main page
colocated page
Looking through the source code, it looks like the main page looks a lot like previous levels. If $_SESSION["admin"] == 1, then you'll get to see the passphrase for the next level.
source code for main page
If we assume that sessions are shared across the two site (since they're co-located), then any changes we make to the session of a user on the secondary website should affect the session of a user on the main page too.
If we submit the form on the CSS editor page and intercept it with BURP, we can add additional POST parameters -- specifically the "admin=1" bit:
If we note down the PHPSESSID variable for this session, and submit a request as that user on the main page, the PHP script will give us the password to Natas 22!
No comments:
Post a Comment