Changing Client Cookie – Hack The Admin User (Mutillidae: Level Low)


Hello Cyberman,

This article is about changing and stealing the browser cookie information for a session.

I would like to say that it is not a common web vulnerability… But it can still happen.


First of all, the following will be used for this type of vulnerability:

Click the above to download.

What is Metasploitable?

It is a vulnerable machine and an operating system that contains different websites and various vulnerabilities.

What is Firefox Browser?

It is a very popular browser. This browser is not required, but a developer plug-in is required.

What is VMware Workstation Player?

It is a program designed to enable working with a virtual machine.

Installation And Preparation.

  • Install Firefox.
  • Install VMware.
  • And install the Metasploit files you downloaded by selecting them from the “Open Virtual Machine” tab.

If everything is ok, let’s get started!

When we log in to Metasploit, an image like the picture above will appear. Then type “ifconfig” in the terminal to learn the system's IP address.

Yes, my system IP address: Your system's IP address may be different.

Now let’s open the browser and enter the IP address in the URL field.

The website will appear. Let’s click on “Mutillidae” from the list.

As can be seen in the picture above, the site that hosts various web vulnerabilities appears.

As seen in the picture above, the red area says that no user is logged in.
Let’s click on the marked area in the yellow area and create a user record. On the page that opens, fill in the green areas with the user information.

Now let’s log in with the user. I created a user named “S4M”, but he is not an admin.

I logged in with the user “S4M” as seen in the picture above.
Let’s press the “F12” key to open the developer options and see what is being saved to or pulled from the “cookie” information in my browser. (Info: click for detailed information about cookies; that article is in Turkish.)

Click on “Storage” in the red area as seen in the picture above.

Let’s click on the red area as seen in the picture above and open the cookies. The parts that appear in the green area are the cookie information left by this site in your browser.

A website can track cookies in the client computer’s browser.
However, it should be noted that cookies from the client computer can be edited.

As seen in the red field in the picture above, change the value “17” in the “uid” section by entering “1” or any numeric value you want. (You may have another value, for example: 15, 18, 2, 3, etc.)

Then please refresh the website by pressing “F5” on your keyboard.

We refresh the site with our new cookie information and resend our values.

Bingo! Now we are admin. It is seen in the yellow area in the picture above.

Be careful. Cookies in the systems are important for both the web developer and the victims.
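Why the edit works, and one way a server can reject it, as an added example that is not from the original article or from Mutillidae's own code: the weak lookup trusts the number in the “uid” cookie, while the hardened one only accepts a uid that carries a MAC issued by the server at login. The user table, the key handling and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: uid 1 is the admin, uid 17 is the ordinary user.
USERS = {1: "admin", 17: "S4M"}
SECRET_KEY = secrets.token_bytes(32)  # stays on the server, never sent to the client


def _tag(uid_text):
    """HMAC-SHA256 over the uid, hex encoded."""
    return hmac.new(SECRET_KEY, uid_text.encode(), hashlib.sha256).hexdigest()


def user_from_plain_cookie(cookies):
    """Weak pattern: the identity is whatever number the browser sends."""
    return USERS.get(int(cookies["uid"]))


def issue_cookie(uid):
    """At login, bind the uid to a MAC that only the server can compute."""
    return {"uid": f"{uid}.{_tag(str(uid))}"}


def user_from_signed_cookie(cookies):
    """Return the user name, or None if the cookie is missing, malformed or edited."""
    uid_text, sep, tag = cookies.get("uid", "").partition(".")
    if not sep or not (uid_text.isascii() and uid_text.isdigit()):
        return None
    # Constant-time comparison of the received tag with the expected one.
    if not hmac.compare_digest(tag.encode(), _tag(uid_text).encode()):
        return None
    return USERS.get(int(uid_text))


def demo():
    edited_plain = {"uid": "1"}               # the edit made in the Storage tab
    issued = issue_cookie(17)                 # cookie the server gave to S4M
    old_tag = issued["uid"].split(".", 1)[1]
    edited_signed = {"uid": "1." + old_tag}   # same edit, tag left unchanged
    return (
        user_from_plain_cookie(edited_plain),
        user_from_signed_cookie(issued),
        user_from_signed_cookie(edited_signed),
    )


if __name__ == "__main__":
    print(demo())  # ('admin', 'S4M', None)
```

Keeping only a random session identifier in the cookie and looking the user up on the server is the other common fix; in both cases the value the browser can edit no longer decides who the user is.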

Have a nice day with lots of informatics 🙂
