We participated in the 29C3 CTF; here is a writeup for
This website is some kind of password manager.
You can register a new user, but you cannot register "admin", which is needed to win the flag. When you log in, a cookie named "session" is created. The cookie looked like
The orange part is some static md5, uncrackable for me. The green part is your md5($username) and the red part is md5($ip).
It is obvious we could make a cookie for the admin user, but we didn't know the IP. There was a self-XSS which we tried to exploit (maybe the admin reads passwords, who knows ^^), but it didn't work. After a few hours we finally got the solution - the Apache status page. It was located on http://22.214.171.124/server-status/, and from there we could get the IP of the user who requested /admin/ - it was 126.96.36.199
Now, to construct the final cookie:
static + md5("admin") + md5("188.8.131.52")
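Why the cookie layout above is forgeable, and what a keyed alternative looks like, as an added example that is not code from the challenge. The static value, the server key, the `|`-separated signed format, the IP-binding check and the sample usernames and documentation-range IPs are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the static md5 part; the real value is not on the page.
STATIC = hashlib.md5(b"constructed-static-value").hexdigest()
# Hypothetical server-side secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()


def weak_cookie(username: str, ip: str) -> str:
    """Layout from the writeup: static + md5(username) + md5(ip), no key."""
    return STATIC + md5_hex(username) + md5_hex(ip)


def rebuild_from_public_parts(own_cookie: str, username: str, ip: str) -> str:
    """Any valid cookie yields another user's: the 32-character static prefix
    is shared, and the other two fields are unkeyed hashes of known values."""
    return own_cookie[:32] + md5_hex(username) + md5_hex(ip)


def signed_cookie(username: str, ip: str, key: bytes = SERVER_KEY) -> str:
    """Hardened form: readable payload plus an HMAC-SHA256 tag."""
    payload = f"{username}|{ip}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_signed(cookie: str, request_ip: str, key: bytes = SERVER_KEY):
    """Return the username if the tag verifies and the IP matches, else None."""
    try:
        username, ip, tag = cookie.rsplit("|", 2)
    except ValueError:
        return None  # not three fields: malformed cookie
    expected = hmac.new(key, f"{username}|{ip}".encode(), hashlib.sha256).hexdigest()
    # Compare as bytes so a non-ASCII tag cannot raise inside compare_digest.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return username if ip == request_ip else None
```

With the keyed tag, learning the admin's IP from an exposed status page no longer suffices to build the cookie; restricting /server-status/ to local or trusted addresses is still needed to stop the leak itself.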