CyberTalents CTF: Admin has the power - Write-up

[Image: Presented Page]

Project information

  • Title: Admin has the power CTF
  • Organizer: CyberTalents
  • Project date: June, 2023
  • URL: www.cybertalents.com
Upon arriving at the webpage, my instinctual response is to analyze the HTML structure by utilizing the "Inspect" functionality within my browser.

[Image: Page Source Code]

This particular element caught my attention because it appears that the creator of the webpage has left behind a support account with its credentials embedded in a comment line. While it's not something you come across every day, it's not entirely unheard of either. At the bottom of the image, there's a comment that reads, "TODO: Remove this line, for maintenance purpose use this info (user:support password:x34245323)."
Driven by my curiosity, I couldn't resist the temptation to immediately try out the provided credentials before exploring alternative avenues such as hidden fields, functions related to cookie generation, and conducting tests for XSS and SQL injection. As expected, the login worked flawlessly, and I was greeted with the following screen:

[Image: Support Successful Login Page]

Since the rendered HTML doesn't offer any valuable information, I resort to my trusty tool, 'Inspect Element,' to see if I can stumble upon something intriguing. It dawns on me that since I'm already logged in, there should be a session cookie associated with my session. So, I navigate to the cookie section and, lo and behold, this is what I uncover:

[Image: Cookie inspection]

As I explore further, I notice that the server has provided us with two cookies: PHPSESSID and role. Interestingly, the role cookie is in plain text, revealing the specific role assigned to us. In a moment of curiosity, a thought crosses my mind: "What if I manually modify my role from 'support' to 'admin'?" It turns out that achieving this is quite straightforward. All I need to do is edit the cookie stored on my browser's side and then resubmit it to the server.

[Image: Role Changed to admin]

After quickly refreshing the page, the next screen greets me with the following content:

[Image: Flag]

From this screen, it becomes evident that the backend server acknowledged and accepted our modified cookie, granting us administrative access to the website. As a result, the flag 'hiadminyouhavethepower' is unveiled, indicating our newfound authority.
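
The flaw above and two ways to close it, as an added example that is not code from the challenge: a small Python model of the authorization check, not the site's actual PHP backend. The session store, session IDs, signing key and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: server-side session store keyed by session ID.
SESSIONS = {
    "sess-support-1": {"user": "support", "role": "support"},
    "sess-admin-1": {"user": "admin", "role": "admin"},
}
SECRET_KEY = secrets.token_bytes(32)  # assumed per-deployment signing key


def is_admin_vulnerable(cookies):
    """Flaw from the write-up: the client-supplied role cookie is trusted."""
    return cookies.get("PHPSESSID") in SESSIONS and cookies.get("role") == "admin"


def is_admin_server_side(cookies):
    """Fix 1: ignore the role cookie and read the role from session state."""
    session = SESSIONS.get(cookies.get("PHPSESSID", ""))
    return session is not None and session["role"] == "admin"


def sign_role(session_id, role):
    """Fix 2: if the role must travel in a cookie, bind it to the session."""
    msg = f"{session_id}|{role}".encode()
    tag = hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()
    return f"{role}.{tag}"


def is_admin_signed(cookies):
    """Accept the role only if its HMAC matches this session and role."""
    session_id = cookies.get("PHPSESSID", "")
    role, _, tag = cookies.get("role", "").rpartition(".")
    if session_id not in SESSIONS or not role:
        return False
    expected = sign_role(session_id, role).rpartition(".")[2]
    return hmac.compare_digest(tag.encode(), expected.encode()) and role == "admin"


if __name__ == "__main__":
    tampered = {"PHPSESSID": "sess-support-1", "role": "admin"}  # edited cookie
    print("vulnerable :", is_admin_vulnerable(tampered))
    print("server-side:", is_admin_server_side(tampered))
    print("signed     :", is_admin_signed(tampered))
```

Keeping the role in server-side session state is the simpler fix; the signed cookie only matters when the role has to be readable without a session lookup.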
Thank you for taking the time to read this. I can be reached on