The PicoCTF web exploitation tasks are fun, and you can learn a lot about the web and about the tools you can use as a white hat hacker or penetration tester. Knowing about the possible security issues also helps you avoid them as a developer. Let’s see another web security challenge!
Cookies
This challenge welcomes us with the following description:
Who doesn't love cookies?
Try to figure out the best one.
http://mercury.picoctf.net:29649/
Navigate to the site!
There you find a search page where you can “search cookies”. The default text is “snickerdoodle”; try to search for it.
The site informs us:
That is a cookie! Not very special though...
In the meantime you will notice that the URL has changed to:
http://mercury.picoctf.net:29649/check
It’s time to fire up a tool to intercept the HTTP communication and look into it!
My choice is Burp Suite again. With the Burp Proxy in place, the intercepted request looks like this:
POST /search HTTP/1.1
Host: mercury.picoctf.net:29649
(...)
Cookie: name=-1
Upgrade-Insecure-Requests: 1

name=snickerdoodle
There is a cookie that we may change! The Cookie: name=-1 header is our first candidate to tinker with.
If you start playing with it and change the cookie value to 0, you will see a request like this:
GET /check HTTP/1.1
(...)
Cookie: name=0
And the response will be an HTML document with the following somewhere in it:
That is a cookie! Not very special though...
You may feel the urge to increase the number by hand to 1 and try it, but stepping through larger numbers manually would be painfully slow. It would be better to automate it.
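Why does counting work at all? The server takes the integer from a client-controlled cookie and uses it directly as a lookup key, so every value is reachable just by incrementing, and the differing response lengths tell you which one is special. The following is an added example, not code from the challenge or the post: a constructed stand-in for such a server (the cookie table, the flag placeholder and the assumed cut-off at index 28 are all made up) shown first in its vulnerable form and then hardened so that the server signs the index with an HMAC-SHA256 tag under a secret key. A `response_lengths` helper mimics what Intruder's Length column shows for each variant.

```python
import hashlib
import hmac
import re
import secrets
from http.cookies import SimpleCookie

# Constructed stand-in for the server-side table that the challenge indexes by
# the number in the cookie. Index 18 plays the part of the special cookie; the
# flag text is a placeholder, not the real one.
COOKIE_TABLE = {
    0: "That is a cookie! Not very special though...",
    18: "Flag: picoCTF{placeholder}",
}
DEFAULT_BODY = "That is a cookie! Not very special though..."
REDIRECT = "302 Found: /"   # constructed body for out-of-range values
MAX_INDEX = 28              # assumed cut-off: the post sees redirects from 29 on


def parse_cookie_header(header: str) -> dict:
    """Parse a raw Cookie: header value into a {name: value} dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def respond_insecure(cookie_header: str) -> str:
    """Vulnerable pattern: the integer the client sends is used directly as the
    lookup key, so every row is reachable just by counting."""
    try:
        idx = int(parse_cookie_header(cookie_header).get("name", "-1"))
    except ValueError:
        idx = -1
    if idx < 0 or idx > MAX_INDEX:
        return REDIRECT
    return COOKIE_TABLE.get(idx, DEFAULT_BODY)


def issue_cookie(idx: int, key: bytes) -> str:
    """Hardened pattern: the server appends an HMAC-SHA256 tag computed with a
    secret key, so the client can present the value but not alter it."""
    tag = hmac.new(key, str(idx).encode(), hashlib.sha256).hexdigest()
    return f"name={idx}.{tag}"


def respond_signed(cookie_header: str, key: bytes) -> str:
    """Only honour cookie values carrying a valid tag; anything else is treated
    exactly like a missing cookie, so there is no length oracle to walk."""
    value = parse_cookie_header(cookie_header).get("name", "")
    idx_str, sep, tag = value.partition(".")
    if not sep or not re.fullmatch(r"-?\d+", idx_str):
        return REDIRECT
    expected = hmac.new(key, idx_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return REDIRECT
    idx = int(idx_str)
    if idx < 0 or idx > MAX_INDEX:
        return REDIRECT
    return COOKIE_TABLE.get(idx, DEFAULT_BODY)


def response_lengths(respond, values, **kwargs) -> dict:
    """Mimic Intruder's Length column: body length per raw cookie value."""
    return {v: len(respond(f"name={v}", **kwargs)) for v in values}


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    print("insecure:", response_lengths(respond_insecure, range(0, 31)))
    print("signed:  ", response_lengths(respond_signed, range(0, 31), key=key))
    print("valid signed cookie ->", respond_signed(issue_cookie(18, key), key))
```

Run it and the insecure table shows exactly the pattern the post describes (one odd length at 18, redirects from 29), while the signed variant returns the same length for every bare number, and a cookie whose index has been edited after signing is rejected. An opaque random session ID looked up server-side would be an equally good fix; the point is that the client never gets to pick the index.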
Luckily Burp Suite is a clever beast: right-click on the request and send it to the Intruder! In the Intruder tab, mark the cookie value as a payload position by adding § symbols before and after it:
GET /check HTTP/1.1
Host: mercury.picoctf.net:29649
(...)
Cookie: name=§0§
Upgrade-Insecure-Requests: 1
It’s time to generate a payload for our cookie testing.
I used a simple Bash one-liner to generate the numbers I wanted to use as values, and saved them in a file called payload.txt.
You can do the following too:
for i in {1..50}; do echo "$i"; done | tee payload.txt
Then, in the Payloads tab, load the file and start the attack.
Burp Intruder sends the request once per cookie value and collects the responses in a results table. Looking at the Length column you will notice that the responses change from cookie value 29 onwards: from that point the server only returns a redirect. But! Every response before that was around 1900 bytes long, with one exception: the cookie with the value 18 gave a shorter response!
Inspecting that response, you will find the flag in its HTML body.
Congratulations, you have automated the generation of a payload, and you sequentially sent it to the site to find the flag!
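Seen from the other side of the wire, an Intruder run like this leaves a very recognisable trace: one client presenting dozens of distinct, steadily increasing values for the same cookie within a minute. As an added example (not part of the post, and not tied to any real server's log format), here is a small detector over constructed access-log lines. It assumes a Common Log Format extended with the request's Cookie header as a final quoted field; the sample lines reproduce the behaviour described above (sizes around 1900, a shorter reply at 18, redirects from 29) for one enumerating client next to an ordinary visitor.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed log layout: Common Log Format plus the Cookie request header as a
# trailing quoted field (configurable via the web server's LogFormat; the
# exact directive differs per server). Every line used here is constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _log_line(ip, ts, req, status, size, cookie):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} {size} "{cookie}"'


def constructed_lines():
    """Build the sample log: one normal visitor and one client walking name=1..30."""
    base = datetime(2023, 10, 10, 13, 55, 0, tzinfo=timezone.utc)
    lines = [
        _log_line("198.51.100.20", base, "POST /search HTTP/1.1", 302, 0, "name=-1"),
        _log_line("198.51.100.20", base + timedelta(seconds=1),
                  "GET /check HTTP/1.1", 200, 1904, "name=0"),
    ]
    for i in range(1, 31):
        status = 302 if i >= 29 else 200
        size = 1200 if i == 18 else (0 if i >= 29 else 1900)
        lines.append(_log_line("203.0.113.7", base + timedelta(seconds=5 + i),
                               "GET /check HTTP/1.1", status, size, f"name={i}"))
    return lines


def parse_log_line(line: str):
    """Return the fields of one line, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    cookies = {}
    for part in m["cookie"].split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "status": int(m["status"]), "cookies": cookies}


def detect_cookie_enumeration(lines, cookie_name="name", window=timedelta(seconds=60),
                              min_values=10, ascending_ratio=0.8):
    """Flag clients that present many distinct integer values for one cookie
    inside a sliding time window, mostly in increasing order."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        value = rec["cookies"].get(cookie_name)
        if value is None or not re.fullmatch(r"-?\d+", value):
            continue
        per_client[rec["ip"]].append((rec["ts"], int(value)))

    alerts = []
    for ip, events in per_client.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            vals = [v for _, v in events[start:end + 1]]
            distinct = len(set(vals))
            if distinct < min_values:
                continue
            ascending = sum(1 for a, b in zip(vals, vals[1:]) if b > a)
            if ascending < ascending_ratio * (len(vals) - 1):
                continue
            if best is None or distinct > best["count"]:
                best = {"ip": ip, "count": distinct, "first": min(vals), "last": max(vals)}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_enumeration(constructed_lines()):
        print(alert)
```

The thresholds (ten distinct values in sixty seconds, at least 80% of steps increasing) are starting points, not tuned numbers; on a busy site you would also want to key on the request path and rate-limit or reject numeric cookie values server-side rather than only alert on them.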
If you want to discuss the topic with other technology-minded people, join my Discord: https://discord.gg/YbSYGsQYES
Now we have an IRC channel as well: irc.libera.chat / #tomsitcafe