salem987
3 years ago

2

Hello!

I am stuck with the secureus level. I have successfully injected some code to retrieve the admin cookie. The code works fine since I receive my own cookie in the server but I am not receiving the one from the admin. Should I just keep waiting? Or am I doing something wrong?

mortfeus
3 years ago

2

Yes, there is a problem on the level. We are all waiting for @flabbyrabbit to resolve it.

Luke [flabbyrabbit]
3 years ago

6

… 16 months later …

This should be fixed now. Go to: https://defendtheweb.net/extras/playground/secure-us/contact.php?view=1 or submit a new message to kick off the process

Reply has been removed
mortfeus
3 years ago | edited 3 years ago

1

@flabbyrabbit YES, finally I got what I wanted. I change the value, but when it seems to be completed it says “Level not found”. Maybe there is some Hackthis URL in the level.

Luke [flabbyrabbit]
3 years ago

1

Woop, progress. The link that redirected you back to the level was wrong. I’ve updated now if you can give it another try

mortfeus
3 years ago

1

Wait, can I PM you?

Alexander Myasnikov [amyasnikov]
a year ago | edited a year ago

1

I have the same problem.
I only receive my cookies but not the admin cookies.
Can you tell me if the problem is that the site is not working properly, or if I am on the wrong track…

I can send my decision in PM for review.


1

That is strange, I completed the challenge a few months ago. Are you perhaps using something obvious, like a visible redirect?

Alexander Myasnikov [amyasnikov]
a year ago | edited a year ago

1

My attempts.

I wrote an [spoil]
Then when I open contact.php in a browser, it creates an http request of the form webhook.site/<uuid>?cookies=<cookies_in_base64> via tag <script>.

I expect the admin to open this page the same way and I get his cookies. Then by swapping the cookies I can log in as admin.

[spoil]

🐉 [Cheerfulbull]
a year ago

1

PM me. I think you’re on the right track, and at this rate we’re going to spoil the challenge for others.

thecyphervault
a year ago

1

I think this level did something stupid for me, like putting my cookie session’s token and the one I am stealing within the same cookie. If you have done all of that the challenge should be finished.

nfm
a year ago

1

Hello!

I believe I’m hitting the same problems here.

When I get the SecureSess and PHPSESSID I inject them on the browser, but it says “Session has expired, user logged out”.

How come the session is already expired? Am I missing any step?

nfm
a year ago

1

Update:
Now the payload triggers once I input it on my browser, but not from the “admin” view. I don’t receive the SecureSess cookie.

🐉 [Cheerfulbull]
a year ago

1

How stealthy is your payload?

nfm
a year ago

0

It is quite stealthy. Can I paste it here?

🐉 [Cheerfulbull]
a year ago

1

Can you PM me instead?
