This challenge was solved, and the writeup written, by one of my teammates, aljasPOD.
Register with a single-letter username and a single-letter password. The resulting JSON:
which is encrypted with AES-CFB in 16-byte blocks:
and set as the cookie together with the IV.
XORing something into the ciphertext XORs the same thing into the corresponding plaintext bytes and fucks up the next block.
If we change the 3rd block from
(by XORing bytes 49-60 and cutting off the rest of the cookie), we will have what is needed to become admin.
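The CFB bit-flip described above, as an added example that is not part of the original writeup: it assumes a SHA-256-based stand-in for the AES block function (CFB only ever uses the cipher's forward direction, so the malleability is identical), a constructed JSON session and keys, and shows an HMAC tag as the fix that makes the flipped bytes detectable.

```python
import hashlib
import hmac
import json

BLOCK = 16

def block_fn(key, block):
    # Assumption: keyed stand-in for AES encryption of one block. CFB never
    # inverts the block cipher, so any keyed block function behaves the same.
    return hashlib.sha256(key + block).digest()[:BLOCK]

def cfb_xor(key, iv, data, decrypt):
    # Full-block CFB: keystream_i = E(previous ciphertext block), so it is a
    # stream mode: a truncated ciphertext still decrypts up to the cut.
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        res = bytes(a ^ b for a, b in zip(chunk, block_fn(key, prev)))
        out += res
        prev = chunk if decrypt else res
    return bytes(out)

def bitflip(cookie, offset, old, new):
    # XOR old^new into the ciphertext: the same XOR lands on the plaintext at
    # that offset, while the following block decrypts to garbage.
    buf = bytearray(cookie)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)

# Constructed sample: key, IV and a session padded with spaces to 4 blocks.
ENC_KEY = b"constructed-demo-key-not-secret!"
MAC_KEY = b"constructed-separate-mac-key!!!!"
IV = bytes(range(16))
PT = b'{"user":"a","password":"b","role":"guest"}'.ljust(64)
COOKIE = IV + cfb_xor(ENC_KEY, IV, PT, decrypt=False)

def open_cookie(cookie):
    return cfb_xor(ENC_KEY, cookie[:16], cookie[16:], decrypt=True)

def tampered_cookie():
    # "guest" sits at plaintext offset 35 (block 2); cut the cookie after that
    # block so the garbled block 3 never reaches the JSON parser.
    return bitflip(COOKIE, 16 + 35, b"guest", b"admin")[:16 + 48]

def role_of(cookie):
    return json.loads(open_cookie(cookie))["role"]

# Mitigation: authenticate the whole cookie; any flipped byte fails the tag.
def seal(cookie):
    return cookie + hmac.new(MAC_KEY, cookie, "sha256").digest()

def verify(sealed):
    body, tag = sealed[:-32], sealed[-32:]
    return hmac.compare_digest(hmac.new(MAC_KEY, body, "sha256").digest(), tag)
```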
Our code was (Delphi):