CTF | Very Easy

HackThisSite — Basic Mission 10

ducky
2026-05-19

Reconnaissance

Submitted a random password → got:

You are not authorized to view this page

Opened DevTools → Storage → Cookies and spotted:

Name                Value
level10_authorized  no

The entire access control decision is made client-side via a cookie value.


Exploitation

  1. Open DevTools → Storage → Cookies
  2. Find level10_authorized
  3. Change the value from no to yes
  4. Refresh the page

Congratz!


Root Cause

Authorization state stored in an unprotected, user-writable cookie. No server-side session validation — the server blindly trusts the cookie value.


Key Takeaway

Never store authorization decisions in client-side cookies without cryptographic signing (e.g. HMAC). Any cookie the user can edit must never control access to protected resources.
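To make the takeaway concrete, here is an added example (not part of the original writeup) contrasting the Mission 10 style check with one that only accepts a cookie carrying a valid HMAC-SHA256 tag. The secret key, cookie format and function names are assumptions for illustration.

```python
import hashlib
import hmac

# Assumed server-side secret for this illustration; a real deployment loads it
# from configuration or a secrets manager and never hard-codes it.
SECRET_KEY = b"example-server-secret-do-not-use"


def is_authorized_vulnerable(cookies: dict) -> bool:
    """The Basic Mission 10 flaw: trust whatever value the client sends."""
    return cookies.get("level10_authorized") == "yes"


def make_signed_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Return '<value>.<hex tag>' where tag = HMAC-SHA256(key, value)."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_signed_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the value if the tag matches, else None (malformed or tampered)."""
    value, sep, tag = cookie.rpartition(".")  # the hex tag never contains '.'
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison time independent of where bytes differ
    if not hmac.compare_digest(expected, tag):
        return None
    return value


def is_authorized_hardened(cookies: dict, key: bytes = SECRET_KEY) -> bool:
    """Only a cookie the server itself signed with value 'yes' grants access."""
    cookie = cookies.get("level10_authorized")
    if cookie is None:
        return False
    return verify_signed_cookie(cookie, key) == "yes"


if __name__ == "__main__":
    edited = {"level10_authorized": "yes"}  # the DevTools edit from the writeup
    print(is_authorized_vulnerable(edited))  # True: client decides
    print(is_authorized_hardened(edited))    # False: no valid tag
    issued = {"level10_authorized": make_signed_cookie("yes")}
    print(is_authorized_hardened(issued))    # True: server-issued cookie
```

Signing only guarantees integrity of the value; keeping the authorization state in a server-side session keyed by an opaque session id, as the Root Cause section implies, avoids putting the decision in the cookie at all.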
