Cookies Solution
This is the solution for picoCTF's Cookies challenge web exploitation problem.
This problem was taken from the picoCTF 2021 and the solution will be discussed below. So proceed with caution.
Clicking on the link we are redirected to a website. One that shows an text input box with a search button.
Testing the site we can input the snickerdoodle place holder and click on Search button.
This leads us to another page where it gives us a clue stating that That is a cookie! Not very special though...
Based from this clue we know that there is a special cookie that may contain the flag.
How can we know what that exact cookie is?
One thing we notice is that the url has changed to http://mercury.picoctf.net:64944/check
no change in the url parameters that we might exploit.
Now let's observe the request. Let's open up our Burp and intercept the requests resulting from clicking on the Search button.
There are two resulting requests:
First is a POST
request containing the name=snickerdoodle
as request body parameter.
Second is a GET
request.
Let's examine the response for this two request.
For the POST
request (1st) we get a response with a header Set-Cookie: name=0; Path=/
This same cookie value of name =0
is used for the GET
request (2nd). The cookie value changed from name=-1
to name=0
Additionally if we click on the Home link. the GET
/reset request is made.
Which has a response setting the cookie name=
to blank.
Then the home /
is requested which set's the cookine name=-1
which is the default.
So we know here that the dynamic part of each requests is the cookie name
which is set to a number. We can do a trial and error of modifying this number to get the "special" cookie.
We can use Burp's repeater to modify the name
cookie until we get special cookie
.
After several tries we find that cookie name=18
provides us the special cookie and flag.
Modifying the cookie as well in our browser shows the flag.
Flag: picoCTF{3v3ry1_l0v3s_c00k135_cc9110ba}
Until next time. Keep learning.
Stay stoked and code. :)
I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)
Thank you very much. :)