
We first logged in using the provided credentials with the “stay logged in” checkbox set:

Inspecting the cookies after login with Cookie Editor, we observed a stay-logged-in cookie had been set:

Running the cookie value through a hash identifier showed that it is not a hash at all but Base64 encoded:

Decoding it in CyberChef revealed the format username:hashedvalue:

We cracked the hash using CrackStation, which confirmed that the user's password is MD5 hashed and stored directly in the cookie.
We sent the request to Burp Repeater and then to Intruder, applying payload processing rules that rebuild the cookie for each candidate: first MD5 hash the password, then prefix it with carlos:, then Base64 encode the whole string. We ran a sniper attack with the loaded password list against the stay-logged-in cookie:

One response stood out with a 200 status code, meaning its generated cookie was accepted:

Copying the cookie value from that request into the browser gave us access to the Carlos account, solving the lab:
