CyberTalents CTF: Admin Has The Power

When directed to the page, the first thing I do is take a look at the HTML with ‘Inspect Element’ in my browser window.

This element is particularly interesting, because it seems as though the creator has made a support account and left the credentials in a comment line (not common, but not unheard of either). The comment line in the bottom of the above image reads, “TODO: Remove this line , for maintenance purpose use this info (user:support password:x34245323)”. At this point, this is the first thing that I try before looking for things like hidden fields, functions that produce cookies, testing for XSS, SQL injection, etc. To no surprise, the login works, and I am greeted with this screen:

Again, since there is nothing useful to see in the rendered HTML, I go back to ‘Inspect Element’ to see if I can find anything interesting. I notice that, since I am logged in, I should have a cookie for the established session. When I check there, this is what I find:

Here we see that there are two cookies that have been given to us by the server: PHPSESSID and role. Since the role cookie is in clear text, it is clear what our assigned role actually is. Out of curiosity, I ask myself, “What if I manually change my role from support to admin?” This is as simple as editing the cookie that is on my browser’s side and resubmitting it to the server.

A quick refresh of the page, and I am greeted with this next screen:

As we can see from this screen, the back end server accepted our cookie change and granted us administrative access to the website, revealing the flag, ‘hiadminyouhavethepower’.
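
The root cause is that the server authorizes on the client-editable role cookie. As an added example (not code from the challenge, whose server side is not shown here), this Python model contrasts that check with one that reads the role from server-side session state, adds a mismatch check for detection, and shows a session-bound HMAC for cases where the role must stay in a cookie. The account names, session store and signing key are constructed assumptions.

```python
import hashlib
import hmac
import secrets

SESSIONS = {}                          # server-side store: session id -> role
SIGNING_KEY = secrets.token_bytes(32)  # assumed per-deployment secret
ACCOUNTS = {"support": "support", "root": "admin"}  # constructed accounts

def login(user):
    """Server decides the role at login and keeps its own copy."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = ACCOUNTS[user]
    return {"PHPSESSID": sid, "role": ACCOUNTS[user]}

def is_admin_vulnerable(cookies):
    """The flaw from the write-up: trust the client-supplied role cookie."""
    return cookies.get("role") == "admin"

def is_admin_hardened(cookies):
    """Authorize only on the role stored server-side for this session."""
    return SESSIONS.get(cookies.get("PHPSESSID", "")) == "admin"

def role_cookie_tampered(cookies):
    """Detection: the role cookie disagrees with the server's record."""
    role = SESSIONS.get(cookies.get("PHPSESSID", ""))
    return role is not None and cookies.get("role") != role

def _tag(sid, role):
    msg = f"{sid}:{role}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()

def sign_role(sid, role):
    """Alternative when the role must live in a cookie: bind it to the session."""
    return f"{role}.{_tag(sid, role)}"

def verify_role(sid, value):
    """Return the role if the tag matches this session, else None."""
    role, _, tag = value.rpartition(".")
    ok = hmac.compare_digest(tag.encode(), _tag(sid, role).encode())
    return role if ok else None

if __name__ == "__main__":
    cookies = login("support")
    forged = dict(cookies, role="admin")   # the edit described in the write-up
    print(is_admin_vulnerable(forged), is_admin_hardened(forged),
          role_cookie_tampered(forged))
```

A request flagged by `role_cookie_tampered` is worth logging, since a legitimate browser never changes that value on its own.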
