Brute-forcing a stay-logged-in cookie

Lab Description

Walkthrough

Step 1: Initial Observations

Upon accessing the login page we find that there's a stay logged in checker

When logging in as the user wiener with the password peter, I checked the "Stay logged in" option.

After successfully logging in, I observed the following in the GET request:

  • A cookie named stay-logged-in was present:

stay-logged-in=d2llbmVyOjUxZGMzNDdkYzQ3ZDQzYTYwMTFlOWViYmJhNmNhNzcw

This token appeared Base64 encoded, so I decoded it to see its contents.

Step 2: Analyzing the Token

Decoding the stay-logged-in token with Base64 gave the following result:

From this, I identified:

  • wiener is the username.

  • 51dc30ddc473d43a6011e9ebba6ca770 is an MD5 hash.

To confirm, I cracked the hash using an online MD5 cracker, and the plaintext was:

The token follows a predictable pattern:

Base64(username:MD5(password))

Step 3: Targeting the Victim

The goal is to access Carlos's account using this flaw. Since I know the token structure, I need to:

  1. Generate carlos:MD5(password) for each password in the candidate password list.

  2. Encode the result with Base64.

  3. Replace the token in the cookie and send the request to identify the correct password.

Step 4: Automating the Attack

To automate this, I used Burp Suite Intruder.

  1. Sending the Request to Intruder:

    • I sent the GET request (containing the stay-logged-in cookie) to Burp Suite Intruder.

    • I highlighted the stay-logged-in token for brute-forcing.

  2. Configuring Payloads:

    • I loaded the candidate password list as my payload source.

    • In the Payload Processing section, I added the following rules to generate the required token format:

      • Rule 1: Hash each password using MD5.

      • Rule 2: Add the prefix carlos: to the hashed value.

      • Rule 3: Encode the result using Base64.

Example Transofrmation

Password: 123456

MD5 Hash: e10adc3949ba59abbe56e057f20f883e

After Prefix: carlos:e10adc3949ba59abbe56e057f20f883e

Base64: Y2FybG9zOmUxMGFkYzM5NDliYzU5YWJiZTU2ZTA1ZjIwZjg4M2U=

Running the Attack:

  • I started the Intruder attack and monitored the response status codes.

Step 5: Analyzing Results

Among the responses, I identified a request with a 200 OK status code, indicating the correct password was found. The payload looked like this:

Requesting in Browser (Original Session): To verify the token and log in as Carlos, I selected the successful request with the 200 OK status code. Using Burp Suite's Request in Browser feature:

  1. Right-click on the successful request.

  2. Choose Request in browser > In original session.

This action sends the request in my active browser session, and as a result, I successfully accessed Carlos's account page:

Step 6: Cracking Carlos's Password (For Confirmation)

To confirm Carlos's password, I extracted the stay-logged-in token from the request payload and decoded it using BASE64. This revealed the following format:

Previous2FA broken logicNextOffline password cracking

Last updated

Was this helpful?