picoCTF - Cookies Solution

picoCTF - Cookies Solution

Cookies Solution

This is the solution for picoCTF's Cookies challenge web exploitation problem.

Screenshot 2024-04-11 at 10 23 13 PM

This problem was taken from the picoCTF 2021 and the solution will be discussed below. So proceed with caution.

Clicking on the link we are redirected to a website. One that shows an text input box with a search button.

Screenshot 2024-04-11 at 11 27 32 PM

Testing the site we can input the snickerdoodle place holder and click on Search button.

This leads us to another page where it gives us a clue stating that That is a cookie! Not very special though...

Based from this clue we know that there is a special cookie that may contain the flag.

How can we know what that exact cookie is?

One thing we notice is that the url has changed to http://mercury.picoctf.net:64944/check no change in the url parameters that we might exploit.

Now let's observe the request. Let's open up our Burp and intercept the requests resulting from clicking on the Search button.

There are two resulting requests:

First is a POST request containing the name=snickerdoodle as request body parameter.

Screenshot 2024-04-11 at 11 44 12 PM

Second is a GET request.

Screenshot 2024-04-11 at 11 45 43 PM

Let's examine the response for this two request.

For the POST request (1st) we get a response with a header Set-Cookie: name=0; Path=/

This same cookie value of name =0 is used for the GET request (2nd). The cookie value changed from name=-1 to name=0

Additionally if we click on the Home link. the GET /reset request is made.

Screenshot 2024-04-11 at 11 57 39 PM

Which has a response setting the cookie name= to blank.

Screenshot 2024-04-11 at 11 59 56 PM

Then the home / is requested which set's the cookine name=-1 which is the default.

Screenshot 2024-04-12 at 12 03 02 AM

So we know here that the dynamic part of each requests is the cookie name which is set to a number. We can do a trial and error of modifying this number to get the "special" cookie.

We can use Burp's repeater to modify the name cookie until we get special cookie.

After several tries we find that cookie name=18 provides us the special cookie and flag.

Screenshot 2024-04-12 at 12 09 45 AM

Modifying the cookie as well in our browser shows the flag.

Screenshot 2024-04-11 at 9 48 51 PM

Flag: picoCTF{3v3ry1_l0v3s_c00k135_cc9110ba}

Until next time. Keep learning.

Stay stoked and code. :)

I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)

Thank you very much. :)