This lab uses a serialization-based session mechanism and is vulnerable to authentication bypass as a result. To solve the lab, edit the serialized object in the session cookie to access the administrator account. Then, delete Carlos.
You can log in to your own account using the following credentials: wiener:peter
Hint
To access another user's account, you will need to exploit a quirk in how PHP compares data of different types.
Log in using your own credentials. URL-decode and Base64-decode the session cookie to reveal a serialized PHP object.
Change the username to administrator and update the string length prefix of that attribute to 13 (the length of "administrator").
Change the access token to the integer 0. Remember to update the data type label by replacing s (string) with i (integer); an integer carries no length prefix. The modified object should look like this: O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}
Base64 and URL-encode the object. Copy the URL-encoded string to your clipboard.
In Burp Repeater, use your modified session cookie to access the administrator account and delete Carlos.
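As an added example that is not part of the lab, the following PHP shows the comparison the hint refers to: a loose token check that the integer 0 satisfies on PHP 7.x, beside a strict check that rejects it on every version. The User class shape, the function names and the $storedToken value are assumptions for illustration.

```php
<?php
// Added example, not the lab's own code. The class shape and token value are assumed.
class User {
    public $username;
    public $access_token;
}

// Weak check: loose comparison with ==. On PHP 7.x a non-numeric string is coerced
// to 0 when compared with an integer, so an access_token of i:0 matches any stored
// token. PHP 8.x changed this rule (the integer is compared as a string), so the
// same comparison fails there, but the check is still type-confused by design.
function checkTokenLoose(User $user, string $storedToken): bool {
    return $user->access_token == $storedToken;
}

// Hardened check: refuse anything that is not a string before comparing, then use
// hash_equals(), which requires two strings and compares them in constant time.
function checkTokenStrict(User $user, string $storedToken): bool {
    if (!is_string($user->access_token)) {
        return false;
    }
    return hash_equals($storedToken, $user->access_token);
}

// Constructed sample value; the lab's real token is different.
$storedToken = 'constructed-sample-token';

// The decoded, modified cookie from the walkthrough above, with access_token as i:0.
$serialized = 'O:4:"User":2:{s:8:"username";s:13:"administrator";s:12:"access_token";i:0;}';
$forged = unserialize($serialized, ['allowed_classes' => ['User']]);

var_dump(checkTokenLoose($forged, $storedToken));
var_dump(checkTokenStrict($forged, $storedToken));
```

The strict check closes the type-confusion route; the lab's underlying weakness, a session object rebuilt with unserialize() from an unsigned cookie the client controls, is addressed separately by signing the cookie or by not deserializing client-supplied data at all.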