Anyone able to give me a nudge on how to complete the Session Security Skills Assessment? I am able to query the API endpoint (http://minilab.htb.net/submit-solution) and have the target connect to my netcat listener or a hosted file, and I see a message indicating AdminVisited = True. So I suspect something like this is needed to find the admin auth-session. But when I use Wireshark, the auth-session cookie is the same as when I just navigate to the login page.
Right now I am kind of at a loss as to how to proceed, so any hints would be much appreciated!
Edit: SOLVED! If anyone needs help feel free to DM me
@jarednexgent, Hey I sent you a DM, but please disregard it. I just solved it. Kinda kicking myself for wasting so much time lol.
To anyone who is on the skills assessment and comes here struggling: take a deep breath and stop overthinking it. I am gonna say right now that the hint was misleading as all ****. I went down some crazy rabbit holes for like 3 hours, only to sleep on it and get it in less than 30 minutes today!
It was a good final assessment though. But, as always feel free to reach out.
-onthesauce
I wasted so much time trying to chain exploits together in stupid ways to get the admin's profile to be visible. Only to realize, if the profile was visible, I still wouldn't be able to find it because I didn't know the email haha!
This is a good thought in the right direction. And should be hint enough. Since you don’t know the admin’s email address there is no point in replicating the XSS/CSRF lab. Find a way to compromise the admin session.
Step 1: Understand the endpoint
Step 2: Perform an XSS attack for session hijacking to get the admin's cookie
Step 3: Replace your cookie with the admin's cookie to compromise the admin's profile
Try revisiting the Cross Site Scripting module's "Session Hijacking" section. I used the exact same technique. You can do XSS on Julie's profile page, and then use the API endpoint to make the admin visit her profile and steal the admin cookie.
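On the defender's side of the same steps, the replayed cookie leaves a trace: one auth-session value presented by two different clients. The following is an added example, not code from the forum or the lab, that parses constructed access-log lines (a made-up log format that appends the auth-session cookie value) and flags exactly that pattern.

```python
import re

# Constructed sample log lines (not from the lab): the admin's session id is
# first used from 10.0.0.5, then replayed from 10.0.0.9 with a different UA.
# The format is assumed: a common log line with the UA and auth-session appended.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /login HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux)" auth-session=sess_admin_1
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /profile/julie HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux)" auth-session=sess_admin_1
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /profile/julie HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)" auth-session=sess_julie_7
10.0.0.9 - - [01/Jan/2024:10:00:40 +0000] "GET /admin HTTP/1.1" 200 "Mozilla/5.0 (Windows NT 10.0)" auth-session=sess_admin_1
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" auth-session=(?P<sid>\S+)$'
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_session_reuse(events):
    """Flag any session id later presented by a different (ip, user-agent) pair.

    The first client seen with a session id is treated as its owner; any other
    client presenting the same id is a hijack indicator worth investigating.
    """
    first_seen = {}  # sid -> (ip, ua) of the client that first used it
    alerts = []
    for ev in events:
        client = (ev["ip"], ev["ua"])
        owner = first_seen.setdefault(ev["sid"], client)
        if client != owner:
            alerts.append({"sid": ev["sid"], "original": owner,
                           "new": client, "request": ev["req"]})
    return alerts


if __name__ == "__main__":
    for alert in find_session_reuse(parse_log(SAMPLE_LOG)):
        print(alert)
```

Binding a session to a client fingerprint this way is a detection, not a fix; the fix for the attack described in this thread is an HttpOnly session cookie plus output encoding on the profile fields.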
I agree with the overthinking part. I feel like the module content was different than the other ones. This one felt a little bit unrefined and unfocused, so it gives you the impression that the skills assessment is harder than it really is.
Some high-level tips:
- Identify the session identifier.
- Identify the vulnerability on the form.
- Once the vulnerability gives you what you need, how do you "feed" it to others? And how do you "catch it" back?
  (Hint: if you are thinking other "end users" will "trip over" your payload… think again… this is where I got stuck.)
- That random API endpoint in the scope feels CTF'y, but it's an important part of the exercise; once you got an answer from it, the rest falls apart.
Hello, I've been struggling for quite a long time (> 5 days) now to finish this challenge. I know (I think) the vulnerable field and action for the XSS exploit and have tested some basic payloads to pop up something. I also know how to get the "adminVisited = true". So far so good. My problem is getting a working payload with a link to a script file on my host (with php -S). Each time I get a 404 error: Cannot GET /app/delete/…
Please, some hint for the right payload…
You’ve done well to get the adminVisited. That’s the most confusing part of this module. If I can nudge you, you shouldn’t be dealing with /app/delete (at least I didn’t). To finish now you just need to look at the XSS section in this module and recreate what you did before to get the CSRF token. Also, ignore the hint.
Thanks for your reply. Yes, I was wrong to use delete all the time for XSS. Now I know how to use it the right way. The only thing now is that every time I end up with the same session cookie (from Julie Rogers)…