TryHackMe: Advent of Cyber [Day 1] Inventory Management

Samantha
5 min read · Sep 9, 2020

Room: Advent of Cyber

Difficulty: Beginner

“Elves needed a way to submit their inventory — they have a web page where they submit their requests and elf McInventory can look at what others have submitted to approve their requests. It’s a busy time for McInventory as elves are starting to put in their orders. McInventory rushes into McElferson’s office:

I don’t know what to do. We need to get inventory going. Elves can log on but I can’t actually authorize people’s requests! How will the rest start manufacturing what they want?

McElferson calls you to take a look at the website to see if there’s anything you can do to help.”

For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.

Question #1: What is the name of the cookie used for authentication?

On your OpenVPN or Kali Machine, open up an internet browser and navigate to http://<your_machines_ip>:3000. Your machine IP is the VM you just deployed from the question.

This is what you should be seeing:

Because we are looking for cookies, let’s right click on the page and choose “Inspect Element (Q)”. You can also use a tool like Burp Suite to accomplish these tasks, but in some situations it may be easier and quicker just to use Inspect Element.

From here we want to make our way to the Storage tab so we can view the cookies.

It’s empty now since no one has logged on. In order to generate some cookies, let’s register for the website and log in.

After logging into your new Christmas Inventory account, you will now see that a cookie has been generated in the Inspect Element section.

With this information, we can easily see the flag for Question #1.

Question #2: If you decode the cookie, what is the value of the fixed part of the cookie?

Let’s decode the value section in a decoder to see what it says in plain text. I like to use a tool called CyberChef.

Open up CyberChef in a different browser tab, click on your cookie value, copy, and then paste that into CyberChef’s input section. Yours will look different than mine.

So in order to use CyberChef and get something legible in the output section, we need to find the correct recipe. Cookies are commonly encoded using Base64.

Let’s drag “From Base64” into the recipe section so CyberChef can start baking.

The username that I chose was “AlienMoo”.

Using a fixed or predictable cookie value is something that an attacker can definitely leverage. It means that a given user's cookie is always the same, and that cookies differ from one user to the next only in predictable ways.

If we registered a couple more fake users and repeated this same process to find that the decoded cookie values were username<same value as above>, we would be able to tell that this website was set up to accept fixed/predictable cookie values. We could then exploit that to log into anyone’s account that we have the username for.

This is what happens with another user I just registered named “Santa”:

As I suspected, santa<same value as above> means we are indeed dealing with a predictable cookie value.

We now have our flag for Question #2.

Question #3: After accessing his account, what did the user McInventory request?

We know we need to get into McInventory’s account so that he can start approving inventory requests for the elves and we can find our flag, so let’s change our input to mcinventory<predictable value>.

We will reverse the process with CyberChef. This time, instead of decoding FROM Base64, let’s encode mcinventory<predictable value> TO Base64.

Now let’s copy our CyberChef output so that we can manually place it in the cookie value slot, back in the Inspect Element area.

bWNpbnZlbnRvcnl2NGVyOWxsMSFzcw==

Hit enter, and then refresh the page. You have successfully hacked into McInventory’s account!

From the entries listed here, we can see the item that McInventory approved, and have captured our last flag!

Thanks for following along! I hope this was both fun and educational. The lesson here is NOT to let your server use fixed values for cookies. Instead, the server should generate a new random cookie value every time a user authenticates, so that the value is unpredictable.
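To make that lesson concrete, here is the weak cookie scheme from this room beside a hardened one, as an added example that is not code from the room or from the original post. `FIXED_SUFFIX` is a constructed placeholder, the function and class names are hypothetical, and the in-memory dict stands in for a real server-side session store.

```python
import base64
import secrets
from typing import Optional

FIXED_SUFFIX = "FIXEDPART"  # constructed placeholder, not the room's real value


def weak_cookie(username: str) -> str:
    """Scheme the writeup describes: Base64(username + fixed suffix)."""
    return base64.b64encode((username + FIXED_SUFFIX).encode()).decode()


def weak_lookup(cookie: str) -> Optional[str]:
    """Server side of the weak scheme: the cookie itself names the user."""
    try:
        decoded = base64.b64decode(cookie, validate=True).decode()
    except ValueError:  # bad Base64 or bad UTF-8
        return None
    if decoded.endswith(FIXED_SUFFIX) and len(decoded) > len(FIXED_SUFFIX):
        return decoded[: -len(FIXED_SUFFIX)]
    return None


class SessionStore:
    """Hardened form: random cookie value, identity kept server-side."""

    def __init__(self) -> None:
        self._sessions = {}  # token -> username (in-memory stand-in)

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._sessions[token] = username
        return token

    def lookup(self, cookie: str) -> Optional[str]:
        return self._sessions.get(cookie)

    def logout(self, cookie: str) -> None:
        self._sessions.pop(cookie, None)


if __name__ == "__main__":
    store = SessionStore()
    print("weak, same user twice:  ", weak_cookie("alice") == weak_cookie("alice"))
    print("random, same user twice:", store.login("alice") == store.login("alice"))
    print("weak lookup of computed cookie: ", weak_lookup(weak_cookie("bob")))
    print("store lookup of computed cookie:", store.lookup(weak_cookie("bob")))
```

With the random token, the cookie carries no username at all, so a value computed from a username matches no session, and logging out invalidates the token on the server.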

Happy Hacking! ❤
