Cookies - picoCTF

Brief explanation of what we had to do in this homework

· First we had to go to the picoCTF page and make a free account.

· Then we had to select a picoGym exercise called Cookies; it is under picoCTF 2021 – Web Exploitation.

· Basically, we had to find the flag for that exercise.

· A screenshot of the exercise is given below.


What I gathered from looking at this exercise

When I first saw the exercise, I could see that it had been completed by only 60 percent of the people who attempted it. So I knew this was a mid-level exercise.

 

Moreover, there were no hints. That disappointed me a little.

 

I had previous experience with picoCTF exercises, but none of them were in the web exploitation category; they were from the Linux administration side. At the moment I am writing this documentation, I have a score of 380.


Going into the given link

When I first saw this page, I was a little confused. It may be because I have no experience with web exploitation.

 

As usual, once the page had loaded, I opened DevTools in Chrome.

 

I saw in the lecture that Miss Chethana goes to the Application tab in DevTools to see the cookies a site uses. Because this is a cookie exercise, I decided to go to the Application tab. It looked like this.

At first I was like “Ummm, okay”, because it freaked me out a little. Of course, I not only saw the cookie name, value, domain, path and other attributes, but I also knew what those attributes mean.

But I was suspicious about the cookie named ‘name’ and its value, -1. So I went to Google and searched for “why name value is -1 in cookies”.

 

I did not get any proper answer for that.

So I went back to the exercise link and noticed that the search box contained a name, “snickerdoodle”. At this point there was nothing else to do but type that name, “snickerdoodle”.

Then I clicked Search and it took me to another page. It looked like this,


At this point I knew that I had made a move in this exercise.

But now what? I went back to DevTools. There I saw a change: the value of the name cookie had become ‘0’. Previously it was -1.

Then I went to Burp Suite, copied the exercise URL into its browser and loaded the link.

The request the browser tried to make looked like this:

Then I knew there was not much information we could gather from this to solve the exercise. However, I forwarded the request.

Then the browser made another request. It looked like this.

 

Now I could see that a cookie named ‘name’ with the value ‘-1’ was attached to this request. I forwarded this too.

Basically, it brought me to the home page of the exercise.

When I typed ‘snickerdoodle’ and searched, it looked like this,

 

I saw that the request changes the name cookie value to snickerdoodle. But that gave me no idea how to solve this, so I started thinking again.

After a few moments I remembered that after entering ‘snickerdoodle’ the name cookie value changed to ‘0’. So I made the previous request again with the cookie value set to ‘0’.

 

Then I came to the “I love snickerdoodle cookies!” page.

At this point I had no idea how to proceed from this step.

After a few minutes I came up with the idea of making the request with the name cookie set to ‘21485’. You might be wondering where I got that idea: if you look closely at the intercepted requests above, you can see that the Host value is ‘mercury.picoctf.net:21485’.

There was no basis for this guess, but what did we have to lose? So I changed the name cookie value to 21485.

 

But it again redirected me to the home page request. At this point I had wasted more than an hour on this CTF.


Found the way

So I had to refer to the internet. After reading up, I knew how to get the answer.

But I needed to know why I had failed.

So, I again started from the beginning.

· When we click on the link given in picoCTF, the browser sends a request as follows. #1

· After we forward it, the browser issues another request. #2

In this request, we can see a cookie named ‘name’ is sent along with the request.

But why is that?

Because when we issue the first request, the server replies with a Set-Cookie header and the browser stores the cookie. On the next request the browser sends that cookie back in a Cookie header. That is why the second request carries the cookie.

· Then I type ‘snickerdoodle’ and search for it. The browser sends a request as follows. #3

There we can see the name variable gets the value snickerdoodle.

· Then we can see the browser making another request. In that request the name cookie value is 0. #4

Then we get the “I love snickerdoodle cookies!” page.

Requests Explained in Dialogue Format


Browser: “Can you send me the resources for http://mercury.picoctf.net:21485/?” //First request #1

Server: “Unless you create a cookie for me, do not request data from me…”

Browser: “Okay” //Sends the second request #2

Server: “Good boy… Here are your resources” //Sends us to the home page of the CTF.

Browser: “Hey, search for snickerdoodle” #3

Server: “Check the cookie for the name cookie value for ‘snickerdoodle’”

Browser: “Got it… it’s 0.” //Makes another request #4
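The exchange in the dialogue above, modelled as an added, stand-alone Python example (this is not code from the writeup or from picoCTF): a toy server hands out the name cookie with a Set-Cookie header and a browser-side jar returns it in the Cookie header on the next request. The cookie list, the redirect targets and the server's logic are assumptions based only on what the writeup observed; only the stdlib http.cookies module is used.

```python
from http.cookies import SimpleCookie

# Constructed cookie table for the toy server. The real server's list is
# unknown; the writeup only shows that "snickerdoodle" maps to 0.
COOKIE_NAMES = ["snickerdoodle", "chocolate chip", "oatmeal raisin"]


def set_cookie_header(value):
    """Build a 'name=<value>; Path=/' Set-Cookie value with the stdlib."""
    c = SimpleCookie()
    c["name"] = value
    c["name"]["path"] = "/"
    return c.output(header="").strip()


class ToyServer:
    """Assumed server behaviour, modelled on the four requests in the writeup."""

    def handle(self, cookie_header=None, search=None):
        """Return (set_cookie_header_or_None, body)."""
        jar = SimpleCookie()
        if cookie_header:
            jar.load(cookie_header)
        if "name" not in jar:
            # Request #1: no cookie yet, so hand one out (name=-1) and redirect.
            return set_cookie_header("-1"), "redirect to /"
        if search is not None:
            # Request #3: the search form turns a cookie name into its index.
            if search in COOKIE_NAMES:
                return set_cookie_header(str(COOKIE_NAMES.index(search))), "redirect to /check"
            return None, "unknown cookie"
        # Requests #2 and #4: render the page for the current cookie value.
        value = int(jar["name"].value)
        if value < 0:
            return None, "home page"
        return None, f"I love {COOKIE_NAMES[value]} cookies!"


class BrowserJar:
    """Stores Set-Cookie values and replays them as the Cookie header."""

    def __init__(self):
        self.jar = SimpleCookie()

    def store(self, set_cookie):
        if set_cookie:
            self.jar.load(set_cookie)

    def cookie_header(self):
        if not self.jar:
            return None
        return "; ".join(f"{k}={m.value}" for k, m in self.jar.items())


def run_exchange():
    """Replay requests #1 to #4; return (tag, Cookie sent, Set-Cookie received, body) per request."""
    server, browser = ToyServer(), BrowserJar()
    log = []
    for tag, search in (("#1", None), ("#2", None), ("#3", "snickerdoodle"), ("#4", None)):
        sent = browser.cookie_header()
        set_cookie, body = server.handle(sent, search=search)
        browser.store(set_cookie)
        log.append((tag, sent, set_cookie, body))
    return log


if __name__ == "__main__":
    for entry in run_exchange():
        print(entry)
```

Running it prints one tuple per request: #1 carries no Cookie and receives `name=-1; Path=/`, #2 sends `name=-1` and gets the home page, #3 sends the search and receives `name=0; Path=/`, and #4 sends `name=0` and gets the snickerdoodle page, which is exactly the sequence seen in Burp Suite.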


Making a Move

Now this is the request we need to change. What changes?

As you can see, there is a pattern. The first time, the name cookie value was -1; now it has become 0. Out of curiosity, let’s set it to 1, then 2, and so on.

· Making the cookie value 1

· Let’s check the output.

Now I had some motivation. Let’s set the value to 2 and see the results.


Results

Let’s continue this.

Note: You do not need to go back to the home page to apply the cookie values. Just refresh the Burp Suite browser and change the value in the intercepted request.

· At the value of 18 the flag appears.

· Flag appears

· Let’s go and collect the score.

Now my score is 420.
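The pattern found above (walking the name cookie from -1 up to 18) works because the server treats the cookie's integer as a direct index into its list of cookies. The following is an added Python example, not code from the writeup or from picoCTF, that models that weakness beside a hardened variant in which the server stores only a signed, public value in the cookie. The cookie table, the placeholder flag at index 18, the secret key and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed table: 18 public entries (only "snickerdoodle" is taken from the
# writeup) and one entry at index 18 the server never means to hand out.
# The flag is a placeholder, not the real one.
PUBLIC_NAMES = ["snickerdoodle"] + [f"cookie-{i}" for i in range(1, 18)]
COOKIE_TABLE = PUBLIC_NAMES + ["picoCTF{PLACEHOLDER_FLAG}"]


def parse_name_cookie(cookie_header):
    """Pull the 'name' value out of a Cookie header; None if absent."""
    for part in (cookie_header or "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == "name":
            return value
    return None


def page_vulnerable(cookie_header):
    """The weakness the writeup walked through: the cookie's integer is used
    directly as an index, so every row of the table is reachable by counting."""
    raw = parse_name_cookie(cookie_header)
    try:
        idx = int(raw)
    except (TypeError, ValueError):
        return "home page"
    if idx < 0 or idx >= len(COOKIE_TABLE):
        return "home page"
    return f"I love {COOKIE_TABLE[idx]} cookies!"


# Hardened variant (assumed design, not picoCTF's): the server stores the
# chosen name itself, restricted to the public list, and signs it with an
# HMAC so a client cannot forge a value or step through the table.
SECRET_KEY = secrets.token_bytes(32)  # generated per process for this example


def sign(value):
    """Append an HMAC-SHA256 tag so the server can detect any edit."""
    tag = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(token):
    """Return the signed value, or None if the tag is missing or wrong."""
    value, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None


def issue_cookie_hardened(search):
    """What the search handler would set: a signed public name, or None."""
    if search not in PUBLIC_NAMES:
        return None
    return f"name={sign(search)}; Path=/; HttpOnly; SameSite=Lax"


def page_hardened(cookie_header):
    """Only a correctly signed, public name renders a page; anything else is home."""
    raw = parse_name_cookie(cookie_header)
    name = verify(raw) if raw else None
    if name is None or name not in PUBLIC_NAMES:
        return "home page"
    return f"I love {name} cookies!"


def sweep(handler, values):
    """Send each candidate cookie value through a handler and collect the pages."""
    return [handler(f"name={v}") for v in values]


if __name__ == "__main__":
    print("vulnerable, name=18:", page_vulnerable("name=18"))
    print("hardened, name=18:  ", page_hardened("name=18"))
    print("hardened, issued:   ", page_hardened(issue_cookie_hardened("snickerdoodle")))
```

With the vulnerable handler, a sweep over -1 to 18 reaches the hidden row exactly as the writeup did; with the hardened handler the same sweep yields only the home page, because an unsigned or altered value never verifies and the signed value can only name a public entry. The HttpOnly and SameSite attributes on the issued cookie are unrelated to this index problem but are what a server should set on a session-like cookie anyway.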



