Prompt
Conduct a security audit on the egov login panel.
Scope: Only HTTPS is in scope for this challenge; please do not attack any other ports on this server.
Walk-Through
Web security involves understanding the interaction between servers and clients, typically web browsers like Chrome, Firefox, or Safari. It’s important to understand web communication before understanding web security, so please read the “Web Communication Fundamentals” page to get up to speed on the basics.
After understanding how websites communicate, the first step in analyzing a web application is reconnaissance: identifying pages with security features to exploit or data to leak. Examples of this could be a login page, admin panel or search page.
Advanced reconnaissance includes locating unintended public pages and reviewing JavaScript code.
In this challenge, the website only has a single page that is navigable from the user interface - a login form.
All web-based challenges should be opened in a separate window to easily view the developer tools and to reduce confusion between resources on the Cyber Skyline website and the actual challenge website.
Guide
This guide will show examples using the Google Chrome developer tools. Developer tools are included in most modern browsers and provide access to data about the web page which is not easily accessible otherwise.
Developer tools also allow for the tampering of data stored by the website and manipulation of the code running in the browser.
From here, it is important to get a better understanding of how the page works by analyzing any data the website saves in the browser (cookies, localStorage) as well as viewing any source code, particularly JavaScript.
Go to the “Application” tab on the top of developer tools and click on “Cookies” from the left menu that appears. If you haven’t submitted anything to the form yet, this section will be empty because the server hasn’t received a login request from your client. Try submitting anything you like.
To change the cookie to “true”, look up the syntax for changing the value of cookies in JavaScript (JavaScript Cookies). Set the cookie to “true” using the “Console” tab. The cookie name is “admin”, so be sure to use that as your input.
Verify the value has been changed.
Another way to change the cookie from ‘false’ to ‘true’ is to double click in the value section where it says ‘false’ and type in ‘true’.
Refresh the page to ensure that the changes stay. No noticeable change in the page indicates that more must be done.
Analyzing the code for additional clues may be useful. This can be done directly in the developer console by going to the “Sources” tab. Alternatively, using “View Source” on the page can help identify what external scripts are being loaded on the page, but that is not necessary for this challenge.
There are a number of sources; however, the login.js script looks interesting. You can see that this script defines what happens when a login is successful or fails.
The login.js source indicates that users are redirected to /admin after a successful login. The naming of the /admin page on line 7 indicates that this may be a sensitive page that has information of interest. Add /admin to the end of your page URL and see if we’re able to see anything.
If the cookie was changed correctly and the URL is changed, you will be brought to the admin panel and receive the flag!
Another solve path is to enter any password with ‘admin’ as the username in the webpage after changing the cookie to ‘true’. After submitting you’ll be brought to the page shown above.
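The root cause is that the server decides who is an admin from a cookie value the browser can rewrite. The following is an added example, not code from the challenge or from Cyber Skyline: a Node.js sketch that puts that weak check beside a hardened one, where the role travels in a cookie carrying an HMAC only the server can compute. Only the “admin” cookie name comes from this page; the function names, the “session” cookie name and the secret are assumptions, and expiry and revocation are left out to keep the focus on integrity.

```javascript
const crypto = require('node:crypto');

// Constructed server-side secret; it never leaves the server.
const SECRET = crypto.randomBytes(32);

// Parse a Cookie request header into a { name: value } object.
function parseCookies(header = '') {
  const out = {};
  for (const part of header.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Weak: the pattern this challenge exploits. The browser controls the value.
function isAdminWeak(cookieHeader) {
  return parseCookies(cookieHeader).admin === 'true';
}

// HMAC-SHA256 over the encoded payload, keyed with the server secret.
function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Called only after credentials were verified; returns "payload.mac".
function issueSession(user, role) {
  const payload = Buffer.from(JSON.stringify({ user, role })).toString('base64url');
  return `${payload}.${sign(payload)}`;
}

// Hardened: the role is trusted only if the MAC over it verifies.
function isAdminHardened(cookieHeader) {
  const [payload, mac] = (parseCookies(cookieHeader).session || '').split('.');
  if (!payload || !mac) return false;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  if (given.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(given, expected)) return false;
  try {
    return JSON.parse(Buffer.from(payload, 'base64url').toString()).role === 'admin';
  } catch {
    return false;
  }
}
```

With the hardened check, editing the cookie in developer tools changes the payload but not the MAC, so the request is treated as unauthenticated.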
Useful resources for this challenge:
- JavaScript Cookies: https://www.w3schools.com/js/js_cookies.asp
- Computer Fundamentals for Cybersecurity
- Use the Tutorial Video below
Tutorial Video
Watch our Tutorial Video to learn more about web cookies and see a walkthrough of how to solve this challenge:
Cyber Skyline Live - Manipulating Web Cookies - March 3, 2022
In Cyber Skyline Live - Manipulating Web Cookies, you'll learn from Franz Payer, CEO of Cyber Skyline, about common security risks associated with browser cookies and manipulating a browser cookie to bypass security on a website. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.
Questions
1. What is the flag obtained from logging in?
Open the egov webpage in a separate tab, then open the developer tools in your browser, run document.cookie = 'admin=true' to set the admin value to true in your cookies, and then add /admin to the end of the URL.
©️ 2025 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.