
Alex Kharouk

Advent of Cyber: A Prequel

# Ho, ho, ho!

It's that time of year again, when resolutions are starting to formulate, our bad habits are being picked on (swearing we will stop them in the new year), and we wonder where the hack did the year go?! For me, this festive season starts earlier than usual, with a kickstart in learning cybersecurity and hacking.

Having used TryHackMe for a couple of years (more off than on), I really enjoy learning how to hack boxes. I think cybersecurity is uber important, and I believe that as a software developer one needs to be able to secure their applications, websites, and themselves.

With that said, I'm too impatient to wait for December 1st, when the team at TryHackMe hosts their yearly 'Advent of Cyber'! I'm thinking... an advent for the advent!

I'll be following along with this room. From what I can see, you can do the challenges without a subscription to the platform, but you will need to set up the connection on your local machine yourself. That will require using OSS like openvpn, having access to the tools we might use, like nmap, and making sure you can connect to the boxes on offer, such as "Santa's Christmas Console".

## Day One - A Christmas Crisis

A malicious actor has decided to attack the Man himself... Santa! Just weeks before Christmas, it seems whoever or whatever is out to destroy the festive spirit knows their stuff.

Looks like the assembly line is down, and we need to hack back into Santa's special admin account. He's the only one who can turn it back on, and without the assembly line, well... We mustn't find out, my friends.

A flashy elf by the name of McSkidy gives us an assignment that contains information on how the Internet (very briefly) works, and some information on what HTTP/S is. As we glaze over and skim the dossier, we throw it to the side, because all we really want to do is hack!

The elf skitters towards the dossier, and reminds us of another key thing. Cookies.

## Santa loves Cookies

For this first day challenge, we are investigating web exploitation, and dealing with cookies. In particular, we are looking at authorisation or session cookies, and how editing them could potentially lead to an escalation of privileges (if you have the Admin's auth cookie!). I see where this is going.. In order to save Christmas, we first must hack Santa ourselves, before we hack the coal-deserving abusers.

I visit the web page that holds the application. I see a login screen. I try registering as santa and see that the username is already taken. I create my own account, and can log in. I am greeted with this:


According to the dossier, I should investigate the cookies. I see one was added when I registered an account:

```
auth: "...7b222...",
"expires/max-age": "Session",
// ...
```

The name of the cookie is auth, and the value looks like a hex-encoded string (not so safe: hex is an encoding, not encryption, so anyone holding the cookie can read it). Decoding the hex to text gives what looks like a JSON object:

```json
{
  "company": "The Best Festival Company",
  "username": "myUsername"
}
```

It records the name of Santa's company, as well as my username. Hmm, I wonder what happens if I hex-encode a username with the value santa? I replace the username and get an encoded hex output. I edit the current cookie value, and refresh the page.
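To make the weakness concrete, here is an added example (my own code, not from the room or the original post) that decodes a constructed copy of the auth cookie, shows why a plain hex-encoded JSON cookie can be rewritten by whoever holds it, and contrasts it with an HMAC-signed cookie that the server can verify. The server secret and the sample cookie values are assumptions made up for the example.

```python
import binascii
import hashlib
import hmac
import json

# Constructed sample of what the page's unsigned cookie looks like: hex-encoded JSON.
SAMPLE_SESSION = {"company": "The Best Festival Company", "username": "myUsername"}


def encode_auth_cookie(session: dict) -> str:
    """Build the weak cookie exactly as the app does: JSON -> bytes -> hex."""
    return binascii.hexlify(json.dumps(session).encode()).decode()


def decode_auth_cookie(hex_value: str) -> dict:
    """Hex is an encoding, not a secret: any client can reverse it."""
    return json.loads(binascii.unhexlify(hex_value))


def weak_server_user(cookie: str) -> str:
    """Unsigned scheme: the server trusts whatever username the cookie carries."""
    return decode_auth_cookie(cookie)["username"]


# Hardened variant: append an HMAC tag computed with a secret only the server holds.
SERVER_SECRET = b"hypothetical-server-secret"  # assumption: never sent to the client


def sign_cookie(session: dict, secret: bytes = SERVER_SECRET) -> str:
    payload = encode_auth_cookie(session)
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(value: str, secret: bytes = SERVER_SECRET):
    """Return the session dict only if the tag matches the payload, else None."""
    try:
        payload, tag = value.rsplit(".", 1)
    except ValueError:
        return None  # malformed: no tag at all
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # payload was edited after signing
    return decode_auth_cookie(payload)
```

With signing in place, editing the username in the payload invalidates the tag, so the server falls back to an unauthenticated session instead of the edited identity.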

### Boom, I'm back in control.


There it is, our first flag of the festive season.