“McSkidy needs to check if any other employee elves have left/been affected by Grinch Industries attack, but the systems that hold the employee information have been hacked. Can you hack them back to determine if the other teams in the Best Festival Company have been affected?”
Learning Objectives:
- Understanding the underlying technology of web servers and how the web communicates.
- Understand what cookies are and their purpose.
- Learn how to manipulate and manage cookies for malicious use.
Link to Room: https://tryhackme.com/room/adventofcyber3
Question #1: What is the name of the new cookie that was created for your account?
Looks like today’s challenge will focus on manipulating cookies to gain privileged access.
The instructions state: “Register an account, and verify the cookies using the Developer Tools in your browser.”
Here is the website and login screen:
If you try to register an account, it will just tell you that you don’t have permission to do so. From here though, you can check out the cookies.
You can see the cookie by pressing F12 or right clicking anywhere on the screen and choosing “Inspect”. Some browsers are different than others. I usually use Firefox but for some reason I’m in Google Chrome today.
This shows the name of the cookie:
user-auth
Question #2: What encoding type was used for the cookie value?
Here, you can see that the cookie is encoded:
This looks like Hex.
hexadecimal
Question #3: What object format is the data of the cookie stored in?
I decoded it in CyberChef:
To me this appears to be JSON:
{company: “The Best Festival Company”, isregistered:”True”, username:”AlienMoo”}
Question #4: What is the value of the administrator cookie? (username = admin)
Now that I know the structure of the cookie, I can change it to anything I want and then reload the website. We already know that the username is “admin”. You can use CyberChef again to retrieve the admin cookie in Hex:
7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d
Question #5 What team environment is not responding?
You can just paste this over the original cookie value and then refresh the webpage normally. It will then pass your cookie to the server with the credentials you want.
Success!
We can see that HR is in red status.
HR
Question #6: What team environment has a network warning?
You can also see that “Application” is in yellow status.
Application
Happy Holidays! ❤
