This lab uses a serialization-based session mechanism and is vulnerable to privilege escalation as a result. To solve the lab, edit the serialized object in the session cookie to exploit this vulnerability and gain administrative privileges. Then, delete Carlos's account.
You can log in to your own account using the following credentials: wiener:peter
Log in using your own credentials. Notice that the post-login GET / request contains a session cookie that appears to be URL and Base64-encoded. Send this request to Burp Repeater. Also, highlight the cookie value and, from the context menu, choose "Send to Decoder".
In Burp Decoder, select "Decode as" > "URL". On the new string, select "Decode as" > "Base64" to reveal that the cookie is a serialized PHP object.
Notice that the admin attribute contains b:0, indicating the boolean value false. Change this to b:1.
Select "Encode as" > "Base64", then "Encode as" > "URL". Copy the URL-encoded string to your clipboard.
In Burp Repeater, replace the session cookie with the modified one in your clipboard. Send the request.
Notice that the response contains a link to the admin panel at /admin.
Change the path of your request to /admin and resend it. Notice that the /admin page contains links to delete specific user accounts.
Change the path of your request to /admin/delete?username=carlos and send the request to solve the lab.
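The steps above work because the server stores the session state itself, not just a session identifier, in the cookie, and accepts whatever comes back without checking that it was the state it issued. The following Python is an added example, not part of the lab or of Burp Suite: it reproduces the URL/Base64 decoding from the steps, parses the PHP-serialized object with a small hand-written unserializer (the `User` class name, property names and the `SECRET_KEY` are constructed for the demo; the lab's real cookie has the same shape but different bytes), and then shows a hardened variant that appends an HMAC-SHA256 tag so the `b:0` to `b:1` edit is rejected before anything is deserialized.

```python
import base64
import hashlib
import hmac
import urllib.parse


def php_unserialize(data: str):
    """Parse a subset of PHP serialize() output (N, i, b, s, a, O) into Python values.

    Objects become dicts carrying the class name under "__class__". Only the
    constructs found in a typical session object are handled.
    """
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError(f"trailing data at offset {pos}")
    return value


def _read_length(data: str, pos: int):
    """Read the decimal number starting at pos; return (number, index of the ':' after it)."""
    end = data.index(":", pos)
    return int(data[pos:end]), end


def _parse(data: str, pos: int):
    tag = data[pos]
    if tag == "N":                                    # N;
        return None, pos + 2
    if tag in ("i", "b"):                             # i:42;  b:0;
        end = data.index(";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == "b" else num), end + 1
    if tag == "s":                                    # s:6:"wiener";
        length, pos = _read_length(data, pos + 2)     # pos is now the ':' before the quote
        start = pos + 2                               # skip ':"'
        text = data[start:start + length]             # PHP counts bytes; see latin-1 note below
        pos = start + length
        if data[pos:pos + 2] != '";':
            raise ValueError(f"malformed string at offset {pos}")
        return text, pos + 2
    if tag in ("a", "O"):                             # a:N:{...}  O:L:"Class":N:{...}
        result = {}
        pos += 2
        if tag == "O":
            name_len, pos = _read_length(data, pos)
            result["__class__"] = data[pos + 2:pos + 2 + name_len]
            pos += 2 + name_len + 2                   # skip ':"' + name + '":'
        count, pos = _read_length(data, pos)
        if data[pos + 1] != "{":
            raise ValueError(f"expected '{{' at offset {pos + 1}")
        pos += 2
        for _ in range(count):
            key, pos = _parse(data, pos)
            result[key], pos = _parse(data, pos)
        if data[pos] != "}":
            raise ValueError(f"expected '}}' at offset {pos}")
        return result, pos + 1
    raise ValueError(f"unsupported type tag {tag!r} at offset {pos}")


# --- The lab's scheme: Base64 then URL-encode, no integrity protection -----------

def encode_session_cookie(serialized: bytes) -> str:
    return urllib.parse.quote(base64.b64encode(serialized).decode("ascii"))


def decode_session_cookie(cookie: str):
    """Reverse the encoding and parse the object. latin-1 keeps byte offsets equal to
    character offsets, which is what the s:<len> field in PHP's format counts."""
    raw = base64.b64decode(urllib.parse.unquote(cookie))
    return php_unserialize(raw.decode("latin-1"))


def flip_admin_flag(cookie: str) -> str:
    """Reproduce the edit from the walkthrough (b:0 -> b:1) so both schemes can be compared."""
    raw = base64.b64decode(urllib.parse.unquote(cookie))
    return encode_session_cookie(raw.replace(b's:5:"admin";b:0;', b's:5:"admin";b:1;'))


# --- Hardened scheme: HMAC over the serialized bytes, verified before deserializing --

SECRET_KEY = b"constructed-demo-key"   # constructed; a real key is random and stays server-side


def make_signed_cookie(serialized: bytes, key: bytes = SECRET_KEY) -> str:
    tag = hmac.new(key, serialized, hashlib.sha256).hexdigest().encode("ascii")
    return encode_session_cookie(serialized + b"|" + tag)


def verify_signed_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the session object only if the tag verifies; None otherwise."""
    raw = base64.b64decode(urllib.parse.unquote(cookie))
    body, sep, tag = raw.rpartition(b"|")
    if not sep:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(expected, tag):
        return None                                   # tampered or forged: never deserialized
    return php_unserialize(body.decode("latin-1"))


# Constructed sample with the shape seen in the lab (class and property names assumed).
SAMPLE_SERIALIZED = b'O:4:"User":2:{s:8:"username";s:6:"wiener";s:5:"admin";b:0;}'
SAMPLE_COOKIE = encode_session_cookie(SAMPLE_SERIALIZED)

if __name__ == "__main__":
    print("unsigned, edited :", decode_session_cookie(flip_admin_flag(SAMPLE_COOKIE)))
    print("signed, edited   :", verify_signed_cookie(flip_admin_flag(make_signed_cookie(SAMPLE_SERIALIZED))))
```

The signature stops the edit described in the steps, but it only closes the tampering path: the server is still deserializing client-supplied bytes, and the session state is still readable in the cookie. The stronger fix is to keep the session object server-side and send the client only an opaque, random session identifier.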