|
| 1 | +## Examining and editing the cookies set by the web server during your online session can have multiple outcomes, such as unauthenticated access, access to another user's account, or elevated privileges. If you need a refresher on cookies, check out the HTTP In Detail room on task 6. |
| 2 | +## The contents of some cookies can be in plain text, and it is obvious what they do. Take, for example, if these were the cookie set after a successful login: |
| 3 | + |
| 4 | +# Set-Cookie: logged_in=true; Max-Age=3600; Path=/ |
| 5 | +# Set-Cookie: admin=false; Max-Age=3600; Path=/ |
| 6 | + |
| 7 | +We see one cookie (logged_in), which appears to control whether the user is currently logged in or not, and another (admin), which controls whether the visitor has admin privileges. Using this logic, if we were to change the contents of the cookies and make a request we'll be able to change our privileges. |
| 8 | + |
| 9 | +First, we'll start just by requesting the target page: |
| 10 | + |
| 11 | +Curl Request 1 |
| 12 | +# user@tryhackme$ curl http://MACHINE_IP/cookie-test |
| 13 | +- We can see we are returned a message of: Not Logged In |
| 14 | + |
| 15 | +Now we'll send another request with the logged_in cookie set to true and the admin cookie set to false: |
| 16 | + |
| 17 | +Curl Request 2 |
| 18 | +# user@tryhackme$ curl -H "Cookie: logged_in=true; admin=false" http://MACHINE_IP/cookie-test |
| 19 | +- We are given the message: Logged In As A User |
| 20 | + |
| 21 | +Finally, we'll send one last request setting both the logged_in and admin cookie to true: |
| 22 | + |
| 23 | +Curl Request 3 |
| 24 | +# user@tryhackme$ curl -H "Cookie: logged_in=true; admin=true" http://MACHINE_IP/cookie-test |
| 25 | +- This returns the result: Logged In As An Admin as well as a flag which you can use to answer question one. |
| 26 | + |
| 27 | +CookieHashing |
| 28 | + |
| 29 | +# Sometimes cookie values can look like a long string of random characters; these are called hashes which are an irreversible representation of the original text. Here are some examples that you may come across: |
| 30 | + |
| 31 | +Original String |
| 32 | +Hash Method |
| 33 | +Output |
| 34 | +1 |
| 35 | +md5 |
| 36 | +c4ca4238a0b923820dcc509a6f75849b |
| 37 | +1 |
| 38 | +sha-256 |
| 39 | +6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| 40 | +1 |
| 41 | +sha-512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
| 42 | +1 |
| 43 | +sha1 |
| 44 | +356a192b7913b04c54574d18c28d46e6395428ab |
| 45 | + |
| 46 | +## You can see from the above table that the hash output from the same input string can significantly differ depending on the hash method in use. Even though the hash is irreversible, the same output is produced every time, which is helpful for us as services such as https://crackstation.net/ keep databases of billions of hashes and their original strings. |
| 47 | + |
| 48 | +Encoding |
| 49 | + |
| 50 | +Encoding is similar to hashing in that it creates what would seem to be a random string of text, but in fact, the encoding is reversible. So it begs the question, what is the point in encoding? Encoding allows us to convert binary data into human-readable text that can be easily and safely transmitted over mediums that only support plain text ASCII characters. |
| 51 | + |
| 52 | +## Common encoding types are base32 which converts binary data to the characters A-Z and 2-7, and base64 which converts using the characters a-z, A-Z, 0-9,+, / and the equals sign for padding. |
| 53 | + |
| 54 | +Take the below data as an example which is set by the web server upon logging in: |
| 55 | + |
| 56 | +# Set-Cookie: session=eyJpZCI6MSwiYWRtaW4iOmZhbHNlfQ==; Max-Age=3600; Path=/ |
| 57 | + |
| 58 | +## This string base64 decoded has the value of {"id":1,"admin": false} we can then encode this back to base64 encoded again but instead setting the admin value to true, which now gives us admin access. |
0 commit comments