Overview
In this web exploitation challenge, we are given access to a website that claims we need to be “admin” in order to view the flag.
Solution
Upon accessing the website, we’re greeted with a message saying “Access denied. This page is only available by administrators”. We can reasonably infer that in order to get to the flag, we’re going to need to become an administrator somehow. So how do we do that?
We aren’t given any source code for the website, so let’s start poking around the website and see what we can find. A great tool for doing this is our web browser’s developer tools, which can be accessed by pressing the F12 key. For this writeup, we will use Google Chrome’s DevTools, though any modern browser should suffice.
Looking at the source HTML code of the webpage (via the Elements or Sources tab), there doesn’t seem to be anything that stands out, so let’s move on.
If we go to the Network tab of our developer tools and try reloading the website, we can see details of the request we made to load the website and the response from the server. Looking through the response headers, we can see a very interesting one:
Set-Cookie: role=user; Path=/
Going to the Cookies tab within the Network tab confirms that there’s a cookie called “role” with the value “user”. Interesting, but what can we do with that? Well, browser developer tools have the ability to change the value of cookies that are stored in our web browser’s session. When we reload the page, we’ll send that cookie with its new value to the web server as part of the request to load the page (usually in the form of a request header with the cookie as its value).
To actually edit the values of cookies, we can go to the Application tab of our developer tools, locate the Cookies dropdown menu, and click on the adminportal website to see its cookies. Sure enough, the “role” cookie is there with its value set to “user”. By double-clicking on “user” we can edit the cookie’s value. Given that the challenge mentions having to be an admin, let’s try setting the cookie’s value to “admin”.
After making our changes, we can reload the site and view the result in our browser. The webpage should change to a welcome message, and we are presented with the flag:
MetaCTF{co0ki3_p0wer3d_p0rt4l}
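The root cause is that the server makes an authorization decision from a cookie value the client fully controls. The following is an added example, not part of the original writeup and not the challenge's code (no source was provided, so `naive_is_admin` is only a presumed reconstruction of the check); it places that check beside a hardened form that binds the role to an HMAC tag computed with a server-side secret. All function names and the `role.tag` cookie layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a per-deployment secret held only by the server.
# Generated at import time here so the example runs offline.
SECRET_KEY = secrets.token_bytes(32)


def naive_is_admin(cookies: dict) -> bool:
    """Presumed vulnerable check: trusts the client-supplied role as-is."""
    return cookies.get("role") == "admin"


def _tag(role: str) -> str:
    """HMAC-SHA256 of the role under the server secret, hex encoded."""
    return hmac.new(SECRET_KEY, role.encode(), hashlib.sha256).hexdigest()


def issue_role_cookie(role: str) -> str:
    """Build the cookie value as 'role.tag' so later edits are detectable."""
    return f"{role}.{_tag(role)}"


def verified_role(cookies: dict) -> Optional[str]:
    """Return the role only if its tag verifies; None for any edited value."""
    role, sep, tag = cookies.get("role", "").rpartition(".")
    if not sep:
        return None  # no tag at all, e.g. a bare "admin"
    # Compare as bytes, in constant time, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(tag.encode(), _tag(role).encode()):
        return None
    return role


def hardened_is_admin(cookies: dict) -> bool:
    return verified_role(cookies) == "admin"


if __name__ == "__main__":
    # Constructed sample cookies: one edited in the browser, one server-issued.
    edited = {"role": "admin"}
    issued = {"role": issue_role_cookie("user")}
    print("naive accepts edited cookie:   ", naive_is_admin(edited))
    print("hardened accepts edited cookie:", hardened_is_admin(edited))
    print("hardened role for issued cookie:", verified_role(issued))
```

A signed value still travels with the client, so it can be replayed if copied; keeping the role in server-side session state keyed by a random session identifier avoids exposing it at all.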