web

HSCTF 2021

message-board

Solved by: Taz34

I logged in using the given credentials.

Found a cookie named userData with userID and username.

Here userID is 972 and username is kupatergent.

Now I started looking into the given server code files, and in one of the files, named app.js, I found this:

That indicates that we don’t need a password for admin access; we just need the correct user ID.

So now I fired up Burp Suite, sent the request with the cookie to Intruder, replaced the username with admin, and set the payload position at userID:

Cookie: userData=j%3A%7B%22userID%22%3A%22§9§%22%2C%22username%22%3A%22admin%22%7D

Payload settings:

I also set up a grep match for flag{, as that is the start of the flag.

Now we have to look for a ticked checkbox for flag{; the response section of that result contains the flag.

Here we have the flag. We can confirm it on the website by changing the cookie values:

userID = 768
username = admin

flag{y4m_y4m_c00k13s}
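
The root cause above is that the server trusts the userID and username fields of a cookie the client can edit freely. The following is an added example, not the challenge's app.js: a minimal Node.js sketch of a tamper-evident cookie using an HMAC, where `SECRET`, `issueCookie`, `readCookie` and `tamper` are hypothetical names and the secret is a constructed value.

```javascript
// Added example: HMAC-protected identity cookie (not the challenge's code).
const crypto = require('crypto');

// Assumption: a server-side secret from configuration; constructed value here.
const SECRET = 'constructed-demo-secret-change-me';

function mac(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Issue: serialize the identity and append an HMAC computed over it.
function issueCookie(userID, username) {
  const payload = Buffer.from(JSON.stringify({ userID, username })).toString('base64url');
  return `${payload}.${mac(payload)}`;
}

// Verify: recompute the HMAC, compare in constant time, and only then parse.
function readCookie(cookie) {
  if (typeof cookie !== 'string') return null;
  const dot = cookie.lastIndexOf('.');
  if (dot < 1) return null;
  const payload = cookie.slice(0, dot);
  const given = Buffer.from(cookie.slice(dot + 1));
  const expected = Buffer.from(mac(payload));
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

// Simulates the client-side edit from the write-up: fields change, tag is reused.
function tamper(cookie, fields) {
  const [payload, tag] = cookie.split('.');
  const data = { ...JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')), ...fields };
  return `${Buffer.from(JSON.stringify(data)).toString('base64url')}.${tag}`;
}

const issued = issueCookie('972', 'kupatergent');
console.log(readCookie(issued));                                // original identity
console.log(readCookie(tamper(issued, { username: 'admin' }))); // null: rejected
```

Express's cookie-parser offers the same protection through signed cookies (`res.cookie(name, value, { signed: true })` read back via `req.signedCookies`). Integrity alone does not decide privilege: the admin check should look up the role server-side for the verified userID rather than trust a username carried in the cookie.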
Published on: 20 Jun 2021