problems

## Story

McSkidy needs to check if any other employee elves have left/been affected by Grinch Industries attack, but the systems that hold the employee information have been hacked. Can you hack them back to determine if the other teams in the Best Festival Company have been affected?

## Challenge

Accessing the site reveals a login form as shown below.

![](/files/oqXcBLThH3gBZkKilagh)

I registered an account to get an idea of what's going on in the application.

![](/files/6v4DNByYL8edPh0U0nkx)

After registering, the site announced that I didn't have permission to register for an account, as shown below.

![](/files/bNvHVhgp4uOHUGKSUrcX)

Taking a look at the cookies created by the site, we can see 2 values.

![](/files/DuNpciFAQNqEL6wZ0wux)

{% hint style="success" %}
What is the name of the new cookie that was created for your account?

* user-auth
  {% endhint %}

Decoding the cookie with CyberChef reveals that `hexadecimal` encoding was used.

![](/files/NcxNzttb43EVnhezY1eY)

{% hint style="success" %}
What encoding type was used for the cookie value?

* hexadecimal
  {% endhint %}

Decoding as hex, we are able to see the values in `JSON` format.

![](/files/1U32BmisnRKxuP75t44y)

{% hint style="success" %}
What object format is the data of the cookie stored in?

* json
  {% endhint %}

Now let's modify the username field to `admin` and re-encode it.

![](/files/EkzjU6hUSKTnur0d64et)

{% hint style="success" %}
What is the value of the administrator cookie? (username = admin)

* 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d
  {% endhint %}

Now let's replace the existing cookie value with the value we just re-encoded.

![](/files/dRoXqi79iijuxcmyl5O7)

After hitting refresh, the admin page appears on screen.

![](/files/UFhdvJrjISQqpLJ8f8m0)

{% hint style="success" %}
What team environment is not responding?

* HR
  {% endhint %}

{% hint style="success" %}
What team environment has a network warning?

* Application
  {% endhint %}
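
The cookie edit above works because the server trusts a value that is only hex-encoded, and encoding is not integrity protection. As an added example (not part of the original write-up or the challenge's code), the sketch below decodes the page's cookie value and then shows the same kind of payload carried with an HMAC-SHA256 tag, so a client-side edit is rejected. The key, the `elf` username and all function names are assumptions made for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real application loads a random secret from server-side config.
SERVER_KEY = b"constructed-demo-key"

# Admin cookie value taken from the answer on this page.
PAGE_ADMIN_COOKIE = (
    "7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c20"
    "6973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d"
)


def decode_unsigned(cookie_hex: str) -> str:
    """Hex is reversible by anyone, so the client can read and rewrite every field."""
    return bytes.fromhex(cookie_hex).decode()


def _tag(payload_hex: str) -> str:
    return hmac.new(SERVER_KEY, payload_hex.encode(), hashlib.sha256).hexdigest()


def issue_cookie(claims: dict) -> str:
    """Hex-encode the claims and append a tag only the server can compute."""
    payload = json.dumps(claims, sort_keys=True).encode().hex()
    return f"{payload}.{_tag(payload)}"


def verify_cookie(cookie: str):
    """Return the claims if the tag matches the payload, otherwise None."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        return None
    return json.loads(bytes.fromhex(payload))


def swap_payload(cookie: str, claims: dict) -> str:
    """Simulate a client that rewrites the payload but can only reuse the old tag."""
    tag = cookie.rpartition(".")[2]
    return json.dumps(claims, sort_keys=True).encode().hex() + "." + tag


if __name__ == "__main__":
    user = {"company": "The Best Festival Company", "isregistered": "True", "username": "elf"}
    issued = issue_cookie(user)
    print(decode_unsigned(PAGE_ADMIN_COOKIE))
    print(verify_cookie(issued))
    print(verify_cookie(swap_payload(issued, {**user, "username": "admin"})))
```

Signing only detects edits; the server should still decide admin access from its own session or role store rather than from a username carried in the cookie.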

