
AoC3 Day 2: Cookie Manipulation

    If you are new to TryHackMe, I recommend checking out their Tutorial room to see how the platform works and how you can access the target machine(s). I also highly recommend using your own “attack box”, be it Kali, Parrot, or some other pentesting-oriented Linux distro (in the form of a VM), as opposed to the browser-based solution TryHackMe provides. I’ve found that the browser-based VM is a lot slower, though others seem to have no issues with it. The only extra step that using your own attack VM entails is connecting it to THM’s network through a VPN, and this is incredibly easy, as TryHackMe will supply you with your own OpenVPN configuration file; the process is outlined below.

    Types of Challenges

    The TryHackMe platform has multiple types of challenges, each potentially having its own requirements for accessing and completing it. You can identify the type of challenge by looking at the icon on the right-hand side of the collapsible bar for that particular challenge:

    Challenges using the “server rack” icon include the use of a deployable machine, and are the most common. Pressing the “Start Machine” button will launch a virtual machine that you have two ways of accessing: using THM’s “attack box”, found at the top of your browser window:

    Or, you can instead opt to use your own virtual machine connected to the THM network, which is done (on Linux) by clicking your user icon, “Access”, and then “Download My Configuration File”.

    Clicking “Save File”

    And by running the following command in a terminal (I might suggest you move the download to another folder, such as “Documents”):

    Once you see “Initialization Sequence Completed”, you’ll know you’ve successfully connected to THM’s network. Keep this terminal window open (you can minimize it, however). Return to it and press “Ctrl” + “C” twice once you are ready to disconnect.

    After you’ve chosen between THM’s attack box or your own virtual machine, you’ll need the IP address of the target machine, which is what was deployed earlier with the green “Start Machine” button. That information can be seen in a banner at the top of your browser window, or in more detail at the top of the page:

    In many cases you’ll be copying that IP address into the address bar of your attack box/VM’s browser, but in other cases you might be accessing the machine through SSH, RDP, etc. You’ll notice that you can add time to the machine if needed, or terminate it if you finish early, freeing up resources for other THM users.

    Challenges using the “browser” icon require interaction with a simulated website that can be accessed by pressing the “View Site” button seen after expanding the challenge. These challenges need to be completed from within your browser, and cannot be accessed through a VPN on your own machine, because they are not true websites.

    Challenges with the “download” icon include files, in many cases packet captures (pcaps) or log files, to be examined with a specific type of software. Where you do this examining is up to you, but you will not be able to use one of TryHackMe’s machines. For examining something like a .pcap file, you will want to install Wireshark on one of your own computers or VMs.

    Challenges without an icon focus on either reading material and answering questions, or will include a link to a publicly accessible website that doesn’t require connection to THM’s network, and therefore can be completed from any computer you choose.

    TryHackMe; Advent of Cyber 3; Day 2 Walkthrough

    Day 2’s event is all about cookies, and the ways they can be manipulated or otherwise exploited for the purposes of an attacker.

    After we’ve connected to the VPN or initialized TryHackMe’s attack box, we’ll want to access the target machine’s webpage by typing in the IP in our address bar. Once the login page has loaded, we will supply it with some throwaway credentials.

    This should bring us to an error page, after which we can press “F12” to pull up the developer tools. I will be using Firefox, so while your interface and shortcuts may differ if using Chrome or another browser, the concepts will be the same. Once in the developer tools, we will navigate to “Storage” and then expand the “Cookies” section.

    Here we can see a cookie labeled “user-auth”, which we can deduce is associated with our attempted login. The value stored in the cookie looks like it might be hexadecimal, since it consists entirely of digits and the letters “A” through “F”.

    We can validate this using any number of tools, but I chose to use a browser-based hexadecimal to text converter, called Cryptii.

    Now we can see the format of the data contained in the cookie itself, which appears to be JSON. If you are not yet familiar with the layout of JSON (JavaScript Object Notation), you can recognize it by its use of attribute-value pairs enclosed in curly brackets.

    Another example of JSON

    Now that we understand the structure of the cookies used by this web app, we can change the value of the “username” attribute to “admin”, encode it back into hexadecimal, and use that new cookie to replace the one currently stored in our browser.

    You might find that some of these online tools use a space as a delimiter when converting from plaintext back to hexadecimal, because that’s how hexadecimal is commonly represented, especially in things like hex editors. You can see what I mean below, after I had changed the username attribute to “admin”.

    To remedy this, we’ll want to change “Group By” from “Byte” to “None”. The encoded string we produced will be the administrator cookie.

    After we’ve done that, we can copy the hexadecimal-encoded text from whichever tool we are using back over to the developer tools window on the target machine’s web page, replacing the value that used to be there.

    Now, refresh your browser using the button or the “F5” key. In my case this worked, but others had to do a hard refresh (which ignores what’s in your cache) by pressing Ctrl + F5.
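The decode/edit/re-encode round trip above, and the reason it works, can be shown in a few lines of Python. This is an added example, not code from the walkthrough or the challenge app; the cookie value is a constructed sample and the signing key is a placeholder. The server-side fix is also shown: once the cookie carries an HMAC, an edited payload no longer verifies.

```python
import hashlib
import hmac
import json

# Constructed sample cookie: hex-encoded JSON, as in the walkthrough.
# This is NOT the value from the challenge machine.
SAMPLE_COOKIE = "7b22757365726e616d65223a226775657374227d"


def decode_cookie(hex_value: str) -> dict:
    """Hex -> bytes -> JSON, mirroring what the Cryptii step does by hand."""
    return json.loads(bytes.fromhex(hex_value).decode("utf-8"))


def encode_cookie(data: dict) -> str:
    """JSON -> bytes -> hex with no byte separators ('Group By: None')."""
    return json.dumps(data, separators=(",", ":")).encode("utf-8").hex()


# The defender's fix: append an HMAC so the server can detect edits.
# SECRET is a placeholder; a real app loads it from server-side config.
SECRET = b"server-side-secret-placeholder"


def sign_cookie(data: dict, key: bytes = SECRET) -> str:
    payload = encode_cookie(data)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(signed: str, key: bytes = SECRET):
    """Return the decoded dict if the tag matches, else None (reject it)."""
    payload, _, tag = signed.rpartition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decode_cookie(payload)


if __name__ == "__main__":
    original = decode_cookie(SAMPLE_COOKIE)
    print("decoded:", original)
    # Unsigned cookie: the server cannot tell an edited value from a real one.
    edited = dict(original, username="admin")
    print("re-encoded edit:", encode_cookie(edited))
    # Signed cookie: the same edit without the key fails verification.
    _, _, tag = sign_cookie(original).rpartition(".")
    print("tampered verifies:", verify_cookie(f"{encode_cookie(edited)}.{tag}"))
```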

    Now that we are logged in as the administrator account, we have the information we need to complete the room – namely, what team environment is not responding and what team environment has a network warning.