PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
  • Binary Exploitation
    • L1im1tL355
    • messy-malloc
    • OverFlow 2
    • CanaRy
    • NewOverFlow-1
    • NewOverFlow-2
    • sice_cream
    • seed-sPRiNG
    • leap-frog
    • GoT
    • rop64
    • rop32
    • Ghost_Diary
    • zero_to_hero
    • Challenge Name
    • Heap overflow
    • slippery-shellcode
    • AfterLife
    • SecondLife
    • stringzz
  • Cryptography
    • la cifra de
    • b00tl3gRSA2
    • b00tl3gRSA3
    • AES-ABC
    • john_pollard
    • b00tl3gRSA2
    • waves over lambda
  • Forensics
    • What Lies Within
    • m00nwalk
    • shark on wire 1
    • shark on wire 2
    • Glory of the Garden
    • pastaAAA
    • Investigative Reversing 0
    • Investigative Reversing 1
    • extensions
    • investigation_encoded_1
    • Investigative Reversing 2
    • investigation_encoded_2
    • Investigative Reversing 3
    • like1000
    • Investigative Reversing 4
    • WebNet0
    • B1g_Mac
    • m00nwalk 2
    • WebNet1
    • WhitePages
    • So Meta
    • c0rrupt
  • Web Exploitation
    • Java Script Kiddie 2
    • Empire1
    • Empire2
    • cereal hacker 1
    • Empire3
    • cereal hacker 2
    • Java Script Kiddie
    • JaWT Scratchpad
    • Irish-Name-Repo 1
    • Irish-Name-Repo 2
    • Irish-Name-Repo 3
  • Reverse Engineering
    • Time's Up, Again!
    • Forky
    • droids0
    • Challenge Name
    • droids1
    • droids2
    • droids3
    • reverse_cipher
    • droids4
    • B1ll_Gat35
    • Time's Up
    • Time's Up, For the Last Time!
    • asm1
    • asm2
    • asm3
    • asm4
  • Challenge Name
Powered by GitBook
On this page
  • Problem
  • Solution
  • Example Cookie
  • Flag

Was this helpful?

Edit on Git
  1. Web Exploitation

Empire2

Problem

Well done, Agent 513! Our sources say Evil Empire Co is passing secrets around when you log in: https://2019shell1.picoctf.com/problem/40536/ (link), can you help us find it? or http://2019shell1.picoctf.com:40536

  • Website

Solution

  1. Create an account and sign in

  2. Use EditThisCookieto get flask session cookie

  3. Use https://www.kirsle.net/wizards/flask-session.cgi to decode the cookie or use Empire3 solution to decode.

Example Cookie

Encoded:

.eJwljzFuwzAMRe-iOQNlSqKUtUBP0F2gKDI10taFbA9FkLtXQLY_vAe8_3DVhu6f7nqMUy-urt1dXYgIzXPPKNIpcwQuzIopIhomgUSYuaeWAaVAQy6tS2mBrHgWxB6RKAH6FgJnZF5iakytZJWF2cBPuEhULMuCgjH7EBQk4iIazV2c7MPqsd31Z_YYK4WQcwxAnRBUzc8WBZPgfcne9w5zTa_zuNddZegxxd9VtreP98d67JXrt9a_7RzVvvhGOVlBo-d0zl3H6zi65z9H6FCp.XaOo9w.vk17n4yNDaVXM9EAfQWOBfycsRc

Decoded:

{
    "_fresh": true,
    "_id": "4530b1ad83ccd78a50a9aae36533f36c06738ad6b803c90b3a9bdc9b47f91ac33d53776031b44a83aa256ba7b98ec2aaf019b49c5e39223c358144e0c532ce5f",
    "csrf_token": "fae744885407d730eef1653e0fc4119811dd0411",
    "dark_secret": "picoCTF{its_a_me_your_flag786f93f7}",
    "user_id": "3"
}

Flag

picoCTF{its_a_me_your_flag786f93f7}

PreviousEmpire1Nextcereal hacker 1

Last updated 3 years ago

Was this helpful?