Wednesday, June 1, 2016

CTF Write-Up: COOKIEMONSTER

This is going to be my first of many CTF write-ups (hopefully).  Again, my goal in these write-ups is threefold: help my team, help others that may find this on the ole interwebs, and lastly give myself something to reference later.

Challenge:  (https://backdoor.sdslabs.co/challenges/COOKIE-MONSTER)
Cookie Monster strikes again! This time, he's encrypting all your data and letting nothing out. His cookies shall not be mangled. Can you break in and get the flag?
Here is the webpage.

Points: 100

Let's start off by browsing to the webpage.  We get a couple of text boxes and a submit button.
OK, let's use George for both the Username and First Name and click submit.  We get this:
Let's look at this code a bit...

Right away this section of code sticks out:
$cred = explode('!',decrypt($_COOKIE['cred']));
if ($cred[2] === 'A') {
   echo "Flag is SHA256{".$flag."}";
}

OK, so it's decrypting the cookie, splitting it on the ! delimiter and creating an array $cred.  Then it's checking whether the 3rd element in the $cred array ($cred[2], since PHP arrays are zero-indexed) is exactly the letter A.  Let's take a look further.

This is the code that is setting the cookie that the above eventually uses:
if ( isset($_POST['username']) && isset($_POST['firstname']) ) {
    setcookie('cred',encrypt($_POST['username'].'!'.$_POST['firstname'].'!U'),time() + (86400 * 7));
    header("Refresh:0; url=#");
}

Well, I see the ! delimiters, so it looks like it's setting the first array element to the Username entered in the form, the second array element to the Firstname entered in the form, and then at the end it is setting the third array element to the letter U.  Note that the form values are concatenated straight into the string; nothing checks whether they themselves contain a !.

So that winds up looking like: George!George!U

So your first thought is probably to manipulate the cookie to change the U to an A.  But the cookie is encrypted on the way out and decrypted on the way back in, so you can't just edit the plaintext.  My cookie was:
R2RQNGU3YmZNUkppdlA2YlNuc0hTbkduRVp1VlBlZE44YVNJR0F6MElRdz0

While that was probably the intended way to solve this, I decided to go a different route.  Since there is no input validation, I used "George!A" as my Firstname.  This made my cookie (pre-encryption) George!George!A!U.

This makes the 3rd array element the letter A and gives us a 4th array element of U that is ignored.
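To make the delimiter-injection point concrete, here is an added Python model of the challenge's logic (this is my own illustration, not code from the challenge page).  It mirrors the PHP explode('!', ...) / $cred[2] === 'A' check with str.split, and puts a hardened version beside it that stores the fields as JSON and authenticates the whole payload with an HMAC, so a stray ! in a form field can no longer shift the role column.  The encrypt/decrypt pair below is a base64 stand-in (an assumption; the challenge's real cipher is never shown and the attack never needs to break it), and SECRET_KEY is a made-up key.

```python
import base64
import hashlib
import hmac
import json

# Assumption: stand-in for the challenge's unknown encrypt()/decrypt().
# The delimiter attack works regardless of the cipher, because the attacker
# only controls the plaintext that the server encrypts for them.
def encrypt(plaintext: str) -> str:
    return base64.urlsafe_b64encode(plaintext.encode()).decode().rstrip("=")

def decrypt(token: str) -> str:
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded).decode()

# --- Vulnerable: mirrors the challenge's setcookie()/explode() logic ---
def set_cookie_vulnerable(username: str, firstname: str) -> str:
    # username . '!' . firstname . '!U' with no validation of the fields
    return encrypt(f"{username}!{firstname}!U")

def is_admin_vulnerable(cookie: str) -> bool:
    # $cred = explode('!', decrypt($_COOKIE['cred'])); if ($cred[2] === 'A')
    cred = decrypt(cookie).split("!")
    return len(cred) > 2 and cred[2] == "A"

# --- Hardened: structured encoding plus a MAC over the whole payload ---
SECRET_KEY = b"example-key-not-the-challenge-key"  # assumption: server-side secret

def set_cookie_hardened(username: str, firstname: str) -> str:
    # JSON escapes any '!' (or quotes) inside the fields, so the role cannot
    # be displaced by user input; the HMAC binds all three fields together.
    payload = json.dumps({"user": username, "first": firstname, "role": "U"},
                         separators=(",", ":"))
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return encrypt(payload + "|" + mac)

def is_admin_hardened(cookie: str) -> bool:
    # The hex MAC never contains '|', so rpartition reliably isolates it even
    # if the JSON payload itself contains that character.
    payload, _, mac = decrypt(cookie).rpartition("|")
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False  # tampered or forged cookie
    return json.loads(payload).get("role") == "A"

def forge_admin_cookie(username: str, firstname: str) -> str:
    # What an attacker who can produce ciphertext (here: base64) but lacks the
    # key would submit against the hardened check: right role, no valid MAC.
    payload = json.dumps({"user": username, "first": firstname, "role": "A"},
                         separators=(",", ":"))
    return encrypt(payload + "|" + "00" * 32)

if __name__ == "__main__":
    honest = set_cookie_vulnerable("George", "George")
    injected = set_cookie_vulnerable("George", "George!A")
    print("honest  ->", decrypt(honest), "admin?", is_admin_vulnerable(honest))
    print("injected->", decrypt(injected), "admin?", is_admin_vulnerable(injected))
    print("hardened, same input -> admin?",
          is_admin_hardened(set_cookie_hardened("George", "George!A")))
```

The split on the injected cookie yields ['George', 'George', 'A', 'U'], which is exactly why the check passes: the fourth element is simply never looked at.  The hardened version shows the two fixes that matter here, a serialization that cannot be confused by the delimiter and a MAC so that even a forged plaintext is rejected; encryption alone provides confidentiality, not integrity.
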

TADA!  Our first flag!


As always, comments are welcomed and if you know of any good CTF references, challenges, etc please let me know.
