CyberTalents | The Restricted Sessions
Writeup of a medium-rated Web Exploitation challenge from CyberTalents.
Challenge Name
- The Restricted Sessions
Challenge Description
- Flag is restricted to logged users only, can you be one of them.
Write-Up
Navigating to the provided URL, you will be presented with the following web page:
It says that the flag can only be seen by logged-in users. Since there is no login form, and given the challenge name, this is certainly about cookies and sessions.
Source Code:
There is JavaScript code in the page source that reveals something very interesting about the logic behind the logged-in user check.
- The code checks whether `document.cookie` is not an empty string. It then extracts the value of the `PHPSESSID` cookie using the regular expression match `document.cookie.match(/PHPSESSID=([^;]+)/)[1]`.
- Next, it sends a `POST` request to the server using the `$.post()` method. The request is made to the `getcurrentuserinfo.php` endpoint, and the `PHPSESSID` value is included as a parameter in the request body.
- If the server responds successfully, the callback function specified as the third argument of the `$.post()` method is executed. The `data` parameter of the callback contains the response from the server; in this case, the response data is assigned to the variable `cu`.
In other words, when a user visits the main page, the JavaScript code checks whether the `PHPSESSID` cookie is set and has a value. If so, it sends a POST request to the `getcurrentuserinfo.php` endpoint, which retrieves the current user's information based on the provided PHP session ID. The response from the server is then stored in the `cu` variable.
Stored sessions:
With that being said, let's send a request, using `curl`, to the main page `/` with a `PHPSESSID` cookie set to a random value (just for testing purposes):

```bash
curl 'http://shfjhg&.cybertalentslabs.com' -H 'Cookie: PHPSESSID=1234567'
```
- The response says that the provided `PHPSESSID` does not appear in the `data/session_store.txt` file.
Let's `GET` the content of this file by running the following command:

```bash
curl 'http://shfjhg&.cybertalentslabs.com/data/session_store.txt'
```
- It looks like this file contains some `PHPSESSID` values (3, to be exact).
Let's try one of them and send a request to the main page:

```bash
curl 'http://shfjhg&.cybertalentslabs.com' -H 'Cookie: PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23'
```
- The response implies that we need another cookie named `UserInfo`, which has to be sent along with `PHPSESSID`.
Unfortunately, we don't have a valid username, but let's send a random one (like `admin`, for testing purposes):

```bash
curl 'http://shfjhg&.cybertalentslabs.com' -H 'Cookie: PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23; UserInfo=admin'
```
- As expected, we got a `Validation failed` message as a response from the server.
What's happening in the backend?
In the backend, when we sent the latter request (the one with the `PHPSESSID` and `UserInfo` cookies), the JavaScript code we analyzed earlier is executed and sends a `POST` request to the `/getcurrentuserinfo.php` endpoint with the value of `PHPSESSID` as a parameter. The server then responds with information about the user holding that PHP session ID.
This information may include the `username`, which is compared to the `UserInfo` cookie. If they match, validation succeeds; otherwise, a `Validation failed` message is returned by the server.
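To make the flaw concrete, here is an added Python model (not code from the writeup or the challenge, whose PHP backend is not shown) of the check as inferred above, beside a hardened counterpart in which identity comes only from the server-side session and the user-info endpoint never resolves someone else's session ID. The session store contents, apart from the `iuqwhe23eh23kej2hd2u3h2k23`/`john` pair seen in the writeup, are constructed.

```python
# Constructed session store in the shape the writeup describes for
# data/session_store.txt: known session id -> username. The first entry is the
# pair seen in the writeup; the other two are made up for this example.
SESSION_STORE = {
    "iuqwhe23eh23kej2hd2u3h2k23": "john",
    "constructedsessionid00000000001": "alice",
    "constructedsessionid00000000002": "bob",
}


def parse_cookie_header(header: str) -> dict:
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}; pairs without '=' are skipped."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


# --- flawed design, as reconstructed from the writeup -----------------------

def weak_user_info(posted_sessid: str):
    """getcurrentuserinfo.php as inferred: any caller can resolve any stored id."""
    user = SESSION_STORE.get(posted_sessid)
    return {"username": user} if user else None


def weak_check(cookie_header: str) -> str:
    """Grants access when PHPSESSID is stored and the client-sent UserInfo matches."""
    c = parse_cookie_header(cookie_header)
    if c.get("PHPSESSID") not in SESSION_STORE:
        return "session not found"
    if "UserInfo" not in c:
        return "UserInfo cookie required"
    if c["UserInfo"] != SESSION_STORE[c["PHPSESSID"]]:
        return "Validation failed"
    return "flag"


# --- hardened design ---------------------------------------------------------

def hardened_user_info(cookie_header: str, posted_sessid=None):
    """Resolves only the caller's own session; a posted session id is ignored."""
    user = SESSION_STORE.get(parse_cookie_header(cookie_header).get("PHPSESSID"))
    return {"username": user} if user else None


def hardened_check(cookie_header: str) -> str:
    """Identity comes from the server-side session alone; no client identity cookie."""
    return "flag" if hardened_user_info(cookie_header) else "session not found"
```

The hardened functions only close the identity-leak half of the chain; the session store itself must also live outside the web root so it cannot be fetched the way `data/session_store.txt` is fetched above.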
Interacting with getcurrentuserinfo.php endpoint:
Let's manually send a POST request, using `curl` as always, to this endpoint, sending one of the stored session IDs as a parameter:

```bash
curl -X POST 'http://shfjhg&.cybertalentslabs.com/getcurrentuserinfo.php' -d 'PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23'
```
- The response is `JSON` data containing information about the user with the PHP session ID we provided.
Flag:
At this point, we have a valid PHP session ID and a valid username. All that's left to do is send a GET request to the main page `/` with the following cookies: `PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23` and `UserInfo=john`.
- Using cURL:

```bash
curl 'http://shfjhg&.cybertalentslabs.com' -H 'Cookie: PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23; UserInfo=john'
```