Attacking Session Tokens

Obtain administrative access on the target to obtain the flag.

Step 1 - Decode the value of the parameter session:

  • Log in to the application

  • Get the session id

  • Use DenCode to detect the type of encoding

  • You can confirm with the following command:

    • echo -n 757365723d6874622d7374646e743b726f6c653d75736572 | xxd -r -p

Step 2 - Modify the role:

  • Change the role from user to admin in the decoded value:

    • user=htb-stdnt;role=user

  • Encode it:

    • echo -n 'user=htb-stdnt;role=admin' | xxd -p

Step 3 - Change the session id of the Request and get the flag:

  • Modify the session id

  • Resend the Request

  • Search for the flag in the Response
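
Why the steps above work, and one way to stop them (an added example, not code from the lab or its application): the hex value is only an encoding, so the server accepts any role the client writes. The sketch below contrasts that with a token carrying an HMAC-SHA256 tag; the function names, the `payload.tag` layout and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key (assumption); a real server loads it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def parse_fields(plain: str) -> dict:
    """Split 'user=...;role=...' into a dict."""
    return dict(item.split("=", 1) for item in plain.split(";"))


def weak_decode(token: str) -> dict:
    """Hex-only token as in the walkthrough: nothing ties the value to the server."""
    return parse_fields(bytes.fromhex(token).decode())


def signed_issue(user: str, role: str) -> str:
    """Hex payload plus an HMAC-SHA256 tag computed with the server key."""
    payload = f"user={user};role={role}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return f"{payload.hex()}.{tag}"


def signed_verify(token: str) -> Optional[dict]:
    """Return the fields only when the tag matches; None if edited or malformed."""
    try:
        payload_hex, tag = token.split(".")
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return parse_fields(payload.decode())


def demo() -> dict:
    original = "757365723d6874622d7374646e743b726f6c653d75736572"  # from Step 1
    edited = "user=htb-stdnt;role=admin".encode().hex()  # same bytes as Step 2
    issued = signed_issue("htb-stdnt", "user")
    replayed = edited + "." + issued.split(".")[1]  # edited payload, old tag
    return {"weak_original": weak_decode(original), "weak_edited": weak_decode(edited),
            "signed_issued": signed_verify(issued), "signed_edited": signed_verify(replayed)}


if __name__ == "__main__":
    print(demo())
```

Keeping the role in a server-side session record, with only a random opaque identifier sent to the client, removes the client-controlled field altogether.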
