PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
  • Binary Exploitation
    • L1im1tL355
    • messy-malloc
    • OverFlow 2
    • CanaRy
    • NewOverFlow-1
    • NewOverFlow-2
    • sice_cream
    • seed-sPRiNG
    • leap-frog
    • GoT
    • rop64
    • rop32
    • Ghost_Diary
    • zero_to_hero
    • Challenge Name
    • Heap overflow
    • slippery-shellcode
    • AfterLife
    • SecondLife
    • stringzz
  • Cryptography
    • la cifra de
    • b00tl3gRSA2
    • b00tl3gRSA3
    • AES-ABC
    • john_pollard
    • b00tl3gRSA2
    • waves over lambda
  • Forensics
    • What Lies Within
    • m00nwalk
    • shark on wire 1
    • shark on wire 2
    • Glory of the Garden
    • pastaAAA
    • Investigative Reversing 0
    • Investigative Reversing 1
    • extensions
    • investigation_encoded_1
    • Investigative Reversing 2
    • investigation_encoded_2
    • Investigative Reversing 3
    • like1000
    • Investigative Reversing 4
    • WebNet0
    • B1g_Mac
    • m00nwalk 2
    • WebNet1
    • WhitePages
    • So Meta
    • c0rrupt
  • Web Exploitation
    • Java Script Kiddie 2
    • Empire1
    • Empire2
    • cereal hacker 1
    • Empire3
    • cereal hacker 2
    • Java Script Kiddie
    • JaWT Scratchpad
    • Irish-Name-Repo 1
    • Irish-Name-Repo 2
    • Irish-Name-Repo 3
  • Reverse Engineering
    • Time's Up, Again!
    • Forky
    • droids0
    • Challenge Name
    • droids1
    • droids2
    • droids3
    • reverse_cipher
    • droids4
    • B1ll_Gat35
    • Time's Up
    • Time's Up, For the Last Time!
    • asm1
    • asm2
    • asm3
    • asm4
  • Challenge Name
Powered by GitBook
On this page
  • Problem
  • Solution
  • Example Output
  • Flag

Was this helpful?

Edit on Git
  1. Web Exploitation

Empire3

Previouscereal hacker 1Nextcereal hacker 2

Last updated 3 years ago

Was this helpful?

Problem

Agent 513! One of your dastardly colleagues is laughing very sinisterly! Can you access his todo list and discover his nefarious plans? (link) or

Solution

  1. Create an account and sign in

  2. Use EditThisCookieto get flask session cookie

  3. Create a todo of {{config}} and get the flask SECRET_KEY variable (used for encoding session cookies)

  4. Paste SECRET_KEY into secret_key variable of attached script

  5. Paste flask cookie into regular_user_cookie variable of attached script

  6. Run script to decode cookie and paste into cookie_dict variable

  7. Change "user_id": "x" to "user_id": "2"

  8. Run script again and change cookie to the new cookie

  9. Reload the page and the flag should be given

Example Output

Decoded Cookie:
{'_fresh': True, '_id': '669830bc929eb8755b468ad78734441992a8275815de8e86acaefc907af730c0f014a3c1aebb5c4f81924a9e400164894ab9f21fda058f1542b5d07c5cccc5a3', 'csrf_token': '86c56031ea9ab7555bb9e367a80f6a3bf72a1c59', 'user_id': '3'}

Encoded Cookie For User 2:
.eJwlzzFqBTEMBNC7uE4h2ZIt5TKLpJVICCSw-38VcvdvyHRTDLz5bUddeX-09_a4ntne2vF57jKnygAP7Zoui9lpip1L1iAiVO0mfbEgnykp08KyQmFZrQEBBUg2Ai3dOagEtZNpEgBOEiVzrY51GrAUMnXnE1Zw7LCNDYn7quPx85Xf2yMzeMLANDXfHHbXHHOZQE0bXqsbBuvePe-8_k_09vcCf5o-3g.XaOrlQ.dWJr-X0v22Dhdt0rswb0cvI3lMk

Flag

picoCTF{cookies_are_a_sometimes_food_8038d44f}

https://2019shell1.picoctf.com/problem/45132/
http://2019shell1.picoctf.com:45132
Website