|You are here|
Day 1 - Inventory Management
Elves needed a way to submit their inventory - have a web page where they submit their requests and the elf mcinventory can look at what others have submitted to approve their requests. It’s a busy time for mcinventory as elves are starting to put in their orders. mcinventory rushes into McElferson’s office.
I don’t know what to do. We need to get inventory going. Elves can log on but I can’t actually authorise people’s requests! How will the rest start manufacturing what they want.
McElferson calls you to take a look at the website to see if there’s anything you can do to help. Deploy the machine and access the website at
http://<your_machines_ip>:3000 - it can take up to 3 minutes for your machine to boot!
Supporting material for the challenge is here!
- First go to http://10.10.70.239:3000/register and create an account.
- Now login (http://10.10.70.239:3000/login)
- Fire up the developer bar to see the cookies
Let’s generate a few more accounts and get the value of the
|Account||Cookie||Decoded value (base64)|
The common part of these cookies is
After accessing his account, what did the user mcinventory request?
We notice that the
authid cookie is concatenating the user account with a static string. It is easy to guess what
mcinventory authentication cookie will be:
$ echo -n 'mcinventoryv4er9ll1!ss' | base64 bWNpbnZlbnRvcnl2NGVyOWxsMSFzcw==
Let’s log in with one of the previous accounts we have created, and replace the
authid cookie value with the one just above.
We can see that mcinventory requested a