CTFtime.org

Cookie Monster

by _dodo_ / LevaNova

Rating:

```python
import requests

cookies = {"flag": ""}
for i in range(0, 100):
r = requests.get("http://159.89.166.12:13500/", cookies=cookies)
c = r.cookies.get_dict().get("flag")
cookies = {"flag": c}
print(sols[c])

```

First of all we must collect as much as cookies as possible. Since all cookies are MD5 hash of 2 chars, they are easy to crack with john/hashcat using a mask

`hashcat -a 3 -m 0 cookie_hashes.txt ?1?1 -1 ?d?l?u?s --increment --increment-min=2`

In the potfile we got only 20 unique cookies:

```
"0b1cdc9fe1f929e469c5a54ffe0b2ed5": "s0",
"6f570c477ab64d17825ef2d2dfcb6fe4": "0o",
"a8655da06c5080d3f1eb6af7b514e309": "t}",
"114d6a415b3d04db792ca7c0da0c7a55": "tf",
"bc54f4d60f1cec0f9a6cb70e13f2127a": "pc",
"c1d12de20210d8c1b35c367536e1c255": "l0",
"12eccbdd9b32918131341f38907cbbb5": "re",
"c758807125330006a4375357104f9a82": "3v",
"988287f7a1eb966ffc4e19bdbdeec7c3": "ki",
"ff108b961a844f859bd7c203b7366f8e": "y_",
"0d4896d431044c92de2840ed53b6fbbd": "3s",
"440c5c247c708c6e46783e47e3986889": "L_",
"bc781c76baf5589eef4fb7b9247b89a0": "HE",
"fcfdc12fb4030a8c8a2e19cf7b075926": "Ea",
"97a7bf81a216e803adfed8bd013f4b85": "@_",
"2349277280263dff980b0c8a4a10674b": "@l",
"f355d719add62ceea8c150e5fbfae819": "_@",
"96bc320e4d72edda450c7a9abc8a214f": "Um",
"51de5514f3c808babd19f42217fcba49": "Ut",
"364641d04574146d9f88001e66b4410f": "_r",
"639307d281416ad0642faeaae1f098c4": "_y",
"05cb7dc333ca611d0a8969704e39a9f0": "_t",
"c716fb29298ad96a3b31757ec9755763": "_b",
"b2984e12969ad3a3a2a4d334b8fb385a": "{c"
```

To get the correct order the flag:

```python
import requests

sols = {
"0b1cdc9fe1f929e469c5a54ffe0b2ed5": "s0",
"6f570c477ab64d17825ef2d2dfcb6fe4": "0o",
"a8655da06c5080d3f1eb6af7b514e309": "t}",
"114d6a415b3d04db792ca7c0da0c7a55": "tf",
"bc54f4d60f1cec0f9a6cb70e13f2127a": "pc",
"c1d12de20210d8c1b35c367536e1c255": "l0",
"12eccbdd9b32918131341f38907cbbb5": "re",
"c758807125330006a4375357104f9a82": "3v",
"988287f7a1eb966ffc4e19bdbdeec7c3": "ki",
"ff108b961a844f859bd7c203b7366f8e": "y_",
"0d4896d431044c92de2840ed53b6fbbd": "3s",
"440c5c247c708c6e46783e47e3986889": "L_",
"bc781c76baf5589eef4fb7b9247b89a0": "HE",
"fcfdc12fb4030a8c8a2e19cf7b075926": "Ea",
"97a7bf81a216e803adfed8bd013f4b85": "@_",
"2349277280263dff980b0c8a4a10674b": "@l",
"f355d719add62ceea8c150e5fbfae819": "_@",
"96bc320e4d72edda450c7a9abc8a214f": "Um",
"51de5514f3c808babd19f42217fcba49": "Ut",
"364641d04574146d9f88001e66b4410f": "_r",
"639307d281416ad0642faeaae1f098c4": "_y",
"05cb7dc333ca611d0a8969704e39a9f0": "_t",
"c716fb29298ad96a3b31757ec9755763": "_b",
"b2984e12969ad3a3a2a4d334b8fb385a": "{c",
}

cookies = {"flag": ""}
for i in range(0, 100):
r = requests.get("http://159.89.166.12:13500/", cookies=cookies)
c = r.cookies.get_dict().get("flag")
cookies = {"flag": c}
print(sols[c])
```

Flag: `pctf{c0oki3s_@re_yUm_bUt_tHEy_@ls0_r3vEaL_@_l0t}`

Comments