Old Sessions

Published: March 20, 2026

Description

Proper session timeout controls are critical for securing user accounts. If a user logs in on a public computer but doesn't log out, and session expiration dates are misconfigured, the session may remain active indefinitely -- allowing an attacker to access the account without credentials.

Launch the challenge instance and open the web application.

Create an account or log in to explore the session management.

Solution

  1. Step 1: Enumerate session endpoints
    Explore the application for any endpoints that expose active or historical sessions. Try accessing /sessions, /admin/sessions, or similar paths.
    curl http://HOST:PORT/sessions
    curl http://HOST:PORT/admin/sessions
  2. Step 2: Find the admin session
    The /sessions endpoint lists active sessions with their tokens. Find the admin user's session token -- it has never been invalidated due to the misconfigured timeout.
  3. Step 3: Hijack the admin session
    Use the admin's session token as a cookie to authenticate as admin without knowing the password.
    curl -b 'session=ADMIN_SESSION_TOKEN' http://HOST:PORT/admin
    curl -b 'session=ADMIN_SESSION_TOKEN' http://HOST:PORT/flag

Flag

picoCTF{s3ss10n_t1m30ut_...}

The admin's session token is visible at /sessions and never expires due to a misconfigured session timeout.
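The two defects the challenge relies on are a session that never expires and a listing endpoint that hands out raw tokens. The following is an added example, not the challenge's own code, of a server-side session store that closes both gaps: every lookup enforces an idle timeout and an absolute lifetime, logout invalidates immediately, and the admin-facing listing exposes only metadata and a short hash prefix, never the token itself. The timeout values, the in-memory store and the injectable clock are assumptions chosen for the example.

```python
"""Server-side session store with idle and absolute timeouts.

Added example (not the challenge's code). The server stores only a
hash of each token, so a leaked session listing cannot be replayed,
and expiry is checked on every request rather than trusted to a
background job that may be misconfigured.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT = 15 * 60       # assumed: expire after 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 3600  # assumed: expire 8 hours after login, active or not


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    token_hash: str  # only the SHA-256 of the token is kept server-side


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock                       # injectable for deterministic tests
        self._sessions: Dict[str, Session] = {}   # keyed by token hash

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.last_seen > IDLE_TIMEOUT
                or now - s.created > ABSOLUTE_TIMEOUT)

    def create(self, user: str) -> str:
        """Issue a fresh random token; return it once, store only its hash."""
        token = secrets.token_urlsafe(32)
        h = self._digest(token)
        now = self._clock()
        self._sessions[h] = Session(user, now, now, h)
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Return the user for a live session, or None.

        Expired sessions are deleted on first touch, so a token that
        outlived its timeout can never authenticate a request.
        """
        h = self._digest(token)
        s = self._sessions.get(h)
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            del self._sessions[h]
            return None
        s.last_seen = now  # sliding idle window; absolute lifetime is unchanged
        return s.user

    def logout(self, token: str) -> bool:
        """Invalidate immediately; returns False if the session was already gone."""
        return self._sessions.pop(self._digest(token), None) is not None

    def sweep(self) -> int:
        """Purge every expired session; returns how many were removed."""
        now = self._clock()
        dead = [h for h, s in self._sessions.items() if self._expired(s, now)]
        for h in dead:
            del self._sessions[h]
        return len(dead)

    def admin_listing(self) -> List[dict]:
        """What an admin-only /sessions view may show: metadata, never tokens."""
        self.sweep()
        return [{"user": s.user, "created": s.created, "last_seen": s.last_seen,
                 "id": s.token_hash[:8]} for s in self._sessions.values()]


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("admin")
    print("resolved:", store.resolve(tok))
    print("listing:", store.admin_listing())
    print("logout:", store.logout(tok), "after logout:", store.resolve(tok))
```

The absolute timeout matters even with a sliding idle window: an attacker who keeps a hijacked session "active" cannot extend it forever. Keying the store by hash means a database dump or an over-permissive listing endpoint yields nothing replayable.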