CyberTalents | The Restricted Sessions

Writeup of a medium-rated Web Exploitation challenge from CyberTalents


The Restricted Sessions is a Web Exploitation challenge from CyberTalents, where the flag can only be viewed by logged-in users. Additionally, there is no apparent login form, which means working with sessions and cookies was necessary to successfully authenticate as one of the already logged-in users and get the flag.

Challenge Name

The Restricted Sessions Challenge


Challenge Description


  • Flag is restricted to logged users only, can you be one of them.

Write-Up


Navigating to the provided URL, you will be presented with the following web page:

Main page


It says that the flag can only be seen by logged-in users, and since there is no login form and given the challenge name, it is certainly about cookies and sessions.

Source Code:

There is JavaScript code in the source code of the web page which reveals something very interesting regarding the logic behind the logged-in user check.

JavaScript code


  • The code checks whether document.cookie is not an empty string. It then extracts the value of the PHPSESSID cookie using the regular expression match document.cookie.match(/PHPSESSID=([^;]+)/)[1].
  • Next, it sends a POST request to the server using the $.post() method. The request is made to the getcurrentuserinfo.php endpoint, and the PHPSESSID value is included as a parameter in the request body.
  • If the server responds successfully, the callback function specified as the third argument of $.post() is executed. The data parameter of the callback contains the response from the server; in this case, the response data is assigned to the variable cu.


In other words, when a user visits the main page, the JavaScript code checks whether the PHPSESSID cookie is set and has a value. If that is the case, it sends a POST request to the getcurrentuserinfo.php endpoint, which retrieves the current user's information based on the provided PHP session ID. The response from the server is then stored in the cu variable.

Stored sessions:

With that being said, let's send a request, using curl, to the main page / with a PHPSESSID cookie set to a random value (just for testing purposes). The hostname contains an ampersand, so it is quoted to keep the shell from treating it as a control operator:

curl 'http://shfjhg&.cybertalentslabs.com' -H 'Cookie: PHPSESSID=1234567'

Requesting the main page with PHPSESSID cookie
  • The response says that the provided PHPSESSID is not present in the data/session_store.txt file.

Let’s GET the content of this file, by running the following command:

curl 'http://shfjhg&.cybertalentslabs.com/data/session_store.txt'

Stored sessions
  • It looks like this file contains some PHPSESSID values (3 to be exact).

Let’s try one of them and send a request to the main page:

curl 'http://shfjhg&.cybertalentslabs.com' -H 'Cookie: PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23'

UserInfo Cookie
  • The response implies that another cookie, named UserInfo, needs to be sent along with PHPSESSID.

Unfortunately, we don't have a valid username, but let's send an arbitrary one (admin, for testing purposes):

curl 'http://shfjhg&.cybertalentslabs.com' -H 'Cookie: PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23; UserInfo=admin'

Validation failed
  • As expected, we got a Validation failed message as a response from the server.

What's happening in the backend?

In the backend, when we sent the latter request (the one with both the PHPSESSID and UserInfo cookies), the JavaScript code analyzed earlier is executed and sends a POST request to the /getcurrentuserinfo.php endpoint with the value of PHPSESSID as a parameter. The server then responds with information about the user holding that PHP session ID.
This information may include the username, which is compared with the UserInfo cookie. If they match, validation succeeds. Otherwise, a Validation failed message is returned by the server.
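To make the logic described above concrete, here is a small Python model of both sides of the check: the client-side regex that pulls PHPSESSID out of the Cookie header, the getcurrentuserinfo.php lookup, and the main-page comparison against the UserInfo cookie, followed by a hardened variant that keeps session records server-side and derives the username from them rather than from a client cookie. This is an added example and not code from the challenge or its author; the session-store file format (one "sessionid:username" per line), the session IDs other than the one shown in the write-up, and the FLAG_PLACEHOLDER value are all constructed assumptions.

```python
import re
import secrets
from typing import Optional

# Constructed stand-in for data/session_store.txt. The page only says the
# file holds three PHPSESSID values; the "sessionid:username" layout and
# the two extra entries are assumptions for this example.
SESSION_STORE_TXT = """\
iuqwhe23eh23kej2hd2u3h2k23:john
a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6:alice
ffeeddccbbaa99887766554433221100:bob
"""

FLAG_PLACEHOLDER = "FLAG_PLACEHOLDER"  # stands in for the real flag

# Same pattern the page's JavaScript applies to document.cookie.
PHPSESSID_RE = re.compile(r"PHPSESSID=([^;]+)")


def parse_session_store(text: str) -> dict:
    """Parse the constructed store into {session_id: username}."""
    store = {}
    for line in text.splitlines():
        line = line.strip()
        if line and ":" in line:
            sid, user = line.split(":", 1)
            store[sid] = user
    return store


def extract_phpsessid(cookie_header: str) -> Optional[str]:
    """Return the PHPSESSID value from a Cookie header, or None."""
    m = PHPSESSID_RE.search(cookie_header)
    return m.group(1) if m else None


def parse_cookies(cookie_header: str) -> dict:
    """Split 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            cookies[k] = v
    return cookies


def get_current_user_info(store: dict, phpsessid: str) -> Optional[dict]:
    """Model of getcurrentuserinfo.php: returns user info for any session id
    the client posts, which is what lets the write-up recover a username."""
    user = store.get(phpsessid)
    return {"username": user} if user else None


def main_page_vulnerable(store: dict, cookie_header: str) -> str:
    """Model of the main page check as the write-up describes it: the session
    must be in the store, and the UserInfo cookie must equal the stored name."""
    sid = extract_phpsessid(cookie_header)
    if sid is None or sid not in store:
        return "PHPSESSID not found in data/session_store.txt"
    cookies = parse_cookies(cookie_header)
    if "UserInfo" not in cookies:
        return "UserInfo cookie required"
    if cookies["UserInfo"] != get_current_user_info(store, sid)["username"]:
        return "Validation failed"
    return FLAG_PLACEHOLDER


class HardenedSessions:
    """Hardened variant: session ids are unguessable random tokens held only in
    server memory (never in a web-served file), the username is read from the
    server-side record, and no client-supplied UserInfo cookie is consulted."""

    def __init__(self) -> None:
        self._sessions: dict = {}

    def login(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return sid

    def main_page(self, cookie_header: str) -> str:
        sid = extract_phpsessid(cookie_header)
        user = self._sessions.get(sid) if sid else None
        if user is None:
            return "Login required"
        return f"Welcome {user}: {FLAG_PLACEHOLDER}"


if __name__ == "__main__":
    store = parse_session_store(SESSION_STORE_TXT)
    for hdr in ("PHPSESSID=1234567",
                "PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23",
                "PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23; UserInfo=admin",
                "PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23; UserInfo=john"):
        print(f"{hdr!r:60} -> {main_page_vulnerable(store, hdr)}")
    h = HardenedSessions()
    print(h.main_page("PHPSESSID=1234567; UserInfo=john"))
    print(h.main_page(f"PHPSESSID={h.login('john')}"))
```

The four vulnerable-model calls reproduce, in order, the four responses the write-up walks through; the hardened model ignores UserInfo entirely, so a stored session id alone is worth nothing to a client without the server having issued it.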

Interacting with getcurrentuserinfo.php endpoint:

Let's manually send a POST request, using curl as always, to this endpoint, passing one of the stored session IDs as a parameter:

curl -X POST 'http://shfjhg&.cybertalentslabs.com/getcurrentuserinfo.php' -d 'PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23'

JSON data
  • The response is JSON data containing the information of the user holding the PHP session ID we provided.

Flag:

At this point, we have a valid PHP session ID and a valid username. All that's left to do is send a GET request to the main page / with the following cookies: PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23 and UserInfo=john.

  • Using cURL:

    curl 'http://shfjhg&.cybertalentslabs.com' -H 'Cookie: PHPSESSID=iuqwhe23eh23kej2hd2u3h2k23; UserInfo=john'

Flag via cURL


  • Using the Firefox browser and Developer Tools (Storage tab):

Flag via Firefox Dev Tools


This post is licensed under CC BY 4.0 by the author.