message-board Writeup
HSCTF 2021
Solved by: Taz34
I logged in using the given credentials.
I found a cookie named userData containing a userID and a username.
Here the userID is 972
and the username is kupatergent.
Next I started looking into the given server code files, and in one of them, named app.js, I found this:
This indicates that we don’t need a password for admin access; we just need the correct user ID.
So I fired up Burp Suite, sent the request with the cookie to Intruder, replaced the username with admin, and set the payload position at userID:
Cookie: userData=j%3A%7B%22userID%22%3A%22§9§%22%2C%22username%22%3A%22admin%22%7D
Payload settings:
I also set up a grep match for flag{, as that is the start of the flag.
Now we have to look for a ticked checkbox for flag{; the response section of that result contains the flag.
Here we have the flag. We can confirm it on the website by changing the cookie values:
userID = 768
username = admin
flag{y4m_y4m_c00k13s}
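
The root cause above is that the server trusts an unsigned, client-editable userData cookie. The following is an added example, not code from the challenge or its app.js: it parses the `j:` JSON cookie format seen in the request and contrasts it with an HMAC-signed cookie that rejects edited fields. The function names, the secret and the `payload.mac` layout are assumptions made for illustration.

```javascript
// Added example: function names, secret and cookie layout are assumptions.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed value; load from config in practice

// Unsigned form, as in the writeup: "j:" + JSON, URL-encoded.
// Whatever the client puts in the fields is what the server sees.
function parseJsonCookie(raw) {
  const decoded = decodeURIComponent(raw);
  if (!decoded.startsWith('j:')) return null;
  try { return JSON.parse(decoded.slice(2)); } catch { return null; }
}

function mac(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Hardened form: base64url(JSON) + "." + HMAC-SHA256 over the payload.
function issueSignedCookie(user) {
  const payload = Buffer.from(JSON.stringify(user)).toString('base64url');
  return `${payload}.${mac(payload)}`;
}

// Returns the user object only if the MAC matches; otherwise null.
function verifySignedCookie(raw) {
  if (typeof raw !== 'string') return null;
  const dot = raw.lastIndexOf('.');
  if (dot < 1) return null;
  const payload = raw.slice(0, dot);
  const given = Buffer.from(raw.slice(dot + 1));
  const expected = Buffer.from(mac(payload));
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  try {
    return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch { return null; }
}

// Constructed sample built from the values shown in the writeup.
const sample = 'j%3A%7B%22userID%22%3A%22972%22%2C%22username%22%3A%22kupatergent%22%7D';
console.log(parseJsonCookie(sample));
const signed = issueSignedCookie({ userID: '972', username: 'kupatergent' });
console.log(verifySignedCookie(signed));
// Same MAC, edited payload: verification fails and the request is unauthenticated.
const edited = Buffer.from(JSON.stringify({ userID: '972', username: 'admin' }))
  .toString('base64url') + '.' + signed.split('.')[1];
console.log(verifySignedCookie(edited));
```

Express's cookie-parser offers the same protection through signed cookies (`res.cookie(name, value, { signed: true })` and `req.signedCookies`); a server-side session that stores the identity and hands the client only a random session ID avoids putting the user ID in the cookie at all.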