Session Hijacking

What have you tried: Session Hijacking

What is the error: Phpinfo.php

What device is this on: Kali Linux

Hello, my problem is related to a capture-the-flag challenge. Actually, I don’t have any problems with the system in Kali Linux. I think the target vulnerability is Session Hijacking and we need to do it the hard way. I haven’t been able to solve it for 48 days. Is there anyone who can help me with this?

Hack The Box has good guides, and if you look on YouTube you’ll find videos posted by ipsec, who is the creator of lots of capture-the-flag problems. The videos cover older boxes that have normally been retired from the main platform, but it is the process you are learning, not specific boxes.

It’s great that you have struggled with it for 48 days; that shows the right kind of mindset to not give up. As Offsec say, try harder, but I appreciate that sometimes it’s nice to have a few pointers.

Another good platform, apart from Hack The Box, is the OWASP Foundation;

1 Like

Thank you for your interest, but I need to give some details. The problem I am facing is that the “phpinfo.php” file is open in the directories and HttpCookie is open here, it needs to be manipulated, but I could not write the correct code for it or there is an error in my system, I can give more details if you want.

You don’t need to give me any details; you need to learn some more…
Some simple session hijacks can be done in the browser using the developer tools, or you can use tools like Burp Suite to capture and manipulate cookies, etc.
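The reply above points at cookies handled by the browser's developer tools or an intercepting proxy. The defensive counterpart, added here as an illustration and not taken from this thread or any poster, is how a PHP application issues its session cookie so that page scripts cannot read it, it is never sent over plaintext, a server-chosen ID is not accepted from the client, and the ID is rotated at login. The `$_SESSION` keys and the function names are this example's own choices; the `session_start()` options are standard PHP settings.

```php
<?php
// Added example, not from the original thread: hardening PHP session
// cookies against the cookie-capture and cookie-manipulation route.
declare(strict_types=1);

// Weak configuration, shown only for contrast: the session ID is readable by
// document.cookie, sent over plain HTTP, attached to cross-site requests, and
// any client-supplied ID is accepted as a live session.
const WEAK_SESSION_OPTIONS = [
    'cookie_httponly'  => false,
    'cookie_secure'    => false,
    'cookie_samesite'  => '',
    'use_strict_mode'  => false,
    'use_only_cookies' => false,
];

// Hardened configuration.
const HARDENED_SESSION_OPTIONS = [
    'cookie_httponly'  => true,     // JavaScript cannot read the session cookie
    'cookie_secure'    => true,     // browser only sends it over HTTPS
    'cookie_samesite'  => 'Strict', // not attached to cross-site requests
    'use_strict_mode'  => true,     // reject IDs the server never issued
    'use_only_cookies' => false === false, // never take the ID from the URL (always true)
    'gc_maxlifetime'   => 1800,     // idle sessions expire after 30 minutes
];

/** Start the session with the hardened options (PHP >= 7.3 for samesite). */
function startHardenedSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_start(HARDENED_SESSION_OPTIONS);
}

/**
 * Call after credentials have been verified. Rotating the ID means any ID the
 * client held before authentication (a pre-set or captured cookie) stops
 * mapping to the authenticated session.
 */
function onSuccessfulLogin(string $userId): void
{
    session_regenerate_id(true);           // true = destroy the old session file
    $_SESSION['user_id']    = $userId;
    $_SESSION['started_at'] = time();
}

/** Returns true only for a session that was established through onSuccessfulLogin(). */
function isAuthenticated(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['started_at']);
}

/** Simple audit: which hardened settings are NOT in effect right now. */
function auditSessionSettings(): array
{
    $missing = [];
    foreach (['cookie_httponly', 'cookie_secure', 'use_strict_mode', 'use_only_cookies'] as $key) {
        if (!filter_var(ini_get('session.' . $key), FILTER_VALIDATE_BOOLEAN)) {
            $missing[] = $key;
        }
    }
    if (strcasecmp((string) ini_get('session.cookie_samesite'), 'Strict') !== 0) {
        $missing[] = 'cookie_samesite';
    }
    return $missing;
}

// Usage sketch for a login handler:
// startHardenedSession();
// if (credentialsAreValid($_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//     onSuccessfulLogin($_POST['user']);
// }
// print_r(auditSessionSettings()); // [] when every hardened setting is active
```

Two points worth noting alongside the code. First, `use_strict_mode` is what makes a client-chosen session ID worthless: without it, PHP happily creates a session under whatever ID the cookie carries. Second, the thread's other symptom, a reachable `phpinfo.php`, is a deployment issue rather than a session setting; the same audit mindset applies, namely remove diagnostic scripts from production document roots, since `phpinfo()` prints every one of the `session.*` values above along with paths and loaded modules.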

Yes, I did. Thank you for your interest and concern. I was able to solve it after 63 days.

2 Likes

Well done! As a matter of interest, which lab was it?

1 Like

Well done!
You have the right ethic, keep at it until you find a way, as Offsec say, ‘try harder’ 🙂

1 Like

Have a look at the official docs;

Sir, can you show me how to get past a WAF? It is giving me a headache, sir @Fred

The official language of this forum is English. You won't get any help in Vietnamese. Also, don’t tag individual posters.
Also, it’s ironic that you are asking about session hijacking in another user's thread. Don’t hijack other people's threads.

When asking any kind of question give as much detail as possible. The name of the WAF would be a start. We are not psychic.

Like any service, a WAF can be outdated, so it may have vulnerabilities. Learn about subjects like XSS and request forgery smuggling.