I forgot Cookies can Be modified Client-side, so now I decided to encrypt them! http://mercury.picoctf.net:15614/
- 1.This is a continuation of the "Cookies" challenge, which I did not write up since it is very simple. However, this challenge is fairly difficult despite the point value.
- 2.There is a cookie called
auth_namewith the value
eEozQmFzQUNUL2Y1c1hIWmZTOEl4OS9wcUwyRkMyVVE4MUdseEZRYnZWU1E3WXRoOHU5cjkwOXpGM3hwTVc4SGx5K1BNbGdBaFhUOFpXWWpCMTl6dE1QNlNzUGJOVTRpeGdSSnA5dDI2ODBXRXVBMkhpWUtWVVBTNmh6RnJGNXE=. Decoding this as base64 using CyberChef produces gibberish since it is encrypted as per the challenge description.
- 3.The letters
Care capitalized in the challenge description which is a hint that cipher block chaining (CBC) is used. CBC is vulnerable to a bit flip. This answer on the Crypto StackExchange extensively explains this attack. Essentially, there is a single bit that determines if the user is an admin. Maybe there is a parameter like
admin=0and if we change the correct bit then we can set
admin=1. However, the position of this bit is unknown, so we can try every position until we get the flag.
- 4.Outdated (see 5 for improved method): We write a Python script to complete this bruteforce attack. I originally only tried the first 10 positions, which was enough to get the flag so I left the max number of positions to try at 10.
- 5.We write an improved Python script.py to complete this bruteforce attack. The script loops through all the bits in the cookie and flips each one until the flag is shown. See the comments in the script for more details.
Last modified 6mo ago