Help on skill assessment - Broken authentication

Can anyone help me with the cookie tampering? I am unable to decode the cookie.
Assess the web application and use various techniques to escalate to a privileged user and find a flag in the admin panel. Submit the contents of the flag as your answer.

I logged in as one of the support users, but I'm stuck at the cookie. Which cookie should I decode, and which is the correct decoding algo? I tried decoding both below but no luck.


You can’t decode htb_sessid_persistent; look only at htb_sessid. What does it look like? For the 1st step, use CyberChef and URL Decode :) Then maybe you’ll have some hints. Or try this link

Yes, the persistent cookie is a rabbit hole - look at its expiration date lol

Once you can't decode anymore, look at unusual delimiters in the decoded cookie and it will give you an idea of how it's formed.

Use Hash-identifier to find out what algorithm is being used after you get the hash from base64 decoding. If you find the algorithm, then check whether there are any tools that can crack that hash with any popular wordlist.