Challenge Name: The Restricted Sessions

Mohamed Samir
3 min readSep 25, 2024


Flag is restricted to logged-in users only, can you be one of them?

As we can see, it tells us that we are not logged in, so we don’t have any flags to view. :( Let’s check the page source to look for any food, because I’m so hungry for flags!

As we can see here, there is a script, which is:

<script type="text/javascript">
// Runs only when the browser already holds at least one cookie.
if (document.cookie !== '') {
    // Pull the PHPSESSID value out of the cookie string and post it to the
    // server, which answers with the current user's info.
    // Note: match() returns null when no PHPSESSID cookie is present, so the
    // [1] access would throw in that case.
    $.post('getcurrentuserinfo.php', {
        'PHPSESSID': document.cookie.match(/PHPSESSID=([^;]+)/)[1]
    }, function (data) {
        cu = data; // keep the server's response in a global for later use
    });
}
</script>

What does that code mean? It reads the PHPSESSID value out of the browser's cookies and sends it to getcurrentuserinfo.php, which replies with the current user's info.

If there is no PHPSESSID or the value of the session ID doesn't reveal anything, you can try the next step.

Step 2: Manually Set a Session Cookie

Since the web page mentions that you’re “not logged in” and you don’t have access to the flag, you could try setting a valid session cookie. If you can guess or obtain a valid PHPSESSID, the server might treat you as a logged-in user.

But I found this response while trying to manually set a session cookie:

I tried to put a random value in the PHPSESSID cookie, and it gave me this response: “Session not found in data/session_store.txt.” So now I’ve identified a new path: data/session_store.txt. I will add it to the URL of the challenge:

iuqwhe23eh23kej2hd2u3h2k23
11l3ztdo96ritoitf9fr092ru3
ksjdlaskjd23ljd2lkjdkasdlk

And it gives me those values, so now I'm sure that one of those PHPSESSID values will work. But is it the only cookie that the web app uses to keep us logged in?

The answer is no. Let’s see what happens if I take one of those values and store it in the PHPSESSID value. What kind of response will we receive?

The UserInfo cookie doesn’t have the username, so validation failed. Now we know that there is another cookie, and its name is UserInfo. We don’t know its value, but we can use Burp Suite to perform a brute force attack using a username file. Let’s see our results:

As you can see, the UserInfo is “mary” in my case. I tried every line of my given PHPSESSID values until I found the right one that matched the UserInfo for “mary.” So I got the flag! I guess I could take it as breakfast because it’s 6:00 AM, dear. :)

Don’t share it with strangers:

Flag: sessionareawesomebutifitsecure
