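Because the encryption mode is ECB, each 16-byte plaintext block is encrypted independently, so the same plaintext block always produces the same ciphertext block. We can craft our input so that the plaintext contains `admin=1` in blocks of its own.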

- Pad the block until its length is divisible by 16. Input: `ffff&`.
- Append a block with the plaintext that we want to be encrypted: `ffff&_id=00000000&admin=1&color=ffff&`
- Open http://52.59.124.14:10017/color/ffff%26id%3D00000000%26admin%3D1%26color%3Dffff%2600, it will give this session cookie: `da5ef5449dcf37a33cecc578f8c7a6c68ec11e84f19bd24ddaac2f43b5efd47edb8af08fe75975e04aebefc123bf920e71090921e9d924daf0edf294e24da982e33815146a57b246e08907f12b6b97e4`
- Slice the session cookie starting at byte offset 64, for a length of 64 bytes.
- Send an HTTP request with the sliced session cookie: `session=db8af08fe75975e04aebefc123bf920e71090921e9d924daf0edf294e24da982;`
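
Why the slice is accepted, and what stops it, as an added example that is not part of the original writeup or the challenge's code. Assumptions: a toy Feistel permutation stands in for the server's block cipher (plain standard-library Python), the 27-byte `PREFIX` is a constructed cookie layout chosen so that the `ffff&` pad ends a block, and the keys are constructed. Offsets 64 and 128 index characters of the hex cookie string, matching the slice above.

```python
import hashlib, hmac

BLOCK = 16
KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"  # demo keys
PREFIX = b"_id=12345678&admin=0&color="  # assumed 27-byte server prefix
INPUT = b"ffff&_id=00000000&admin=1&color=ffff&"  # input from the writeup

def _f(i, half):  # Feistel round function
    return hmac.new(KEY, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(block, decrypt=False):
    """Toy 4-round Feistel permutation on 16 bytes, standing in for AES."""
    l, r = block[:8], block[8:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = (_xor(r, _f(i, l)), l) if decrypt else (r, _xor(l, _f(i, r)))
    return l + r

def ecb(data, decrypt=False):  # every block is processed independently
    return b"".join(toy_block(data[i:i + BLOCK], decrypt)
                    for i in range(0, len(data), BLOCK))

def issue_cookie(color):  # weak: ECB ciphertext with no integrity check
    pt = PREFIX + color
    n = BLOCK - len(pt) % BLOCK  # PKCS#7 padding
    return ecb(pt + bytes([n]) * n).hex()

def read_cookie(cookie_hex):
    pt = ecb(bytes.fromhex(cookie_hex), decrypt=True)
    n = pt[-1]
    if 1 <= n <= BLOCK and pt.endswith(bytes([n]) * n):
        pt = pt[:-n]  # strip padding only when it is well formed
    return dict(kv.split(b"=", 1) for kv in pt.split(b"&") if b"=" in kv)

def issue_signed(color):  # hardened: encrypt-then-MAC over the whole cookie
    ct = issue_cookie(color)
    return ct + "." + hmac.new(MAC_KEY, ct.encode(), hashlib.sha256).hexdigest()

def read_signed(cookie):
    ct, _, tag = cookie.partition(".")
    good = hmac.new(MAC_KEY, ct.encode(), hashlib.sha256).hexdigest()
    return read_cookie(ct) if hmac.compare_digest(tag, good) else None

def demo():
    plain = read_cookie(issue_cookie(INPUT)[64:128])  # blocks 2-3 alone
    ct, _, tag = issue_signed(INPUT).partition(".")
    return plain, read_signed(ct[64:128] + "." + tag)

if __name__ == "__main__":
    print(demo())
```

The unauthenticated cookie parses the two spliced blocks as a complete session, while the MAC-protected one rejects the same splice because the tag covers the full ciphertext.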

Original writeup (https://hackmd.io/@vidner/nullcon-sksd#Colorful-web).