CopyPasta

Our favorite code sharing platform is back with the hint BAC

After my usual playing around and clicking all the buttons, I went to BurpSuite and noticed that the session was organized by a cookie rather than a JWT. Interesting...

That %3D caught my eye, that's a =, could this be a URL-encoded Base64 string?

Well yes, it is! And the Base64 decoded string looks like an MD5 hash to me.

With hashcat -m 0 3bf1114a986ba87ed28fc1b5884fc2f8 rockyou.txt -d 1 I could crack the hash.

Well look at that, the hash is just my username!

So I went to CyberChef and tried something out.

That output should be the token of the admin, right?

Yes, that is the token of the admin! Flag secured! 🇧🇪
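The root cause, shown as an added example that is not part of the original writeup or the challenge's code: an audit check that flags session cookies derived from the username, next to a hardened issuer using opaque random IDs. The exact encoding (URL-encoded Base64 of the hex MD5 digest) and all function, class and user names are assumptions.

```python
import base64
import hashlib
import re
import secrets
from urllib.parse import quote, unquote

MD5_HEX = re.compile(r"[0-9a-f]{32}")


def legacy_token(username: str) -> str:
    """Cookie scheme as reconstructed from the writeup (encoding assumed)."""
    digest = hashlib.md5(username.encode()).hexdigest()
    return quote(base64.b64encode(digest.encode()).decode(), safe="")


def is_derived_from_username(cookie: str, username: str) -> bool:
    """Audit check: True if the cookie is only an encoding of MD5(username)."""
    try:
        decoded = base64.b64decode(unquote(cookie), validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return False  # not Base64 at all, so not this scheme
    if not MD5_HEX.fullmatch(decoded):
        return False
    expected = hashlib.md5(username.encode()).hexdigest()
    return secrets.compare_digest(decoded, expected)


class SessionStore:
    """Hardened form: opaque random IDs mapped to users on the server."""

    def __init__(self):
        self._sessions = {}

    def issue(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = username
        return sid

    def resolve(self, sid: str):
        # Unknown IDs resolve to None; nothing is computed from the cookie.
        return self._sessions.get(sid)
```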
