Repo for my website
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 

2.1 KiB

+++ author = "Maik de Kruif" title = "Cookiemonster" subtitle = "Challenge 2 - AdventOfCTF" date = 2020-12-02T17:30:25+01:00 description = "A writeup for challenge 2 of AdventOfCTF." cover = "img/writeups/adventofctf/2020/948b1eb046c96865a05808660ee99e10.png" tags = [ "AdventOfCTF", "challenge", "ctf", "hacking", "writeup", "web", "cookies", ] categories = [ "ctf", "writeups", "hacking", ] +++

  • Points: 200

Description

For the 2nd challenge you will need to bypass the login mechanism.

Visit https://02.adventofctf.com to start the challenge.

Solution

When opening the website we're provided with a login form. If we fill in the form with random data, we're greeted with some text that says a guest cannot access the flag.

After trying several things, I opened the devtools to have a look at the cookies. Here we find a cookie with the name authenticated:

authenticated=eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0%3D

The value of this cookie looks like a base64 encoded string so lets try to decode it:

Note: in a url encoded string, the text %3D means a =.

> echo "eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0=" | base64 -d
{"guest":"true","admin":"false"}%

The result is some JSON data which specifies whether we are a guest or an admin.

Normally, we can easily alter the string to say we're an admin, but this time there is some weird non-printable character at the end. This means we can't easily modify it while still having the correct response. To circumvent this, I'll use sed to replace the string while keeping the non-printable character:

> echo "eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0=" | base64 -d | sed 's/"guest":"true"/"guest":"false"/g' | sed 's/"admin":"false"/"admin":"true"/g' | base64
eyJndWVzdCI6ImZhbHNlIiwiYWRtaW4iOiJ0cnVlIn0=

If we put this string back into the cookie and refresh the page we get the flag: NOVI{cookies_are_bad_for_auth}.

This flag can then be submitted for the challenge.