Attacking Session Tokens

Obtain administrative access on the target to obtain the flag.

Step 1 - Decode the value of the parameter session:

• Login into the application

• Get the session id:

• Use DenCode to detect the type of encoding

• You can confirm with the following command:

Step 2 - Modify the role:

• Change the role to admin:

  • user=htb-stdnt;role=user

• Encode it:

Step 3 - Change the session id of the Request and get the flag:

• Modify the session id

• Resend the Request

• Search for the flag on the Response: