The BodgeIT Store Series #6, Access Someone Else’s Basket – #bodgeit #infosec #pentest #appsec #webapp

Happy Hacking!

Today’s post is #6 in the BodgeIt Store series.

To view post #5 in the BodgeIt Store series click HERE.

The topic for today is to access someone else’s basket.

First, let’s go to the admin page, and notice the different basket ids:

bodgeit_new_admin

We see that for each user – there’s a corresponding basket id.

Let’s go to the Your Basket page. Going there we see the following:
bodgeit_new_your_basket

Let’s open Burp and see if our traffic will reveal anything to us.

After opening Burp, and clicking on the “Update Basket” button we see:

bodgeit_basketid_initial

Hmm.. we see there’s a cookie value of b_id. Could this possibly be basket id?

Let’s try changing the value from 8 to 0 (which is the admin basket).

bodgeit_basketid_admin_not_working

bodgeit_basketid_admin_not_working_basket

OK… we see that the basket has been updated and we received a system error. This let’s me know that admin basket didn’t work too good.

Let’s go back and try another basket id of 1 which is the user1 account.

bodgeit_basketid_initial

bodgeit_basketid_changed_value

bodgeit_basketid_final

OK, changing the basket from 8 to 1 (user1 account) we see that our basket has been updated to show the user1 basket.

Let’s go back to the scoring page and see if we have successfully solved the challenge.

bodgeit_scoring_8

We solved the challenge successfully!

InfoSec Institute CTF Challenge #4

Another day, another challenge…

Today’s challenge is #4 from the InfoSec Institute CTF challenge.

Going to the following link we see the following:

infosec_4_intro

Doing a right click view page source we see the following:

infosec_4_pagesource

Looking at the page we see the following hint – “Hypertext Transmission Protocol”

Pressing F12 to view the developer tools and going to the “Network” tab we see the following:

infosec_4_cookie

Inside the set-cookie we see “fusrodah=vasbfrp_syntvf_jrybirpbbxvrf”. This is interesting…

Doing a quick Google search and putting in the second half of our value we get the following link for ROT-13.

ROT-13 is a rotation 13 cipher. This cipher rotates each character by 13 characters.

Using the following site, and putting in our value we get:

infosec_4_final

We retrieved the flag.

Lessons learned:

Use the hints provided. We our trust right click, view page source, but that didn’t help us. Going back to the page we noticed that the hint was HTTP. Using the development tools inside Chrome and going to the network tab we saw the files retrieved when accessing the site.

Clicking on the page, and viewing the headers we noticed that the cookie was being set. Using this information inside Google we were able to decode the message.