PicoCTF - Cookies [Web]
Cookies is an easy web challenge of PicoCTF.
The main page of the web app consists of a simple search form.
The first thing I tried was to submit the suggested word, and then to submit another random word. The responses I received were quite different:
In the first case I was redirected to “http://mercury.picoctf.net:<port>/check”, while in the second case I was not; a red alert simply appeared, telling me that the word I searched for was not a valid biscuit (in the following I will use the word “biscuit” instead of “cookie” in order to avoid confusion when referring to web cookies).
Guided by the name of the challenge, I analyzed my cookies.
First, reaching the main page, the web app set a cookie:
Cookie: name=-1
Then, by searching for a valid biscuit, my cookie changed:
Cookie: name=0
Finally, by searching for an invalid biscuit, my cookie was set again to zero.
By analyzing the traffic with the Firefox developer tools, I inspected the requests that redirected me in the first case, and I understood how the web application works:
- By submitting some text, the browser makes a POST request to “http://mercury.picoctf.net:<port>/search”
- If the submitted text matches a valid biscuit, the server redirects the browser to “http://mercury.picoctf.net:<port>/check” and changes the cookie
- The page “http://mercury.picoctf.net:<port>/check” reads the cookie set previously and, based on its value, generates a custom message
Suddenly, a theory came to my mind, but I needed one more proof to confirm it.
In order to confirm my theory, I submitted the name of another famous biscuit: “gingerbread”. The response was positive:
But, more interestingly, my cookie changed from -1 to 23. Yes! I was right! The web page “http://mercury.picoctf.net:<port>/check” identifies each biscuit with successive numbers and crafts messages based on the number (stored in the web cookie) submitted. Therefore, by modifying the cookie “name” it would be possible to retrieve all the personalized messages, and maybe also the flag.
This type of attack is very easy to perform with Burp Suite Intruder; however, I decided to perform it with a Python script in order to improve my programming skills.
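The root cause described above is that the server trusts a bare integer in the “name” cookie, so every id can be walked sequentially. The following is an added example (not the write-up's script and not the challenge's own code) that puts a check which trusts the cookie next to one that only accepts an HMAC-signed value; the message table, the key and the flag string are constructed placeholders, and the two indices that matter (0 and 23) are the ones observed on the page.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment loads it from configuration.
SECRET_KEY = b"constructed-demo-key-not-for-production"

# Constructed table standing in for the /check page's message list.
# Index 0 is the first valid biscuit and 23 is "gingerbread", as observed;
# everything else is filler.
MESSAGES = {i: f"That is a cookie! Not very special though... (id {i})"
            for i in range(25)}
MESSAGES[23] = "gingerbread: picoCTF{constructed_placeholder}"


def vulnerable_check(cookie_value: str):
    """Mimics the challenge: honours whatever integer the client sends."""
    try:
        idx = int(cookie_value)
    except ValueError:
        return None
    return MESSAGES.get(idx)   # any client-chosen id is accepted


def sign_cookie(idx: int) -> str:
    """Server side: emit 'idx.tag' with tag = HMAC-SHA256(key, idx)."""
    tag = hmac.new(SECRET_KEY, str(idx).encode(), hashlib.sha256).hexdigest()
    return f"{idx}.{tag}"


def hardened_check(cookie_value: str):
    """Server side: use the id only if its tag verifies under the key."""
    idx_str, sep, tag = cookie_value.partition(".")
    if not sep or not idx_str.lstrip("-").isdigit():
        return None                      # malformed or unsigned cookie
    expected = hmac.new(SECRET_KEY, idx_str.encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None                      # tampered id: reject
    return MESSAGES.get(int(idx_str))
```

With the hardened variant the enumeration loop in this write-up gets no message back, because a bare “name=23” carries no valid tag and re-using the tag from “name=0” with a different index fails verification.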
The script I used is the following one:
#!/bin/python3
import requests

# <port> is the instance-specific port of the challenge (left as in the original)
for i in range(25):
    cookie = 'name={}'.format(i)      # candidate biscuit id
    headers = {'Cookie': cookie}
    r = requests.get('http://mercury.picoctf.net:<port>/check', headers=headers)
    # print only the page whose message contains the flag prefix
    if (r.status_code == 200) and ('picoCTF' in r.text):
        print(r.text)
It simply makes GET requests to “http://mercury.picoctf.net:<port>/check”, submitting a new cookie value each time. Then it analyzes the responses and, if it finds the string “picoCTF” inside a response, it prints it.
The script worked as expected and I was able to retrieve the flag:
Pwned!