By clicking on continue as a guest, I got the following page:
Guest Home
As the title of the challenge suggests, I decided to inspect the cookies using ChromeDevTools:
Cookies
As we can see, we have a PHPSESSID, which are the standard session cookies for PHP, indicating that the user has an active session, and then we have isAdmin set to 0, which indicates whether the user with the active session is an admin or not. Since the value 0 equals False in boolean logic, it’s highly likely that setting this value to 1 will result in True, thus granting admin access (privileged user).
๐ฏ Solution Path
Exploitation Steps
Initial setup
To modify the cookies, you need to open the Application tab in the DeveloperTools (CTRL+SHIFT+I), then go to the Cookie section. By double-clicking on the value of the cookie, you can modify it. After making the changes, simply refresh the page with F5, and the new cookies will be automatically applied.
Exploitation
I simply followed the procedure I just described, setting isAdmin=1, and after refreshing the page, I obtained the flag.
Flag capture
Manual Flag
๐ ๏ธ Exploitation Process
Approach
L’exploit automatico fa una richiesta GET (con una sessione) alla pagina per estrapolare i cookies, dopodichรจ il modifica settando isAdmin=1 e fa un ulteriore richiesta GET per estrarre la flag dalla risposta tramite una regex.
