Session Security - Skills Assessment

Anyone able to give me a nudge on how to complete the Session Security Skills Assessment? I am able to query the API endpoint (http://minilab.htb.net/submit-solution) and have the Target connect to my netcat listener or a hosted file, and I see a message indicating AdminVisited = True. So I suspect something like this is needed to find the admin auth-session. But when I use Wireshark, the auth-session cookie is the same as when I just navigate to the login page.

Right now I am kind of at a loss as to how to proceed, so any hints would be much appreciated!

Edit: SOLVED! If anyone needs help feel free to DM me :slight_smile:

@jarednexgent, Hey I sent you a DM, but please disregard it. I just solved it. Kinda kicking myself for wasting so much time lol.

To anyone who is on the skills assessment and comes here struggling: take a deep breath and stop overthinking it. I am gonna say right now that the hint was misleading as all ****. I went down some crazy rabbit holes for like 3 hours only to sleep on it and get it in less than 30 minutes today!

It was a good final assessment though. But, as always feel free to reach out.
-onthesauce

Could you hint me the road to the flag? I have wasted about a week on this assessment.

I wasted so much time trying to chain exploits together in stupid ways to get the admin's profile to be visible. Only to realize, if the profile was visible, I still wouldn't be able to find it because I didn't know the email haha!

This is a good thought in the right direction. And should be hint enough. Since you don’t know the admin’s email address there is no point in replicating the XSS/CSRF lab. Find a way to compromise the admin session.

Which HTML tag in the payload do I need to use to refer to my host?

You can DM the payload you are using, but that doesn't sound like the right payload to get the admin's session.
-onthesauce

Step 1: Understand the endpoint
Step 2: Perform an XSS attack leading to session hijacking to get the admin's cookie
Step 3: Replace your cookie with the admin's cookie to compromise the admin's profile

3 Likes

Thx m8! :grinning: :smiley: :smile: :laughing: :laughing: :sweat_smile: :joy:

I did the same thing and it didn't work

Please help!

@jydn879, use @Satellite’s advice.

1 Like

Try revisiting the Cross Site Scripting module "Session Hijacking" section. I used the exact same technique. You can do XSS on Julie's profile page, and then use the API endpoint to make the admin visit her profile and steal the admin cookie.

2 Likes
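The technique the thread converges on works only because the session cookie is readable from page script and is sent without the usual protective attributes. As an added example (not from any poster and not from the lab), here is a small audit routine a defender would run against a `Set-Cookie` header to see which of those attributes are missing, alongside the hardened form of the same cookie. The cookie name `auth-session` is taken from the thread; the values and headers are constructed.

```javascript
// Added example: audit a Set-Cookie header for the attributes that limit
// what an injected script or a cross-site request can do with a session cookie.
// The sample headers below are constructed, not captured from the lab.

// Parse "name=value; Attr; Attr=val" into a small object. Attribute keys are
// lower-cased so the check is case-insensitive, as browsers treat them.
function parseSetCookie(header) {
  const [nameValue, ...rawAttrs] = header.split(';').map(s => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1), attrs: {} };
  for (const attr of rawAttrs) {
    if (!attr) continue;                       // tolerate a trailing ';'
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Return the findings a reviewer would raise for a session cookie.
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const findings = [];
  if (!c.attrs.httponly) {
    findings.push('missing HttpOnly: readable via document.cookie, so injected script can exfiltrate it');
  }
  if (!c.attrs.secure) {
    findings.push('missing Secure: sent over plain HTTP, visible to anyone capturing traffic');
  }
  const sameSite = typeof c.attrs.samesite === 'string' ? c.attrs.samesite.toLowerCase() : null;
  if (!sameSite || sameSite === 'none') {
    findings.push('SameSite missing or None: attached to cross-site requests, so CSRF is possible');
  }
  return { name: c.name, ok: findings.length === 0, findings };
}

// The corrected header: script cannot read it, it only travels over TLS,
// and it is not attached to top-level cross-site POSTs.
function hardenedSetCookie(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample headers (hypothetical session value).
const WEAK_HEADER = 'auth-session=abc123; Path=/';
const STRONG_HEADER = hardenedSetCookie('auth-session', 'abc123');

console.log(auditSessionCookie(WEAK_HEADER));    // ok: false, three findings
console.log(auditSessionCookie(STRONG_HEADER));  // ok: true, no findings
```

Note that `HttpOnly` stops the cookie from being read by script, but it does not stop an injected script from making requests with the victim's session from inside their browser; that is why the `SameSite` and CSRF-token checks in the same module still matter, and why the first fix is always output encoding on the profile fields that accept user input.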

wow the hint was pretty misleading

Haha right? I definitely could have done without the hint.

I'm in the same situation. Can you give me a hint? I see the same message; I will probably get the cookie with XSS.

Solved : I was being stupid and using incorrect payload.

I found the XSS. I tested got my own cookie, but I’m stuck. I did find this

image

And tried to generate a CSRF token but to no avail. Do I have to create the token or do I have to trigger something to get it?