TryHackMe AoC3 - Day 2 Walkthrough

Rubelefsky
4 min read · Dec 14, 2021

For AoC3 Day 2 we will be walking through exploiting HTTP(S) (Hypertext Transfer Protocol (Secure)) and cookies.

HTTP(S) is a client-server protocol that provides communication between a client and a web server. (When you enter google.com into your web browser, this is the protocol that is being used.)

You can see HTTPS before Google.

Cookies are text files with tiny pieces of data about you. They could hold your login information or just data that will personalize the experience for you.

Video Walkthrough: https://youtu.be/I6f-TaU4UeA

To see your cookies in Google Chrome, right-click on the page and select “Inspect”. Go to the “Application” tab. On the left side you will see “Cookies”; click the drop-down menu and you will see the current cookies for the site that you are on.

Cookies for Google.com

AoC3 Day 2- Web Exploitation ELF HR Problems

The first thing to do is go through all the information presented on the task to get a better understanding of HTTP and Cookies.

— — — — — — — — — — — — — — — — — —

Question 1: Open the static site (click the link)

— — — — — — — — — — — — — — — — — —

Question 2: What is the name of the new cookie that was created for your account?

Walkthrough: You will create a new account on the static site by going to sign up and entering your Name, Password and email.

It will bring you to an error page that looks like this.

An error page after attempting to sign up.

Follow the instructions provided above to get to the cookie section of developer tools.

Once you get to the cookies, you should see Name, Value, and so on. The name is the answer for our first question.

Answer: user-auth

— — — — — — — — — — — — — — — — — —

Question 3:
What encoding type was used for the cookie value?

Walkthrough: You will find the cookie value under “Value”

You will see the full cookie value on the bottom under “Cookie Value”

Go to CyberChef to decode this value.

Put the “cookie value” in the input section and press Bake on the bottom.

Answer: Hexadecimal

— — — — — — — — — — — — — — — — — —

Question 4:
What object format is the data of the cookie stored in?

After decoding the hexadecimal we will have the results on the Output screen.

{company: "The Best Festival Company", isregistered:"True", username:"rubelefsky"}

This is a JSON string. We can tell it is JSON because it has 3 properties and 3 values: company, isregistered and username are the properties, and “The Best Festival Company”, “True” and “rubelefsky” are the values.

Answer: JSON

— — — — — — — — — — — — — — — — — —

Question 5: What is the value of the administrator cookie? (username = admin)

Now we are going to manipulate the cookie. Let’s take the JSON string and change the username from rubelefsky to admin.

In CyberChef, change the recipe from “From Hex” to “To Hex”.

Press Bake and you will see the new output.

Answer: 7b636f6d70616e793a2022546865204265737420466573746976616c20436f6d70616e79222c206973726567697374657265643a2254727565222c20757365726e616d653a2261646d696e227d

Question 6: What team environment is not responding?

We have the new output back in hexadecimal form. Now we are going to add it to the original cookie.

The new value from CyberChef is pasted into the old value.

Copy the new value, double-click the old value and paste the new one in.

After adding the new value, refresh the page. You should now be logged in as the admin.

Red usually means stop/not working.

Answer: HR

Question 7:
What team environment has a network warning?

Going by the last question, HR is the one that is not responding. Green usually indicates good activity. Yellow is a warning/hazard color.

Answer: Application
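
The cookie edit in Questions 5 and 6 works because the site trusts a value that is only hex-encoded, and encoding gives no integrity protection. As an added example (not part of the original walkthrough or the room's own code), the Python below contrasts that scheme with a cookie that carries an HMAC-SHA256 tag; the key, the function names and the `payload.tag` layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a random key generated per run; a real server loads one from protected config.
SERVER_KEY = secrets.token_bytes(32)

# Cookie payloads as decoded in the walkthrough (treated here as opaque text).
USER = '{company: "The Best Festival Company", isregistered:"True", username:"rubelefsky"}'
ADMIN = USER.replace("rubelefsky", "admin")


def encode_unsigned(payload: str) -> str:
    """Scheme seen in the walkthrough: the cookie is just the hex of the payload."""
    return payload.encode().hex()


def read_unsigned(cookie: str) -> str:
    """Accepts any hex the browser sends; nothing proves the server issued it."""
    return bytes.fromhex(cookie).decode()


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def encode_signed(payload: str, key: bytes = SERVER_KEY) -> str:
    """Hypothetical hardened format: hex payload, a dot, then an HMAC-SHA256 tag."""
    body = encode_unsigned(payload)
    return f"{body}.{_tag(body, key)}"


def read_signed(cookie: str, key: bytes = SERVER_KEY):
    """Return the payload only if the tag verifies; otherwise None."""
    body, sep, tag = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(_tag(body, key).encode(), tag.encode()):
        return None
    try:
        return bytes.fromhex(body).decode()
    except ValueError:  # malformed hex or invalid UTF-8
        return None


def demo():
    """Swap the payload but reuse the old tag, as a cookie edit in dev tools would."""
    issued = encode_signed(USER)
    forged = encode_unsigned(ADMIN) + "." + issued.split(".")[1]
    return read_unsigned(encode_unsigned(ADMIN)), read_signed(issued), read_signed(forged)
```

`demo()` returns the admin payload for the unsigned reader, the original payload for the untouched signed cookie, and `None` for the edited one. Keeping the role server-side behind an opaque random session ID avoids placing authorization data in the cookie at all.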
