Daemon Of Hacking
  • WELCOME!
    • 👋/home/usr/KruKnight
  • METHODOLOGIES & RESOURCES
    • Passwords & Attacks
    • Post Exploitation
      • 👀Situational Awareness
      • 🖥️Privilege Escalation
        • Linux Privilege Escalation
        • Windows Privilege Escalation
  • Writeups
    • CyCtf 2024
      • Vending Machine
      • Aerospace
      • OhMyCell
    • Portswigger Labs
      • Authentication
        • Username enumeration via different responses
        • 2FA simple bypass
        • Password reset broken logic
        • Username enumeration via subtly different responses
        • Username enumeration via response timing
        • Broken Brute-Force Protection, IP Block
        • Username enumeration via account lock
        • 2FA broken logic
        • Brute-forcing a stay-logged-in cookie
        • Offline password cracking
        • Password reset poisoning via middleware
        • Password brute-force via password change
        • Broken brute-force protection, multiple credentials per request
      • Os Command Injection
        • OS command injection, simple case
        • Blind OS command injection with time delays
        • Blind OS command injection with output redirection
        • Blind OS command injection with out-of-band interaction
        • Blind OS command injection with out-of-band data exfiltration
      • Cross-Origin Resource Sharing (CORS)
        • CORS vulnerability with basic origin reflection
        • CORS vulnerability with trusted null origin
        • CORS vulnerability with trusted insecure protocols
      • Server-side template injection
        • Basic server-side template injection
        • Basic server-side template injection (code context)
      • Server-Side Request Forgery (SSRF)
        • Basic SSRF against the local server
        • Basic SSRF against another back-end
        • Blind SSRF with out-of-band detection
        • SSRF with blacklist-based input filter
        • SSRF with filter bypass via open redirection vulnerability
      • Path Traversal
  • 🟩HTB Writeups
    • Heal
Powered by GitBook
On this page
  • Lab Description
  • Walkthrough
  • Step 1: Initial Observations
  • Step 2: Analyzing the Token
  • Step 3: Targeting the Victim
  • Step 4: Automating the Attack
  • Step 5: Analyzing Results
  • Step 6: Cracking Carlos's Password (For Confirmation)

Was this helpful?

  1. Writeups
  2. Portswigger Labs
  3. Authentication

Brute-forcing a stay-logged-in cookie

Previous2FA broken logicNextOffline password cracking

Last updated 5 months ago

Was this helpful?

Lab Description

Walkthrough

Step 1: Initial Observations

Upon accessing the login page we find that there's a stay logged in checker

When logging in as the user wiener with the password peter, I checked the "Stay logged in" option.

After successfully logging in, I observed the following in the GET request:

  • A cookie named stay-logged-in was present:

stay-logged-in=d2llbmVyOjUxZGMzNDdkYzQ3ZDQzYTYwMTFlOWViYmJhNmNhNzcw

This token appeared Base64 encoded, so I decoded it to see its contents.

Step 2: Analyzing the Token

Decoding the stay-logged-in token with Base64 gave the following result:

From this, I identified:

  • wiener is the username.

  • 51dc30ddc473d43a6011e9ebba6ca770 is an MD5 hash.

To confirm, I cracked the hash using an online MD5 cracker, and the plaintext was:

The token follows a predictable pattern:

Base64(username:MD5(password))

Step 3: Targeting the Victim

The goal is to access Carlos's account using this flaw. Since I know the token structure, I need to:

  1. Generate carlos:MD5(password) for each password in the candidate password list.

  2. Encode the result with Base64.

  3. Replace the token in the cookie and send the request to identify the correct password.

Step 4: Automating the Attack

To automate this, I used Burp Suite Intruder.

  1. Sending the Request to Intruder:

    • I sent the GET request (containing the stay-logged-in cookie) to Burp Suite Intruder.

    • I highlighted the stay-logged-in token for brute-forcing.

  2. Configuring Payloads:

    • I loaded the candidate password list as my payload source.

    • In the Payload Processing section, I added the following rules to generate the required token format:

      • Rule 1: Hash each password using MD5.

      • Rule 2: Add the prefix carlos: to the hashed value.

      • Rule 3: Encode the result using Base64.

Example Transofrmation

Password: 123456

MD5 Hash: e10adc3949ba59abbe56e057f20f883e

After Prefix: carlos:e10adc3949ba59abbe56e057f20f883e

Base64: Y2FybG9zOmUxMGFkYzM5NDliYzU5YWJiZTU2ZTA1ZjIwZjg4M2U=

Running the Attack:

  • I started the Intruder attack and monitored the response status codes.

Step 5: Analyzing Results

Among the responses, I identified a request with a 200 OK status code, indicating the correct password was found. The payload looked like this:

Requesting in Browser (Original Session): To verify the token and log in as Carlos, I selected the successful request with the 200 OK status code. Using Burp Suite's Request in Browser feature:

  1. Right-click on the successful request.

  2. Choose Request in browser > In original session.

This action sends the request in my active browser session, and as a result, I successfully accessed Carlos's account page:

Step 6: Cracking Carlos's Password (For Confirmation)

To confirm Carlos's password, I extracted the stay-logged-in token from the request payload and decoded it using BASE64. This revealed the following format: