
DeconstruCT.F 2023 - where-are-the-cookies

Description

Category: Web

Tom is feeling especially snacky during the CTF, can you find where the cookies are?

Note: This challenge works best on Chrome

Resolution

When we open the page and inspect the request and response, we find nothing related to the cookie.

We used dirsearch to look for hidden routes, and it found one:

$ python3 dirsearch.py -u https://ch29744124891.ch.eng.run/

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11710

Output: dirsearch/reports/https_ch29744124891.ch.eng.run/__23-08-05_10-19-21.txt

Target: https://ch29744124891.ch.eng.run/

[10:19:22] Starting: 
[10:23:08] 200 -   49B  - /robots.txt

Task Completed

Then we go to /robots.txt:

User-agent: *
Disallow: /cookiesaretotallynothere

Which gives us another secret route: /cookiesaretotallynothere.

But still no cookie:

(Screenshot: the page only answers "No cookie".)

Using Burp Suite, we found a cookie in the request that determines whether we are allowed to see the cookie:

GET /cookiesaretotallynothere HTTP/2
Host: ch29744124891.ch.eng.run
Cookie: caniseethecookie=bm8==

bm8== is base64 and decodes to no.

So we change it to yes, which is eWVz in base64:

GET /cookiesaretotallynothere HTTP/2
Host: ch29744124891.ch.eng.run
Cookie: caniseethecookie=eWVz

And this time we get the cookie:

You found the cookie! 🍪 Oh, I also found this unrelated string, might be useful to you: dsc{1_f0unD_Th3_c0oK135}

And with it the flag: dsc{1_f0unD_Th3_c0oK135}.
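The root cause here is an authorization decision taken from a cookie the client fully controls: the server only base64-decodes caniseethecookie and compares it to yes, so anyone can flip it. The following Python is an added example, not the challenge's own code; it models the observed gate as vulnerable_can_see_cookie and puts beside it a hardened variant that only trusts the cookie if it carries a valid HMAC tag produced with a server-side key. The cookie name and the sample values come from the write-up; the key, the payload.tag format and all function names are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac

COOKIE_NAME = "caniseethecookie"  # name taken from the challenge


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie: header value into a name -> value dict.

    Only the first '=' separates name from value, so a base64 value with
    trailing '=' padding (as in bm8==) survives intact.
    """
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def vulnerable_can_see_cookie(cookie_header: str) -> bool:
    """The gate as observed in the challenge: decode the client's value and
    compare it to 'yes'. Nothing binds the value to the server, so the client
    decides the outcome by sending eWVz instead of bm8==."""
    raw = parse_cookie_header(cookie_header).get(COOKIE_NAME, "")
    try:
        return base64.b64decode(raw) == b"yes"
    except binascii.Error:
        return False


def make_signed_cookie(value: str, key: bytes) -> str:
    """Issue 'payload.tag' where tag = HMAC-SHA256(key, payload).

    Assumed format for this example; the key must stay on the server.
    """
    payload = base64.urlsafe_b64encode(value.encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def hardened_can_see_cookie(cookie_header: str, key: bytes) -> bool:
    """Same decision, but the payload is only honoured when its tag verifies.

    A client that rewrites the payload without the key fails the
    constant-time comparison, so the base64 trick no longer works.
    """
    raw = parse_cookie_header(cookie_header).get(COOKIE_NAME, "")
    payload, sep, tag = raw.partition(".")
    if not sep:
        return False  # unsigned value: never trusted
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # tag does not match payload: tampered or forged
    try:
        return base64.urlsafe_b64decode(payload) == b"yes"
    except binascii.Error:
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"  # constructed for the example
    print("vulnerable, bm8==:", vulnerable_can_see_cookie(f"{COOKIE_NAME}=bm8=="))
    print("vulnerable, eWVz :", vulnerable_can_see_cookie(f"{COOKIE_NAME}=eWVz"))
    issued = make_signed_cookie("no", key)
    print("hardened, issued :", hardened_can_see_cookie(f"{COOKIE_NAME}={issued}", key))
    print("hardened, eWVz   :", hardened_can_see_cookie(f"{COOKIE_NAME}=eWVz", key))
```

Signing only stops tampering; it does not stop a client from replaying a cookie it was legitimately issued. The simpler fix for a flag like this is to keep the "may see the cookie" state on the server, keyed by an opaque session identifier, so the cookie carries no decision at all. Whichever approach is used, the server must also treat a missing or malformed value as "no", which both functions above do.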

This post is licensed under CC BY 4.0 by the author.