
DaNeil C


0x00SEC CTF - Exercise #2

This weekend I took a dive into 0x00Sec's new bi-monthly CTF.

  • CTF Name: Exercise #2
  • Resource: 0x00SEC
  • Difficulty: Oddly Easy
  • Number of Flags: 1

Note::: NO, I won't be posting the found flag{}, but I will be posting the methods I used.


Flag0

  • Hint: Note in the Source Code of
    <!-- TODO: -->
    <!-- * Implement secure sessions -->

  • Acquired By:

    • First thing to do is to just look at the source code. This shows nothing specific except the hint. All scripts in use are Bootstrap, and nothing looks custom.
    • Second thing is to see what is happening when a login is attempted with a "test:test" username:password combo. This showed that there was a "Cookie: PHPSESSID" being passed to the application.
    • Third: Now I want to look at that cookie and see what it is. Looking at the string "YXV0aGVudGljYXRlZD1mYWxzZQo%3D", it looks like there is some URL-encoding, so let's filter that out. For this I just Googled "%3d" to see what it decoded to.
    • Fourth: Now that I know it is URL encoded, I used Burp Suite's Decoder to take it a step further. Because the URL decoding reveals an '=' at the end (Base64 padding), I can see that it is Base64 encoded, so I now use Burp's Base64 decoder. This shows me that it is a simple phrase of "authenticated=false". Can I make it "true" and get it to accept any login?
    • Fifth thing I'm going to do is change the "false" to "true", re-encode it, and try to get the site to accept it. For this I used Burp again.
    • Sixth: I passed the request to the "Burp Repeater", pasted in my new encoded Cookie, resent the request, and poof! Flag is in the Response.
    • Note: This can also be done in the browser by modifying the request and viewing the response in the Network Tab.
  • Thoughts:
    This was... oddly easy compared to the first exercise that I did. It took more time to write this up than it did to solve it.

Learned

This CTF taught me about authorization cookies that simply carry true or false without the server verifying the user. This application did not give me an option to Register, but I was able to bypass that by forcing it to accept my authorization by modifying the cookie. This is not a secure way to validate a user, and the cookie should be more than just "authenticated=true". I will be looking more into ways to use the cookie for security in a later blog post.
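To show both the decoding steps from the walkthrough and why "authenticated=true" on its own is not enough, here is an added example (not the CTF application's code, and not from the original post). It decodes the observed cookie value, shows the flawed check that trusts the client, and contrasts it with an assumed hardened check where the server signs the session state with an HMAC using a secret the client never sees; `SERVER_SECRET` and the `state|tag` layout are my assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import quote, unquote

# Cookie value observed in the write-up: Base64 text that was then URL-encoded.
OBSERVED_COOKIE = "YXV0aGVudGljYXRlZD1mYWxzZQo%3D"


def decode_cookie(value: str) -> str:
    """URL-decode, then Base64-decode (the two Burp Decoder steps from the write-up)."""
    return base64.b64decode(unquote(value)).decode()


def encode_cookie(plaintext: str) -> str:
    """Inverse of decode_cookie: Base64 first, then URL-encode so '=' becomes %3D."""
    return quote(base64.b64encode(plaintext.encode()).decode(), safe="")


def naive_is_authenticated(cookie: str) -> bool:
    """The flawed server check: it trusts whatever the client sends; nothing binds it to the server."""
    return decode_cookie(cookie).strip() == "authenticated=true"


# Hardened form (assumed, not the CTF app's code): a server-only secret signs the state.
SERVER_SECRET = secrets.token_bytes(32)


def issue_signed_cookie(state: str, key: bytes = SERVER_SECRET) -> str:
    """Server side: append an HMAC-SHA256 tag so the client cannot alter the state unnoticed."""
    tag = hmac.new(key, state.encode(), hashlib.sha256).hexdigest()
    return encode_cookie(f"{state}|{tag}")


def signed_is_authenticated(cookie: str, key: bytes = SERVER_SECRET) -> bool:
    """Server side: recompute the tag and compare in constant time; reject anything that fails."""
    try:
        state, tag = decode_cookie(cookie).rsplit("|", 1)
    except ValueError:  # bad Base64, bad UTF-8, or no separator
        return False
    expected = hmac.new(key, state.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected) and state == "authenticated=true"


if __name__ == "__main__":
    print(decode_cookie(OBSERVED_COOKIE).strip())  # authenticated=false
    forged = encode_cookie("authenticated=true\n")
    print(naive_is_authenticated(forged), signed_is_authenticated(forged))  # True False
```

A signature only proves the server issued the value; the more common fix is an opaque random session ID whose state lives server-side, so the cookie carries no claim at all.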


Happy Hacking

Resources

  1. https://ctf.0x00sec.org/

Please note that I am still learning. If something that I have stated is incorrect, please let me know. I would love to learn more about what I may not understand fully.
