> For the complete documentation index, see [llms.txt](https://shadowforge.gitbook.io/shadowforge-writeups/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://shadowforge.gitbook.io/shadowforge-writeups/bugforge.io/readme.txt/daily-labs/brute-force/gift-list.md).

# Gift List

> This was the second time yours truly had the chance to host a lab on Bugforge, this time there was a cookie that needed some ***brute forcing***.

When we log in, the first obvious thing that we see is that the server hands out *adminAccessTokens*. Strange, but ok, why not.

<figure><img src="/files/z8ALK8XxJYPjQBSsVdl7" alt=""><figcaption></figcaption></figure>

Considering there is an *adminAccessToken*, that must mean that there is an admin endpoint right?

Best what we now can do is fuzz the application.

<figure><img src="/files/rzdrRlKjiXgqGWjA0lhB" alt=""><figcaption></figcaption></figure>

That's why `/admin` didn't work, the endpoint is `/administrator`, unfortunately, we get an access denied. When we go to the frontend, we'll see what we feared, the *adminAccessToken* isn't good. Now let's investigate that token. We send the login request to `Sequencer` and let it do it's magic.

<figure><img src="/files/l4cTunry4IwEumxr8lIZ" alt=""><figcaption></figcaption></figure>

Sequencer tells us that only the three last characters change, and if we check this manually, this pans out. So now we go to Intruder and Brute Force the token.<br>

<figure><img src="/files/i1iHgaMWkruFGbt5PK5l" alt=""><figcaption></figcaption></figure>

With the brute force, you'll see that on suffix `rls` you get a different response length.

When we now put that *adminAccessToken* in our cookies and refresh the page.

<figure><img src="/files/YhtoWo9QNt85Z7egd3aT" alt=""><figcaption></figcaption></figure>

We get the flag 🇧🇪
