Session Security - Skills Assessment

Anyone able to give me a nudge on how to complete the Session Security Skills Assessment? I am able to query the API endpoint (http://minilab.htb.net/submit-solution) and have the Target connect to my netcat listener or a hosted file, and I see a message indicating AdminVisited = True. So I suspect something like this is needed to find the admin auth-session. But when I use Wireshark, the auth-session cookie is the same as when I just navigate to the login page.

Right now I am kind of at a loss as to how to proceed, so any hints would be much appreciated!

Edit: SOLVED! If anyone needs help feel free to DM me :slight_smile:

@jarednexgent, Hey I sent you a DM, but please disregard it. I just solved it. Kinda kicking myself for wasting so much time lol.

To anyone who is on the skills assessment and comes here struggling: take a deep breath and stop overthinking it. I am gonna say right now that the hint was misleading as all ****. I went down some crazy rabbit holes for like 3 hours, only to sleep on it and get it in less than 30 minutes today!

It was a good final assessment though. But, as always feel free to reach out.
-onthesauce


Could you give me a hint on the road to the flag? I have wasted about a week on this assessment.

I wasted so much time trying to chain exploits together in stupid ways to get the admin's profile to be visible. Only to realize, if the profile was visible, I still wouldn't be able to find it because I didn't know the email haha!

This is a good thought in the right direction. And should be hint enough. Since you don’t know the admin’s email address there is no point in replicating the XSS/CSRF lab. Find a way to compromise the admin session.

Which HTML tag in the payload do I need to use to refer to my host?

You can DM the payload you are using, but that doesn't sound like the right payload to get the admin's session.
-onthesauce

Step 1: Understand the endpoint
Step 2: Perform an XSS attack leading to session hijacking to get the admin's cookie
Step 3: Replace your cookie with the admin's cookie to compromise the admin's profile


Thx m8! :grinning: :smiley: :smile: :laughing: :laughing: :sweat_smile: :joy:

I did the same thing and it didn't work

Please help!

@jydn879, use @Satellite’s advice.


Try revisiting the Cross Site Scripting module "Session Hijacking" section. I used the exact same technique. You can do XSS on Julie's profile page, and then use the API endpoint to make the admin visit her profile and steal the admin cookie.


wow the hint was pretty misleading

Haha right? I definitely could have done without the hint.

I'm in the same situation. Can you give me a hint? I see the same message; I will probably get the cookie with XSS.

Solved: I was being stupid and using an incorrect payload.

I found the XSS. I tested it and got my own cookie, but I'm stuck. I did find this:

image

And tried to generate a CSRF token but to no avail. Do I have to create the token or do I have to trigger something to get it?

I agree with the overthinking part. I feel like the module content was different than the other ones. This one felt a little bit unrefined and unfocused, so it gives you the impression that the skills assessment is harder than it really is.

Some high-level tips:

  • identify the session identifier
  • identify the vulnerability on the form
  • once the vulnerability gives you what you need, how do you "feed" it to others? And how do you "catch it" back?
    (hint: if you are thinking other "end users" will "trip over" your payload... think again... this is where I got stuck)
  • that random API endpoint in the scope feels CTF'y, but it's an important part of the exercise; once you get an answer from it, the rest falls apart

Hello, I've been struggling for quite a long time (> 5 days) now to finish this challenge. I know (I think) the vulnerable field and action for the XSS exploit and have tested some basic payloads to pop something up. I also know how to get the "adminVisited = true". So far so good. My problem is getting a working payload with a link to a script file on my host (with php -S). Each time I get a 404 error: Cannot GET /app/delete/…
Please, some hint for the right payload...

You’ve done well to get the adminVisited. That’s the most confusing part of this module. If I can nudge you, you shouldn’t be dealing with /app/delete (at least I didn’t). To finish now you just need to look at the XSS section in this module and recreate what you did before to get the CSRF token. Also, ignore the hint.

Thanks for your reply. Yes, I was wrong to use delete all the time for XSS. Now I know how to use it the right way. The only thing now: every time I end up with the same session cookie (from Julie Rogers)...