  • Very Easy
  • Released 01 Apr 2025

Hack the Cookie - Walkthrough

A detailed step-by-step guide to solving the lab and capturing the flag.

Lab Overview

This lab introduces you to cookie manipulation techniques and how they can be used to bypass authentication mechanisms in web applications.

  • Platform: HackerDna
  • Lab Name: Hack the Cookie
  • Difficulty: Very Easy
  • Target URL: https://hack-the-cookie.tiiny.io
  • Objective: Manipulate cookies to gain admin access and retrieve the flag

Step 1: Exploring the Website

First, let's understand what we're working with by exploring the website and its authentication mechanism.

Accessing the Website

Navigate to the target URL using your web browser:

https://hack-the-cookie.tiiny.io

Upon visiting the site, you'll see a login form. Notice that the form already has credentials pre-filled:

  • Username: guest
  • Password: guest

These pre-filled credentials suggest that we're meant to use them as a starting point. In real-world scenarios, default or guest accounts often have limited access that we can leverage to gain more privileges.

Step 2: Logging in as Guest

Let's use the provided guest credentials to gain initial access to the system.

Login Process

  1. Verify that the username field contains "guest"
  2. Verify that the password field contains "guest"
  3. Click the "Login" button

After logging in, you should be redirected to an employee guest interface. This interface likely has limited functionality compared to what administrators can access.

When a web application authenticates a user, it often stores session information in cookies. These cookies are sent with each request to the server and determine what the user can access. By examining these cookies, we might find a way to elevate our privileges.

Step 3: Examining the Cookies

Now that we're logged in, let's examine the cookies that were set during the authentication process.

Accessing Browser Developer Tools

To view cookies in your browser:

  1. Right-click anywhere on the page
  2. Select "Inspect" or "Inspect Element"
  3. Navigate to the "Application" tab (in Chrome) or "Storage" tab (in Firefox)
  4. Expand "Cookies" in the left sidebar and select the website domain

Alternatively, you can use keyboard shortcuts:

  • Chrome: Press F12 to open Developer Tools, then go to Application → Cookies
  • Firefox: Press F12 to open Developer Tools, then go to Storage → Cookies

Identifying the Session Cookie

Looking at the cookies, we find one named user_session with the following value:

eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6Imd1ZXN0IiwiZW1haWwiOiJndWVzdEB0ZWNoY29ycC5sb2NhbCJ9

This long string looks encoded, and its name suggests it contains information about our user session. In web security testing, it's common to examine such values to understand how the application manages user sessions and permissions.

Step 4: Decoding the Cookie

The cookie value appears to be encoded, most likely with Base64, which is common in web applications. Let's decode it to see what information it contains.

Decoding Base64

There are several ways to decode Base64:

Method 1: Using an Online Tool

  1. Visit a Base64 decoder website like base64decode.org
  2. Paste the cookie value: eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6Imd1ZXN0IiwiZW1haWwiOiJndWVzdEB0ZWNoY29ycC5sb2NhbCJ9
  3. Click "Decode"

Method 2: Using Browser Console

  1. Open browser developer tools (F12)
  2. Go to the "Console" tab
  3. Enter this command and press Enter:

    atob("eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6Imd1ZXN0IiwiZW1haWwiOiJndWVzdEB0ZWNoY29ycC5sb2NhbCJ9")

Method 3: Using Command Line

In a terminal or command prompt, run:

echo eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6Imd1ZXN0IiwiZW1haWwiOiJndWVzdEB0ZWNoY29ycC5sb2NhbCJ9 | base64 -d

Decoded Cookie Content

After decoding, we can see that the cookie contains a JSON object with user information:

{"user_id":1,"username":"guest","role":"guest","email":"guest@techcorp.local"}

This is a significant discovery! The cookie contains a role field set to guest, which likely determines what parts of the application we can access. If we could change this role to admin, we might gain administrative privileges.

Step 5: Modifying the Cookie

Now that we understand the cookie's structure, let's modify it to elevate our privileges from "guest" to "admin".

Changing the Role Value

We need to modify the JSON object by changing the role value from guest to admin:

{"user_id":1,"username":"guest","role":"admin","email":"guest@techcorp.local"}

Encoding the Modified JSON

Now we need to encode this modified JSON back to Base64:

Method 1: Using an Online Tool

  1. Visit a Base64 encoder website like base64encode.org
  2. Paste the modified JSON: {"user_id":1,"username":"guest","role":"admin","email":"guest@techcorp.local"}
  3. Click "Encode"
  4. The result should be: eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6ImFkbWluIiwiZW1haWwiOiJndWVzdEB0ZWNoY29ycC5sb2NhbCJ9

Method 2: Using Browser Console

  1. Open browser developer tools (F12)
  2. Go to the "Console" tab
  3. Enter this command and press Enter:

    btoa('{"user_id":1,"username":"guest","role":"admin","email":"guest@techcorp.local"}')

Method 3: Using Command Line

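In a terminal, run the command below. GNU base64 wraps its output at 76 characters, so the newlines are stripped to give a single-line value:

printf '%s' '{"user_id":1,"username":"guest","role":"admin","email":"guest@techcorp.local"}' | base64 | tr -d '\n'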

Step 6: Replacing the Cookie Value

Now we need to replace the original cookie value with our modified one.

Modifying the Cookie in Browser

  1. In the browser developer tools, go back to the "Application" tab (Chrome) or "Storage" tab (Firefox)
  2. Find the user_session cookie
  3. Double-click on its value to edit it
  4. Replace the value with our modified Base64 string:
    eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6ImFkbWluIiwiZW1haWwiOiJndWVzdEB0ZWNoY29ycC5sb2NhbCJ9
  5. Press Enter to save the change

Step 7: Accessing the Admin Interface

With our modified cookie in place, we need to refresh the page to see if our privilege escalation was successful.

Reloading the Page

Simply refresh the page by:

  • Pressing F5
  • Clicking the refresh button in your browser
  • Right-clicking and selecting "Reload"

After refreshing, the page should now display the admin interface instead of the guest interface. This confirms that our cookie manipulation was successful and we've elevated our privileges from guest to admin.

The admin interface should contain the flag we're looking for. It might be displayed prominently on the page or you might need to look around a bit to find it.

The flag will likely be in a UUID format, similar to:

12345678-abcd-1234-efgh-123456789012

Copy this flag exactly as shown - it's case-sensitive and includes all dashes.

Key Takeaways

This lab demonstrates several important web security concepts:

  • Client-side authorization is insecure: When access control is determined by values that users can modify (like cookies), it creates a significant security vulnerability.
  • Encoding is not encryption: Base64 encoding is easily reversible and should never be used to protect sensitive information.
  • Improper session management: Applications should validate user roles and permissions on the server side with each request, not rely solely on client-provided values.
  • Cookie security: Sensitive cookies should be protected with flags like HttpOnly and Secure, and their values should be cryptographically signed to prevent tampering.

Real-World Relevance: Cookie manipulation vulnerabilities are common in real-world applications. Developers sometimes store user roles or permissions directly in cookies without proper validation, allowing attackers to elevate their privileges by simply modifying cookie values.
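
Added example (not part of the lab or the original walkthrough): a Python sketch of the server-side check the takeaways describe, with the trusting role lookup the lab implies beside a cookie protected by an HMAC-SHA256 tag. The function names, SECRET_KEY and the "payload.tag" cookie layout are assumptions; the lab's actual server code is not shown on the page.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key (assumption). A real server loads a long random secret from config.
SECRET_KEY = b"constructed-demo-key"

# The two user_session values quoted in the walkthrough above.
GUEST_COOKIE = "eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6Imd1ZXN0IiwiZW1haWwiOiJndWVzdEB0ZWNoY29ycC5sb2NhbCJ9"
ADMIN_COOKIE = "eyJ1c2VyX2lkIjoxLCJ1c2VybmFtZSI6Imd1ZXN0Iiwicm9sZSI6ImFkbWluIiwiZW1haWwiOiJndWVzdEB0ZWNoY29ycC5sb2NhbCJ9"
GUEST_SESSION = {"user_id": 1, "username": "guest", "role": "guest",
                 "email": "guest@techcorp.local"}

def role_trusting(cookie):
    """Pattern the lab implies: the role is taken from client-supplied data as-is."""
    return json.loads(base64.b64decode(cookie))["role"]

def _tag(payload):
    """HMAC-SHA256 over the encoded payload, hex-encoded."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()

def issue_signed(session):
    """Hardened form: Base64 payload plus a tag only the server can compute."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    payload = base64.urlsafe_b64encode(raw).decode()
    return payload + "." + _tag(payload)

def role_verified(cookie):
    """Return the role only when the tag matches; None for unsigned or altered cookies."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep or not hmac.compare_digest(_tag(payload).encode(), tag.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["role"]

def swap_payload(signed_cookie, new_payload):
    """Model the lab's edit on a signed cookie: payload replaced, old tag kept."""
    return new_payload + "." + signed_cookie.rpartition(".")[2]

if __name__ == "__main__":
    signed = issue_signed(GUEST_SESSION)
    print(role_trusting(ADMIN_COOKIE))                        # edited cookie is accepted
    print(role_verified(signed))                              # untouched cookie verifies
    print(role_verified(swap_payload(signed, ADMIN_COOKIE)))  # edited payload is rejected
```

The tag stops tampering but the payload stays readable, since Base64 is only an encoding. Keeping the role in a server-side session store keyed by a random session ID avoids exposing or trusting it at all.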