alright this one is a tricky one. It took me some time to figure it out. So at first I spent about 1/2 hr trying to figure out what is happening. But when I saw a register page I got a feeling it had something to do with cookie injection. So I started up Burp Suite and logged in. All I had was a "PHPSESSID". I spent some time googling to see if there was anything up with PHPSESSID, but almost everything was a dead end. Then, when I was going through the Burp Suite history, I saw there were 2 deleted cookies from when I was logging in.
Those seemed like something to be concerned about. After spending some time messing around, I logged in again and this time ticked "Remember me". Then I saw those two cookie parameters were saved in the session.
Now both parameters seem to be encoded with base64, so I used Ruby to decode the base64:
root@bt:~# echo "require 'base64'; puts Base64.decode64('bnVrZTk5')" | ruby
So it's the obvious answer: my username 'nuke99'. So I encoded the username "admin' or 'x'='x" and replaced the value of the "usernamesch6" parameter with it:
root@bt:~# echo "require 'base64'; puts Base64.encode64('admin\' or \'x\'=\'x')" | ruby
And now I'm logged in as the admin. Alright, now go to "members-only.php" and submit your name with the replaced admin session.
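As an added example (not from the original post or the challenge), here is the same cookie scheme in Ruby next to a fixed one: the challenge's remember-me cookie is only base64 of the username, so anyone can decode, change and re-encode it, while a server-side HMAC over the cookie value makes that tampering detectable. The secret and the cookie name are constructed placeholders, not values from the challenge.

```ruby
require 'base64'
require 'openssl'

# Constructed placeholder; a real server keeps this out of source control.
SECRET = 'example-server-secret-not-the-challenge-key'

# What the challenge does: the cookie is just base64(username), so the
# client fully controls what the server reads back.
def unsigned_cookie(username)
  Base64.strict_encode64(username)
end

def read_unsigned_cookie(value)
  Base64.strict_decode64(value)
rescue ArgumentError
  nil
end

# Hardened form: base64(username) + "." + hex(HMAC-SHA256(secret, payload)).
def signed_cookie(username)
  payload = Base64.strict_encode64(username)
  "#{payload}.#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)}"
end

# Constant-time comparison so the MAC check cannot be probed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the username only if the MAC matches, nil for anything tampered.
def read_signed_cookie(value)
  payload, mac = value.to_s.split('.', 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', SECRET, payload)
  return nil unless secure_equal?(expected, mac)
  Base64.strict_decode64(payload)
rescue ArgumentError
  nil
end

# Simulates the write-up's edit: swap the base64 payload, keep the old MAC.
def tampered_cookie(original, new_username)
  _, mac = original.split('.', 2)
  "#{Base64.strict_encode64(new_username)}.#{mac}"
end
```

With the unsigned scheme the swapped value is accepted as-is; with the signed scheme read_signed_cookie returns nil, and the server should treat that as "not logged in" and log the failed check.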
OK, now cya until the next challenge.