damo.clanteam.com Security Challenge VI [Writeup]

alright this one is a tricky one . got some time for me to figure it out . so on first I spend about 1/2 hr trying to figure out what is happening . but when I saw a register page I got a feeling it has something to do with cookie  injection . so I started up Burp Suite and I logged in . all I had was a “PHPSESSID”  . I spend some time googling to see if there is anything up PHPSESSID . so almost everything was a dead end . but then when I was going trough Burp Suite history . I saw there were 2 deleted cookies when I was logging


those seemed like something to be concerned . after spending some time messing around . when I was logging in again . I ticked on  “Remember me” . so then I saw those two cookie parameters were saved in the session .


Now both parameters seems to be encrypted with base64 .so I used ruby to decode the base64

root@bt:~# echo “require ‘base64’; puts Base64.decode64(‘bnVrZTk5’)” | ruby

so its the obvious answer my ‘nuke99′ (username) so I encoded username “admin’ or ‘x’=’x”  and replace the parameter “usernamesch6” value .

root@bt:~# echo “require ‘base64’; puts Base64.encode64(‘admin\’ or \’x\’=\’x’)” | ruby



and now I’m logged in as the Admin. alright now goto the “members-only.php” and Submit your name with the replaced Admin session



Ok now cya until the next challenge


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s