The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit ‘/skills/’ to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the “top-usernames-shortlist.txt” wordlist from Seclists.
Can you give me more detailed instructions what to do?
Thank you so much
Took me time to get this, but you’re in good position.
So after setting up your Payload with “084…” you need to set your processors to md5 hashes and then in the fuzzers tab all will appear with 200 and just resend to the browser to view the flag
For anyone else stuck with this, this article helped me - How are cookies passed in the HTTP protocol? - Stack Overflow
where can I found the “top-usernames-shortlist.txt” wordlist ?
Try : /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt
Hello,
I do not understand why I can’t do it, I fuzz the cookie 084 … But when I look at the answer, it is always 084, why?
Wanted to hop on here to say this was the straw that broke the camel’s back for me.
Feel there is a severe lack of direction. Will be continuing my bug bounty learning path on PortSwigger and cancelling my account here.
Good luck everyone on your journey, when something does not work, try a different way, a different perspective.
You know what, I’m beginning to get there. I really don’t understand why more information isn’t put into some of these sections? Or even a short video walk-through would be helpful. I do admit that at times I’m simply missing something and when I go back over it I can figure it out. However, this one really does appear to be missing some key info. Like where is it explained here in this section on how to use a wordlist like the one mentioned in the question? Also, when it says to “fuzz the cookie” is that whole thing so cookie=034e0343a0486ff05530df6c705c8bb4? Or is it just the hash after the =? I mean how hard would it be to just provide a bit more clarity in these instructions?
For those struggling, once you have fuzzed usernames that you have modified to be MD5 hashed encoded, look for the Size Resp. Body that is different.
From there you can right click and open in requester tab The flag is in the response body.
ZAP’s UI was very clunky, so I had to adjust the window sizes to see things clearly. So bear that in mind if you are struggling to navigate the app and it seems not to make sense…it might not be you that’s the problem 
For those throwing the towel after failed attempts, maybe pentesting isn’t for you (Please be persistent). Looks like all you need to do, is observe the resp. header size and send it to the requester tab. Method must change as well. Think GET vs POST? And you will be done with it. Still, I share your frustration about ZAP, but it’s all we got. Burp wouldn’t give a discount nor student access.
bro thanks so much for your help!
it was not hard at all. Just visit http://ip:port/skill/ just like question says.
Then your response contains a cookie.
Then use ''Open/Resend with request editor". Now you can select the cookie.
good luck
Greetings!
The task looks pretty simple, but after fuzzing all the cookies I still do not see the flag in any of the responses. Checked the ones with different content-length, checked every line manually, resetted the target and repeated, and to eliminate the ZAP GUI game with the response windows size even checked all cookies manually directly from cli with curl. No one attempt returned the flag on the page.
Any Ideas please?
Solved with curl after multiple resets of the target…
I solved it. You perform FUZZing with cookies (MD5 hash). Then, select any request and resend it using the Request Editor. You will be able to observe any requests you send with different cookies. After the Send process, the cookie will be set to ‘084e0343a0486ff05530df6c705c8bb4’.
The reason is that you clicked to disable ‘Accept Cookie.’ Then, set the Request Cookie to ‘ee11cbb19052e40b07aac0ca060c23ee.’
=>complete this Section
So, I completed this challenge by reading this thread. First of all, I needed to understand the correct use of Set-Cookie and Cookie, and then look for all the steps in ZAP, which is very hard. I don’t know what’s happening with the ZAP UI, but it’s very messy. For new users searching for help, try setting cookies with MD5 if you know what I mean ;).
And don’t give up, it took me 2 days.!!!
For everybody who is stuck you should try as followed to get the right request and response.
Open the target spawn address with port in the per-configured browser from the button in Zap, with /skills/ added: http://x.x.x.x:yyyyy/skills/
Within the HUD enable Break and reload the page
Check if the cookie is defined in the GET request/ break
–you can either review back in Zap in the Break section shown and right mouse-click and select Fuzz…
or
–you can copy the text from the HUD, open Fuzz from the tools in Zap, Select the GET under the skills folder and review if the cookie is present, if not, click Edit replace the request with the data copied earlier in the HUB.
Select only the cookie value
Add a payload as a file from the question, either in /opt/usefull/wordlists or /usr/share/wordlists
Add MD5 Hashes as processor
In the Options set concurrent scanning to 20
Start Fuzzing!
Review the responses, 1 will be noticeable different in Size Resp. Body and right mouse-click and select “Open in Requester Tab…”
I hope this helps…
