As the encryption mode is ECB, every plaintext block is encrypted independently with the same key, so identical plaintext blocks give identical ciphertext blocks and any ciphertext block can be cut out and reused on its own. We can forge our input so that the resulting cookie contains admin=1.

  • Pad so that the text before our payload ends on a 16-byte block boundary. Input: ffff&.
  • Append the plaintext we want encrypted as blocks of its own, terminated with a null byte so it fills exactly two blocks: ffff& followed by id=00000000&admin=1&color=ffff&
  • Open http://52.59.124.14:10017/color/ffff%26id%3D00000000%26admin%3D1%26color%3Dffff%2600, which returns this session cookie: da5ef5449dcf37a33cecc578f8c7a6c68ec11e84f19bd24ddaac2f43b5efd47edb8af08fe75975e04aebefc123bf920e71090921e9d924daf0edf294e24da982e33815146a57b246e08907f12b6b97e4
  • Slice the cookie starting at hex offset 64, 64 hex characters long (bytes 32 to 63, i.e. the two 16-byte blocks holding our payload).
  • Send the request with the sliced value as the session cookie: session=db8af08fe75975e04aebefc123bf920e71090921e9d924daf0edf294e24da982;
Original writeup (https://hackmd.io/@vidner/nullcon-sksd#Colorful-web).