Bruteforcing Cookies

Hi all,

I’m writing about the session brute forcing cookies, at the question:

“Log in to the target application and tamper the rememberme token to give yourself super user privileges. After escalating privileges, submit the flag as your answer.”

An example of cookie:

I tried all the decoders and I couldn’t find any that works for it. Does anyone have any idea?

Before you continue, make sure you are trying the right cookie. That doesn’t look like the right format for the persistent cookie.


Can someone help me with how to decode the 2nd question of Brute forcing cookie?

Question: Log in to the target application and tamper the rememberme token to give yourself super user privileges. After escalating privileges, submit the flag as your answer.

Hi, I am also stuck on the same question 2. Any hint on decoding, please?

Hello everyone,
-onthesauce hints that the cookie file may NOT be correct.
Then the question is how to display the correct file?
(Where to look for it, if not in BurpSuite?)
Should I use a padding oracle attack in this task, or should I look for the right cookies?

Don’t forget to check the “remember me” box!

I got the persistence cookie from the response but I don’t know how to decode HTBPERSISTENT=eJwrLU4tssooSSoF0tZF TmpVsUlpSmpeSXWJZm5qVaGZuZGRiaGpubmAE4LDlM= I tested it with base64 but I don’t retrieve any hexadecimal value, only raw bytes from there… Thanks in advance.

If you haven’t done this yet, you should check out the example they give with Cyberchef during the module. If you replicate that you’ll get a hex value and then you can go from there (file signatures are your friend).

Hey, I found the file type and extension, what now? Where do I go from there?

Not sure if you’re in the right thread? That sounds like a file upload question and not a cookie brute forcing question?

No, I am. It is part of the cookie brute forcing lab. When it gets decoded, it gives out clues like file type, extension and MIME. Since you’ve solved it I was wondering what is next because I am not sure what to do with that info. I’ve re-read the course, still no clue.

Ok I think I know what you mean. I assume you’re busy with question 2? Have you decoded to get a hex value and worked out the MIME? Did you manage to decode further and get the cookie details? The only thing you should get is user, role, and time. It’s the same as question 1, just encoded differently.

From there, you need to change the role and re-encode it. I think you’re mistaking file type/extension for encoding type. Use Cyberchef.

Sorry, I did use CyberChef and was able to get the first half of the cookie’s details, but I’m not sure where to go from there.

Use intense “Magic”, it will work. Magic is all you need to know to decrypt the cookie.

This cookie makes me crazy, I saw that it was composed of a fixed and variable part, if I take the fixed part, that I put it in Cyberchef, then I decode in base64 and after Magic, on 3 levels and intense… I get nothing conclusive… I tried so many things, that I don’t know anymore

While trying Magic you have an option to give the keyword you know, hope this might help.

Happy Hacking.

thanks for your answer, I finally found it, but the magic function didn’t find anything… maybe I’m using it wrong…

Try URL decoding before using the Magic function.

A thing that I got hung up on was trying to reconstruct the original cookie by reversing the process. I could not reconstruct the same cookie that came, but the cookie I reconstructed still worked. I fought forever trying to reconstruct the exact same cookie to ensure my encoding was correct and this ended up being a waste of time. Just reversing what you did in Cyberchef, even if it comes up with a different result than the original, still gives you the same access.
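An added example, not part of any post in this thread: it shows why a re-encoded token can differ byte for byte from the original and still be accepted, and what a server-side integrity check looks like. It assumes a compress-then-base64 layering (zlib here) and a constructed payload with the user, role and time fields mentioned above; the function names and the key are hypothetical.

```python
import base64
import hashlib
import hmac
import zlib

# Constructed sample payload; field names follow "user, role, and time" from the thread.
PAYLOAD = b"user=student1;role=student;time=1700000000"
KEY = b"constructed-demo-key"  # hypothetical server-side secret


def encode(payload: bytes, level: int = 6) -> str:
    """Compress, then base64: an encoding only, it provides no integrity."""
    return base64.b64encode(zlib.compress(payload, level)).decode()


def decode(token: str) -> bytes:
    return zlib.decompress(base64.b64decode(token))


def sign(payload: bytes, key: bytes) -> str:
    """Encoded payload plus an HMAC-SHA256 tag computed over the decoded payload."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return encode(payload) + "." + tag


def verify(token: str, key: bytes):
    """Return the payload if the tag matches, otherwise None."""
    body, _, tag = token.rpartition(".")
    try:
        payload = decode(body)
    except (ValueError, zlib.error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload if hmac.compare_digest(tag, expected) else None


if __name__ == "__main__":
    a, b = encode(PAYLOAD, 0), encode(PAYLOAD, 9)
    # Different compressor settings give different bytes for the same content,
    # so comparing a re-encoded token with the original proves nothing.
    print(a != b, decode(a) == decode(b))
    signed = sign(PAYLOAD, KEY)
    body, tag = signed.split(".")
    altered = encode(PAYLOAD.replace(b"student;", b"admin;")) + "." + tag
    # With a keyed tag, a changed role no longer verifies.
    print(verify(signed, KEY) == PAYLOAD, verify(altered, KEY) is None)
```

The server in the lab accepts any token that decodes to a well-formed payload, which is why the exact bytes do not matter; a keyed tag over the payload, or an opaque random token looked up server-side, removes that property.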

I’m feeling extremely stuck in this module, and it’s completely incomprehensible to me… Is there anyone who could message me and provide guidance? I’m in desperate need of support…