ACADEMY: Web Requests - a nudge would be appreciated...

Good evening all from the UK.
Stumbled across HTB a fortnight ago and I'm hooked.
However, if my skills matched my enthusiasm - I'd be laughing.

I've followed the two Academy modules "Web Requests" and "Javascript Deobfuscation" and successfully 'cracked into Hack the Box' - I must admit it was satisfying to say the least.

However there is one question in the Web Requests module that I couldn't answer - anyone able to offer me and additional nudge?

Its to do with the POST method page, and the question is:
"Login with the credentials guest / guest and try to get to admin."

I can of course log in, I'm assuming to 'get to admin' I am to swap the cookie from the admin login, demonstrated in the tutorial. and send that one rather than the guest one in Burp Suite - which I have done and I am able to get a different' non-guest user name in the admin screen - but this isn't the answer the question is looking for...

any pointers?

Tagged:

Comments

  • edited December 2020

    Oh - I sorted it...

    ... I was certainly thinking along the right lines in the above question - just had to think a little out of the box to get a 'admin' from the cookie...

  • hi Moe
    I couldn't get around this challenge
    any ideas?

  • The guest cookie logs you in as "guest_xxxxxxx"...

    ...It would be better if it logged you in as "admin" though ;-)

  • so just admin
    i did it before but as 'admin_xxxxxx'
    how stupid :)
    thanks man for the clarification
    have a nice day

  • edited December 2020

    Of course, as soon as I asked the question my brain started working and I was able to figure it out! Cheers!

  • edited January 1

    Spoiler Removed

  • Type your comment> @KonstantinS said:

    Of course, as soon as I asked the question my brain started working and I was able to figure it out! Cheers!

    Can you prompt please, what string is used to answer?

  • i have tried with burp suite to achieve admin auth
    i have two questions
    1- when i modify cookie it's necessary to encode "admin"?
    2- when i send from repeater with changed cookie i must be logged in with guest?
    thank you in advance to anyone will help me
    maurp

  • how you can get the admin cookie?

  • edited January 2

    I have answer welcome admin but the cookie that I use is not the correct answer, so why I get welcome admin? Is there an error in the module?

  • edited January 3

    Type your comment> @pit83 said:

    I have answer welcome admin but the cookie that I use is not the correct answer, so why I get welcome admin? Is there an error in the module?

    Support answered me only this

    Could you please confirm that you have tried without the unnecessary information after the account admin_generated_information as the task is to find a way to escalate to admin from guest.

  • Spoiler Removed

  • Spoiler Removed

  • Spoiler Removed

  • Type your comment> @pit83 said:

    incredible same answer different result, with me it's say bad answer I copy this

    I suppose it is need spawn new target and try again.
    Again encode cookie get flag and sent answer.

  • Hi Guys,

    Trouble understanding the tutorial and getting the flag, this is my understanding from the tutorial:

    1. login users name and password
    2. You get a session cookie associated with that users, in the tutorial its admin:password
    3. You remove the session cookie and try in, it failed as it cannot identify the client
    4. You paste in the session cookie you got above in step 2 and you are logged in

    The issue is the session cookie will always be for the user you logged in with. When following the tutorial i'm using the credentials guest:guest and therefore the session cookie is for the guest user.

    I've tried base64 decode the session cookie for the guest user and changing the name to admin and encoding it again in base64 but all this does is change the name from hello guest_xxxxx to hello admin_xxxx

    So what am I not understanding here? As far as I know I need the admin cookie to login or to manipulate the guest cookie in some way to login as admin. As mentioned above the tutorial didn't make sense as the same cookie issued to the user was just reused unless I'm missing something here?

    Any help would be greatly appreciated guys

  • Spoiler Removed

  • I am having issues with . . . getting from POST to see the
    cookie named PHPSESSID through the Set-Cookie header.

    In the htb, Web Request module, the question under the POST Method section asks:

    "Login with the credentials guest / guest and try to get to admin.

    Screen shot on the #fundamental-modules on Discord at https://discord.com/channels/473760315293696010/774040263278592041/804866224408100884

  • Spoiler Removed

  • For those who think they already have the admin but they have no right answer:
    There is a difference in html outputs between the two users. Try to investigate that.

  • I have found the flag. It says the flag is ...., I copy and paste the flag but it says incorrect. Please, help.

  • same module, but it's for GET requests. I studied it over and over, but I just couldn't understand how to answer the question:

    Send a GET request to flag.php with two parameters num1 and num2 such that their sum is 1337.

  • edited March 28

    Thanks

  • edited April 11

    I just finished the exercise. Very intelligent one. Were there any way to do it with curl? The cookie I obtained as guest with curl --cookie-jar cookies.txt 'blablabla didn't mentioned anything about auth...

  • I was a little bit lost here and I think the reason is that the ask is not very clear (and that's very good because when you figure out the answer you kind feel the try harder/out of box mindset going on)

    Long story short, the challenge is not about manipulating the cookie to login back with admin using the application.

    Play around with the get request and the cookie and pay attention to server response using burp. The answer is on the server's response to your request.

  • Okay, this challenge was really hard for me, I spent hours of my time doing this POST and GET requests in burp, the challenge was so confusing and it wasn't about finding which request or using admin and password credentials to get to the /dashboard page with as the admin.

    Look what you need to look for is only the cookie, before sending your request to the /dashboard.php just look for the cookie, and in burp suite, it even shows the decoded strings of the cookie, then you need to change the cookie to sth else, of course, decoded version of the cookie, which is guest_XXXX. So just change guest_XXXX to something else, this is sth you need to find, if I tell you this my hint will be deleted.

    Don't overcomplicate this, with /JSON or trying everything with command-line utility "curl", lol

    It took me so much to learn this and try all in the command line, and search for the missing part. The question is too confusing and if you just read the question carefully, you will find the answer in a second.

    Thank you all, peace

  • thanks for the clarification :) I was about to quit haah

  • Type your comment> @LaTreta said:

    I was a little bit lost here and I think the reason is that the ask is not very clear [...]

    Well, actually "Login with the credentials (guest:guest), and try to get to the admin user from what you learned in this section and the previous section." is not a question at all, note the "." instead of a "?". :P
    Digging the challenges in general, but the wording leaves quite alot to be desired fo sho.

  • I doubt I could have solved the POST question without the forum. Thanks all!

    dGhlIHByb3MgbWFrZSBpdCBsb29rIGVhc3kgb24geW91dHViZQ

  • edited July 22

    Send a GET request to flag.php with two parameters num1 and num2 such that their sum is 1337.

    I read all the comments I still came to a dead end help me figure it out!!!!!

Sign In to comment.