# PikCha

Once we visit the page we get this:


I started looking around and saw something interesting with the cookies :D


I wonder what are those values?!
After googling, I discovered that each of those values represent the ID of one pokemon and if you look at the values,they match the pokemons on the picture!
So I created a python script.

import time

import jwt

import requests

import re

from selenium import webdriver

from selenium.webdriver.support.ui import WebDriverWait

from selenium.webdriver.support import expected_conditions as ec

from selenium.webdriver.common.by import By

url = ''
api= 'https://pokeapi.co/api/v2/pokemon/?limit=1000'

#Open chrome and go to the challenge page
driver = webdriver.Chrome()


time.sleep(1) # Let the user actually see something!

#Get a json with all the pokemons infomation
rPokemon = requests.get(api)

#Decodes the cookie and gets the pokemon name 500 times
for x in range(501):

session_cookie = driver.get_cookie('session')["value"]

pokeValues = jwt.get_unverified_header(session_cookie)['answer']

pokemonName = ""

for x in pokeValues:


pokemon = re.findall("name\":\"[a-z-]+\",\"url\":\"https://pokeapi.co/api/v2/pokemon/" + str(x) +"/",rPokemon.text)

pokemonName += re.findall("^[a-z-]+",pokemon[0][7:])[0] + " "

WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "guess")))





Original writeup (https://github.com/JrGoomer/CTF-Writeups/blob/master/UMass2021/PikCha.md).