mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-22 03:53:03 +00:00
Create Lab 1.md
parent
c313d03b22
commit
b967409673
1 changed files with 48 additions and 0 deletions
48
Portswigger/Insecure Deserialization/Lab 1.md
Normal file
|
@ -0,0 +1,48 @@
|
|||
# Portswigger Insecure Deserialization - Lab 1
|
||||
|
||||
## Modifying serialized objects
|
||||
|
||||
In this lab we need to modify the session cookie which is using serlialization through which we need to escalate our privileges to administrator user and then delete the carlos user
|
||||
|
||||
<img src="https://i.imgur.com/kaGspTX.png"/>
|
||||
|
||||
We can login with the credentials `wiener:peter`
|
||||
|
||||
<img src="https://i.imgur.com/dtALDtP.png"/>
|
||||
|
||||
After logging in we'll see the session token
|
||||
|
||||
<img src="https://i.imgur.com/3MbdElV.png"/>
|
||||
|
||||
```
|
||||
Tzo0OiJVc2VyIjoyOntzOjg6InVzZXJuYW1lIjtzOjY6IndpZW5lciI7czo1OiJhZG1pbiI7YjowO30%3d
|
||||
```
|
||||
|
||||
Which is base64 encoded, we can decode this, I used cyberchef
|
||||
|
||||
<img src="https://i.imgur.com/MUd4vTf.png"/>
|
||||
|
||||
Now to understand the serlized cookie
|
||||
|
||||
```
|
||||
O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}
|
||||
```
|
||||
|
||||
- `O:4` represents that `User` is a object of length 4, which has 2 attributes which are username and admin
|
||||
- `username` is a string of length `8`, which has the value `wiener` of length `6`
|
||||
- `admin` is a string with length `5` which has a boolean value which is represented by `b` having the value `0` which is false
|
||||
|
||||
So we need to make this value true with `b:1`
|
||||
|
||||
<img src="https://i.imgur.com/FDEpRNF.png"/>
|
||||
|
||||
<img src="https://i.imgur.com/gghSrSP.png"/>
|
||||
|
||||
After refreshing the page we'll see that we have access to admin panel
|
||||
|
||||
<img src="https://i.imgur.com/4cubhe2.png"/>
|
||||
|
||||
And we can delete carlos user and complete the lab
|
||||
|
||||
<img src="https://i.imgur.com/W9kXxaY.png"/>
|
||||
|
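Review bot: The three bullets under the decoded cookie mislabel the serialized tokens. In the `admin` bullet, `s:5:"admin"` is the property name (a string key of length 5) and `b:0` is its separate boolean value, so `admin` is not "a string ... which has a boolean value". In the first bullet, the `4` in `O:4:"User"` is the length of the class name `User`, not of the object. Suggest rewording the bullets as key/value pairs, for example "property `admin` (string key, length 5) holds the boolean `b:0`, which is false". The cookie shown also ends in `%3d`, so the sentence "Which is base64 encoded" should say the value is URL-decoded before base64 decoding, and that the modified object has to be base64-encoded and URL-encoded again before it is sent; the prose currently jumps from `b:1` to refreshing the page. Spelling: "serlialization" and "serlized" should read "serialization" and "serialized". A closing sentence naming the cause (the application trusts a client-held serialized object for the `admin` flag with no integrity check) would make the write-up useful beyond the lab steps.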