Tags: web otp stream-cipher
tl;dr:
1. Notice that there is some stream cipher underneath
2. Extract some of the keystream and notice it repeats itself
3. Decrypt the whole cookie
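The three steps above as a runnable sketch, added here as an example and not taken from the challenge or the linked writeup. The keystream, cookie layout and known prefix are constructed, and it assumes part of the cookie plaintext is known so that keystream bytes fall out of a plain XOR.

```python
from itertools import cycle

def xor(data, stream):
    """XOR data with a byte stream (zip stops at the shorter input)."""
    return bytes(a ^ b for a, b in zip(data, stream))

def recover_keystream(ciphertext, known_prefix):
    """Step 2a: C xor P = K for every position where the plaintext is known."""
    return xor(ciphertext, known_prefix)

def find_period(stream, min_repeats=2):
    """Step 2b: smallest p where the stream repeats every p bytes, or None."""
    for p in range(1, len(stream) // min_repeats + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None

def decrypt_cookie(ciphertext, known_prefix):
    """Step 3: extend one period of recovered keystream over the whole cookie."""
    keystream = recover_keystream(ciphertext, known_prefix)
    period = find_period(keystream)
    if period is None:
        raise ValueError("recovered keystream shows no repetition")
    return xor(ciphertext, cycle(keystream[:period]))

# Constructed sample data (not from the challenge): an 8-byte repeating
# keystream and a made-up cookie whose first 24 bytes the client already knows.
SECRET_KEYSTREAM = bytes.fromhex("3a91c45e07b2d86f")
COOKIE = b"user=guest_account_0001;role=player;state=constructed-example"
KNOWN_PREFIX = b"user=guest_account_0001;"
CIPHERTEXT = xor(COOKIE, cycle(SECRET_KEYSTREAM))

if __name__ == "__main__":
    ks = recover_keystream(CIPHERTEXT, KNOWN_PREFIX)
    print("period:", find_period(ks))
    print("cookie:", decrypt_cookie(CIPHERTEXT, KNOWN_PREFIX))
```

A keystream that never repeats within or across cookies (a fresh nonce per message) together with an authentication tag removes both the recovery and the tampering that follows from it.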
Full writeup: https://github.com/p4-team/ctf/tree/master/2017-11-09-defcamp-final/hack_tac_toe