HackTheBox Web I know Mag1k Challenge

Challenge By : rkmylo

Challenge Description :   Can you get to the profile page of the admin?

Points : 50

Author : Rehman S. Beg (HTB Profile : MrReh )


Start the instance and open the page. We get a login page, so let's register an account (the password should contain alphanumeric and special characters).

After logging in, the account doesn't look interesting, so we intercept the request in Burp Suite. Here we can see the iknowmag1k cookie.

After googling we found several interesting things, such as the padding oracle attack, which uses the way the server responds to valid and invalid padding to decrypt ciphertext block by block, one byte at a time. If you don't know about padding oracles, google it. We will decrypt the cookie's value using the padbuster tool.

Command :

profile url : http://docker.hackthebox.eu:31901/profile.php

cookie : 1wKY5FNCF3C6fJHwvjiaN4yqyPGtse%2FTC3BnjNQu7n2U495BvU1ieg%3D%3D

PHPsessionID : PHPSESSID=njmqjjt4298hb9s2a6b1lqu222

8 : block size

-encoding : encoding format 0

The output gives us ASCII, HEX and Base64 values. Now that we have the decrypted cookie data, we can create our own cookie. padbuster can do this as well: append “-plaintext "{\"user\":\"reh\",\"role\":\"admin\"}"” to the previous command and run it once again.

Now the output gives us the encrypted value. All we have to do is replace the cookie, and there we go.

FLAG : “HTB{Padd1NG_Or4cl3z_AR3_WaY_T0o_6en3r0ys_ArenT_tHey???}”          
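The forged cookie is accepted because nothing ties the ciphertext to the server that issued it. The Python below is an added example (not code from the challenge or from this write-up) of the encrypt-then-MAC fix: the tag over the IV and ciphertext is verified before any decryption or unpadding, so every modified cookie gets the same rejection and padding validity is never revealed. MAC_KEY, SAMPLE_CT and all function names are assumptions, and the CBC decryption that would follow open_sealed() is left to the application.

```python
import base64
import hashlib
import hmac
import secrets

MAC_KEY = secrets.token_bytes(32)  # assumption: server-only key, separate from the cipher key
TAG_LEN = 32                       # HMAC-SHA256 tag size in bytes
BLOCK = 8                          # block size from the write-up
SAMPLE_CT = bytes(range(40))       # constructed stand-in: IV + 4 CBC blocks of 8 bytes


class InvalidCookie(Exception):
    """Raised for every failure, so all rejections look identical to the client."""


def _tag(ciphertext: bytes) -> bytes:
    return hmac.new(MAC_KEY, ciphertext, hashlib.sha256).digest()


def seal(ciphertext: bytes) -> str:
    """Encrypt-then-MAC: append a tag computed over the IV and ciphertext."""
    return base64.urlsafe_b64encode(ciphertext + _tag(ciphertext)).decode()


def open_sealed(cookie: str) -> bytes:
    """Return the ciphertext only if its tag verifies; decrypt and unpad after this."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        raise InvalidCookie("invalid cookie") from None
    ct, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    ok = hmac.compare_digest(tag, _tag(ct))  # constant-time comparison
    if not ok or not ct or len(ct) % BLOCK:
        raise InvalidCookie("invalid cookie")
    return ct


def responses_to_tampering(cookie: str) -> set:
    """Flip one bit in every ciphertext byte and collect the distinct outcomes."""
    raw = base64.urlsafe_b64decode(cookie)
    outcomes = set()
    for i in range(len(raw) - TAG_LEN):
        mutated = bytearray(raw)
        mutated[i] ^= 0x01
        try:
            open_sealed(base64.urlsafe_b64encode(bytes(mutated)).decode())
            outcomes.add("accepted")
        except InvalidCookie as exc:
            outcomes.add(str(exc))
    return outcomes
```

With the tag in place, responses_to_tampering() returns a single outcome for all 40 modified cookies, which is the property a padding oracle needs to be absent.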
