- Category: web
Challenge was available at
http://hypeman.shallweplayaga.me where we found a login form:
Clicking on Secrets link bring back to login so we tried to login as
ZeroOFFset, getting to this page:
So we tried to see admin secret but an error occurred:
The error told has we were facing a ruby web application built upon Rack and the debug was enabled.
Looking at the error report we found some interesting stuff:
Moreover a piece of app source was displayed:
Maybe we can change the cookie to
admin user and get through this error!
But it wasn’t so simple, the cookie was there, but it was encoded in some sort of base64 and an hash (the part after
Rack is an open source project so we looked for the source code handling the cookies, and we found it on github.
Looking at those sources we built this script that take the base64 encoded part of a cookie and creates a new one with
user_name set to
The secret needed to create the hash was displayed in plaintext in the debug report, as highlighted previously.
So we copied the cookie created by the application when we logged in as
ZeroOFFset, we replaced
<your cookie goes here> in the script above
with the base64 part of the cookie and we completely replaced the cookie with the one generated by the script.
And here it is the key!
Key FOUND: watch out for this Etdeksogav