Flash CTF – Admin Portal

Overview

In this web exploitation challenge, we are given access to a website that claims we need to be “admin” in order to view the flag.

Solution

Upon accessing the website, we’re greeted with a message saying “Access denied. This page is only available by administrators”. We can reasonably infer that in order to get to the flag, we’re going to need to become an administrator somehow. So how do we do that?

We aren’t given any source code for the website, so let’s start poking around the website and see what we can find. A great tool for doing this is our web browser’s developer tools, which can be accessed by pressing the F12 key. For this writeup, we will use Google Chrome’s DevTools, though any modern browser should suffice.

Looking at the source HTML code of the webpage (via the Elements or Sources tab), there doesn’t seem to be anything that stands out, so let’s move on.

If we go to the Network tab of our developer tools and try reloading the website, we can see details of the request we made to load the website and the response from the server. Looking through the response headers, we can see a very interesting one:

Set-Cookie: role=user; Path=/

Going to the Cookies tab within the Network tab confirms that there’s a cookie called “role” with the value “user”. Interesting, but what can we do with that? Well, browser developer tools let us change the value of cookies that are stored in our web browser. When we reload the page, the browser sends that cookie with its new value to the web server as part of the request to load the page, in the Cookie request header.

To actually edit the values of cookies, we can go to the Application tab of our developer tools, locate the Cookies dropdown menu, and click on the adminportal website to see its cookies. Sure enough, the “role” cookie is there with its value set to “user”. By double-clicking on “user” we can edit the cookie’s value. Given that the challenge mentions having to be an admin, let’s try setting the cookie’s value to “admin”.

After making our changes, we can reload the site and view the result in our browser. The webpage should change to a welcome message, and we are presented with the flag:

MetaCTF{co0ki3_p0wer3d_p0rt4l}
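
Why the cookie edit works, and one way a server can detect it, as an added example that is not part of the original writeup or the challenge's code (no source was provided). The first function is an assumed reconstruction of a server that trusts the role cookie as sent; the others sign the value with HMAC-SHA256 so an edited cookie fails verification. The key and all function names are constructed for illustration.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed key for this example; a real deployment loads it from secret storage.
SECRET_KEY = b"example-key-not-from-the-challenge"


def role_from_plain_cookie(cookie_header: str) -> str:
    """Assumed vulnerable pattern: trust whatever role the browser sends."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar["role"].value if "role" in jar else "anonymous"


def sign_role(role: str, key: bytes = SECRET_KEY) -> str:
    """Issue a cookie value of the form '<role>.<hex HMAC-SHA256 tag>'."""
    tag = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def role_from_signed_cookie(cookie_header: str, key: bytes = SECRET_KEY) -> str:
    """Return the role only if its tag verifies; otherwise treat as anonymous."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "role" not in jar:
        return "anonymous"
    role, sep, tag = jar["role"].value.rpartition(".")
    if not sep:
        # No tag at all, e.g. a hand-edited "role=admin".
        return "anonymous"
    expected = hmac.new(key, role.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag characters matched.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return role
    return "anonymous"
```

Signing only stops the value from being edited; it does not tie the role to a particular user or make it expire. Keeping the role in server-side session state, keyed by a random session ID, avoids putting the authorization decision in the cookie at all.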