WEBVERSE

Medium · Auth · Free

Skein

A small knitting and textile-crafts community where everyone is signed in for thirty days at a time. The "What we remember about you" panel is unusually transparent.

The Scenario

Skein is a volunteer-moderated forum for spinners, knitters and quilt-makers. Members hate logging in every time they swap a colourway, so the "Keep me signed in for 30 days" checkbox is on by default. The head moderator, who manages a small army of fibre-fest organisers, picked a memorable password back when the forum was just three friends and a Google sheet.

Challenge Intel

Synopsis

The "Keep me signed in" feature stores a reversible-structure cookie containing the username and an md5 of the password. The /account page openly displays the decoded structure as a transparency feature. There is no rate limit on the cookie verification path.

What It Is

On login with the "Keep me signed in" box ticked, the server issues an rmbr cookie of the form base64(username + ":" + md5_hex(password)). On every authenticated request, the server decodes the cookie, splits on ":", looks up the user row by username, and compares md5(user.password), computed fresh, against the hash in the cookie.

The /account page renders the decoded structure to the logged-in user as a "What we remember about you" feature, advertising the format. The /members page exposes the head moderator's username (loomweaver) via a "Head Moderator" badge. Their password is a top-50 rockyou candidate (password123).

The flag is rendered as a "Reconciliation reference" mono pill inside /admin/moderation, accessible to any user resolved as role=admin. With no rate limit, the player forges the cookie and brute-forces the password against /admin/moderation.

Who It's For

Junior Web Hacker path capstone. Players who have completed an easy auth challenge and are ready for a realistic stay-logged-in cookie attack modelled on PortSwigger's well-known lab.

Skills You'll Practice

  • Decoding a base64 stay-logged-in cookie
  • Identifying a reversible cookie structure from a UX disclosure
  • Forging an authentication cookie from a known username + wordlist
  • Brute-forcing without rate limiting using a small rockyou subset

What You'll Gain

  • Persistent-login cookies must use an opaque server-issued token, never an encoding of credentials
  • Transparency UX (showing users what's in their cookie) can leak the cookie shape to attackers
  • Any authenticated path must have rate limiting, especially fallback cookie verification
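As an added illustration, not Skein's own server code and not the PortSwigger lab's, the Python below puts the rmbr scheme from "What It Is" next to the two fixes listed in the takeaways: an opaque, server-stored token with a 30-day expiry, and a failure counter in front of the cookie-verification path. The user table, client keys, lifetime and limits are constructed placeholders chosen for this page; the table holds plaintext only because the page says the vulnerable path recomputes md5 over the stored password.

```python
from __future__ import annotations

import base64
import hashlib
import secrets

# Constructed placeholder user table (hypothetical values for this example).
# A real deployment would store a slow salted hash, never plaintext.
USERS = {
    "loomweaver": {"password": "password123", "role": "admin"},
    "purlwise": {"password": "correct horse battery staple", "role": "member"},
}

# ---- The rmbr scheme as the page describes it ---------------------------

def issue_rmbr_cookie(username: str, password: str) -> str:
    """base64(username + ":" + md5_hex(password)); no server secret involved."""
    raw = f"{username}:{hashlib.md5(password.encode()).hexdigest()}"
    return base64.b64encode(raw.encode()).decode()

def verify_rmbr_cookie(cookie: str) -> str | None:
    """Decode, split on ':', recompute md5 of the stored password, compare.

    Every input to the cookie is public (username) or guessable (password),
    so the server accepts cookies it never issued, and each failed check
    acts as a password oracle unless the path is throttled.
    """
    try:
        username, digest = base64.b64decode(cookie).decode().split(":", 1)
    except ValueError:  # bad base64, bad UTF-8, or no ':' separator
        return None
    user = USERS.get(username)
    if user is None:
        return None
    if hashlib.md5(user["password"].encode()).hexdigest() == digest:
        return username
    return None

# ---- Hardened: opaque server-issued token + failure throttling ----------

TOKEN_LIFETIME = 30 * 24 * 3600          # 30 days, matching the checkbox
SESSIONS: dict[str, dict] = {}           # sha256(token) -> {username, expires}

def issue_opaque_token(username: str, now: float) -> str:
    """Random token; the server keeps only its hash and an expiry."""
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    SESSIONS[key] = {"username": username, "expires": now + TOKEN_LIFETIME}
    return token  # set as HttpOnly; Secure; SameSite=Lax in a real app

def verify_opaque_token(token: str, now: float) -> str | None:
    """Nothing about the user is derivable from the token; lookup only."""
    rec = SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())
    if rec is None or now >= rec["expires"]:
        return None
    return rec["username"]

def revoke_user_sessions(username: str) -> int:
    """Password change or logout-everywhere: drop every token for the user."""
    doomed = [k for k, r in SESSIONS.items() if r["username"] == username]
    for k in doomed:
        del SESSIONS[k]
    return len(doomed)

class FailureLimiter:
    """Sliding-window count of failed cookie verifications per client key."""
    def __init__(self, max_failures: int, window: float):
        self.max_failures = max_failures
        self.window = window
        self._failures: dict[str, list[float]] = {}

    def _recent(self, key: str, now: float) -> list[float]:
        kept = [t for t in self._failures.get(key, []) if now - t < self.window]
        self._failures[key] = kept
        return kept

    def is_blocked(self, key: str, now: float) -> bool:
        return len(self._recent(key, now)) >= self.max_failures

    def record_failure(self, key: str, now: float) -> None:
        self._recent(key, now).append(now)

def authenticate_request(token: str, client_key: str, now: float,
                         limiter: FailureLimiter) -> tuple[str, str | None]:
    """Cookie-verification path guarded by the limiter, per the takeaways."""
    if limiter.is_blocked(client_key, now):
        return ("rate_limited", None)
    username = verify_opaque_token(token, now)
    if username is None:
        limiter.record_failure(client_key, now)
        return ("invalid", None)
    return ("ok", username)

if __name__ == "__main__":
    # Old scheme: a cookie built from public/guessable data verifies.
    print("rmbr:", verify_rmbr_cookie(issue_rmbr_cookie("loomweaver", "password123")))
    # New scheme: only a server-issued token verifies, and only until expiry.
    tok = issue_opaque_token("loomweaver", now=0.0)
    print("opaque fresh:", verify_opaque_token(tok, now=10.0))
    print("opaque expired:", verify_opaque_token(tok, now=TOKEN_LIFETIME + 1))
    print("forged:", verify_opaque_token("anything-else", now=10.0))
```

The `now` parameter is passed explicitly so expiry and throttling can be tested deterministically; in production it would be the request time. Hashing the stored token means a leaked session table does not yield usable cookies, and keying the limiter on a client identifier (IP or similar) is what turns the cookie check from an unthrottled oracle into a bounded one.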

Ready to hack Skein?

This challenge is free. Sign up and start hacking.