Secure Delaware CTF: External Pentest Writeup
Charles Adams
CEO & Co-Founder at Exploit Strike | Offensive Security Professional | Helping Businesses Stay Secure with Penetration Testing | Marine Corps Veteran
Problem Description
You are presented with a web application hosted by a (fake) company called ArdvarkSec. The application contains a login page that sets cookies based on the user’s authentication status. Your goal is to gain access to the admin interface and retrieve the flag.
Step 1: Analyze the Page
Upon visiting the page, you notice there is a login form requiring a username and password. You try admin:admin with no luck.
Step 2: Inspecting the Cookie
The first step is to inspect the cookie the server set on the unauthenticated response. You can do this from the Network or Application (Storage) tab of Chrome's developer tools, where you find a cookie named `auth`. Its value contains only letters, digits and padding characters, so intuition says it is Base64-encoded:
dW5hdXRo
Using a simple command in the terminal (`echo dW5hdXRo | base64 -d`), you find that the value is `unauth`, which indicates that you are currently not authenticated. Note that Base64 is an encoding, not encryption: anyone holding the cookie can read it, and anyone can produce a new one.
You can also use CyberChef, a very helpful data manipulation tool, to encode and decode data.
Step 3: Cookie Manipulation
Since the cookie value is simply Base64-encoded and nothing appears to sign or verify it, you can try changing it to `user` or `admin` to see if you can gain access. You decide to encode the word `admin` in Base64. Running `echo -n admin | base64` gives the encoded value (the `-n` matters: without it `echo` appends a newline, the output becomes `YWRtaW4K`, and the server would compare against `admin\n` rather than `admin`):
YWRtaW4=
Alternatively, CyberChef's "To Base64" operation produces the same encoded `admin` cookie value.
Step 4: Setting the Cookie
Next, you use Postman to replay the request with the `auth` cookie value changed to `YWRtaW4=` (editing the cookie in place in the browser's developer tools works just as well). After refreshing the page, you see a different message indicating a successful login as the admin. No password was ever required; the server trusted the client-supplied cookie as proof of identity.
Step 5: Flag Retrieval
With the auth cookie set to admin, the page shows a welcome message for the admin user, and you can retrieve the flag displayed on the page:
CTF Flag: securede{0of_st4le_c00kies}
Step 6: Lessons Learned
Summary
This challenge demonstrates how weak authentication mechanisms, such as a Base64-encoded role stored in a cookie with no server-side verification, can be exploited to gain unauthorized access to sensitive areas of a web application. Base64 only obscures the value; it provides no confidentiality and no integrity, so the client can decode it, change it and send it back. The fix is not to "encrypt" the role but to stop trusting the client with it: issue a random, unguessable session identifier and keep the role server-side, or, if state must live in the cookie, sign it (for example with an HMAC) and verify the signature on every request, along with the usual cookie hygiene (`HttpOnly`, `Secure`, `SameSite`).
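To make the lesson concrete, here is an added example, written for this writeup and not code from the ArdvarkSec challenge itself, that models both sides of Steps 2 through 5: a reconstruction of the vulnerable check (decode the cookie, trust whatever it says) next to a hardened HMAC-signed cookie that rejects the same forgery. The function names, the cookie format `payload.hexmac`, and the per-process key are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# --- Vulnerable pattern (assumed reconstruction of what the CTF server did) ---

def vulnerable_role_from_cookie(auth_cookie: str) -> str:
    """Grant whatever role the cookie decodes to. Nothing is verified."""
    try:
        return base64.b64decode(auth_cookie, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "unauth"


def forge_cookie(role: str) -> str:
    """What the attacker did in Step 3: Base64 the desired role (no trailing newline)."""
    return base64.b64encode(role.encode("utf-8")).decode("ascii")


# --- Hardened pattern: HMAC-signed value, verified on every request ---

# Secret held only by the server; generated fresh each run for this example.
SERVER_KEY = secrets.token_bytes(32)


def sign_cookie(role: str, key: bytes = SERVER_KEY) -> str:
    """Build 'payload.mac' where mac = HMAC-SHA256(key, payload)."""
    payload = base64.urlsafe_b64encode(role.encode("utf-8")).decode("ascii")
    mac = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY) -> str:
    """Return the role only if the MAC checks out; anything else is 'unauth'."""
    payload, sep, mac = cookie.partition(".")
    if not sep:
        return "unauth"  # unsigned cookie, e.g. the plain 'YWRtaW4=' forgery
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "unauth"  # payload or MAC tampered with
    try:
        return base64.urlsafe_b64decode(payload).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "unauth"


def demo() -> dict:
    """Run the attack against both implementations and report what each granted."""
    forged = forge_cookie("admin")                      # 'YWRtaW4='
    legit = sign_cookie("unauth")                       # what a hardened server would issue
    # Attacker keeps the server's MAC but swaps the payload for 'admin'.
    tampered = sign_cookie("admin").split(".")[0] + "." + legit.split(".")[1]
    return {
        "forged_cookie": forged,
        "vulnerable_grants": vulnerable_role_from_cookie(forged),
        "hardened_on_forged": verify_cookie(forged),
        "hardened_on_tampered": verify_cookie(tampered),
        "hardened_on_legit": verify_cookie(legit),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The vulnerable function accepts the forged `YWRtaW4=` as admin, exactly as in the challenge; the hardened function rejects it (no signature), rejects a payload swapped under a valid MAC (signature mismatch, checked in constant time with `hmac.compare_digest`), and only honours cookies it issued itself. A random session ID with the role stored server-side is simpler still and avoids putting any authorization state in the client's hands at all.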
Chief Technology Officer & Chief Information Security Officer at Lewis Brisbois | Chair of AI Committee, Technologist, Husband, Father | amateur hockey player and golfer |
4 months ago: CyberChef is amazing
Information Security Analyst | BS in Computer and Network security. A+ | Security+
5 months ago: Glad to have been able to participate in Secure Delaware's CTF! Thanks for the write up!
Co-Founder & CEO, Cybersecurity Marketing Society | Cybersecurity GTM Industry Resource | Cybersecurity Marketing | Bees & Cybersecurity | Podcast Host | Community | (I like to build things & laugh a lot & tell jokes)
5 months ago: I did my first CTF at Secure Delaware with Andy Novocin yesterday! Was so cool! Thank you for writing this up!
Information Security Analyst | Network Security | Security + | PenTest+ | Father | Marine Corps Vet | Career Advice | Mentor
5 months ago: Sweet walkthrough. Thank you for sharing!
Chief of Operations and Marketing @ Veteran and Minority-Owned Cybersecurity Pentesting Company | MBA in Marketing Analytics
5 months ago: Great conference! Met a lot of interesting people in the cybersec space!