Brute-forcing a stay-logged-in cookie

Lab Description

Walkthrough

Step 1: Initial Observations

Upon accessing the login page we find that there's a stay logged in checker

When logging in as the user wiener with the password peter, I checked the "Stay logged in" option.

After successfully logging in, I observed the following in the GET request:

A cookie named stay-logged-in was present:

stay-logged-in=d2llbmVyOjUxZGMzNDdkYzQ3ZDQzYTYwMTFlOWViYmJhNmNhNzcw

This token appeared Base64 encoded, so I decoded it to see its contents.

Step 2: Analyzing the Token

Decoding the stay-logged-in token with Base64 gave the following result:

From this, I identified:

wiener is the username.
51dc30ddc473d43a6011e9ebba6ca770 is an MD5 hash.

To confirm, I cracked the hash using an online MD5 cracker, and the plaintext was:

The token follows a predictable pattern:

Base64(username:MD5(password))

Step 3: Targeting the Victim

The goal is to access Carlos's account using this flaw. Since I know the token structure, I need to:

Generate carlos:MD5(password) for each password in the candidate password list.
Encode the result with Base64.
Replace the token in the cookie and send the request to identify the correct password.

Step 4: Automating the Attack

To automate this, I used Burp Suite Intruder.

Sending the Request to Intruder:
- I sent the GET request (containing the stay-logged-in cookie) to Burp Suite Intruder.
- I highlighted the stay-logged-in token for brute-forcing.
Configuring Payloads:
- I loaded the candidate password list as my payload source.
- In the Payload Processing section, I added the following rules to generate the required token format:
  - Rule 1: Hash each password using MD5.
  - Rule 2: Add the prefix carlos: to the hashed value.
  - Rule 3: Encode the result using Base64.

Example Transofrmation

Password: 123456

MD5 Hash: e10adc3949ba59abbe56e057f20f883e

After Prefix: carlos:e10adc3949ba59abbe56e057f20f883e

Base64: Y2FybG9zOmUxMGFkYzM5NDliYzU5YWJiZTU2ZTA1ZjIwZjg4M2U=

Running the Attack:

I started the Intruder attack and monitored the response status codes.

Step 5: Analyzing Results

Among the responses, I identified a request with a 200 OK status code, indicating the correct password was found. The payload looked like this:

Requesting in Browser (Original Session): To verify the token and log in as Carlos, I selected the successful request with the 200 OK status code. Using Burp Suite's Request in Browser feature:

Right-click on the successful request.
Choose Request in browser > In original session.

This action sends the request in my active browser session, and as a result, I successfully accessed Carlos's account page:

Step 6: Cracking Carlos's Password (For Confirmation)

To confirm Carlos's password, I extracted the stay-logged-in token from the request payload and decoded it using BASE64. This revealed the following format:

Previous2FA broken logic NextOffline password cracking

Last updated 1 year ago

hashtagLab Description

hashtagWalkthrough

hashtagStep 1: Initial Observations

hashtagStep 2: Analyzing the Token

hashtagStep 3: Targeting the Victim

hashtagStep 4: Automating the Attack

hashtagStep 5: Analyzing Results

hashtagRequesting in Browser (Original Session): To verify the token and log in as Carlos, I selected the successful request with the 200 OK status code. Using Burp Suite's Request in Browser feature:

hashtagStep 6: Cracking Carlos's Password (For Confirmation)