More Cookies - PicoCTF | level: medium
Hello, CTF Enthusiasts!
Hey guys! This time, I'm tackling a medium-level PicoCTF challenge called "More Cookies". Sounds intriguing, right? Especially for those of you who are always hyped up about solving CTF puzzles!
Today I am going to show you the solution to this challenge. If we look below, only 36% liked this challenge XD :). So let's give it a try.
So let's fire up the challenge.
As shown below, it's a normal web page with nothing interesting, and the page source does not contain anything that might help us.
So the last option we have is opening the developer console by pressing F12 => Storage => Cookies. There we see a cookie named auth_name with a value like this: "ZUlWUUNOUVg5N0VyUU5pTEZKMElFcW5Fdlo1enNRdVFSeWtRNExJamszVmtwVFUwZkJ1T1NDQ3QydG9SOUpoSFNwSVMzendMTW52QzRMcHMrNTV3eVY5MHJmSlNKWjIyYityU2o1N1pvQUwybFNZeXdqckZTTVcrdzBWWmMySkM=". At first glance it is base64-encoded, but after decoding it we get another opaque string, "eIVQCNQX97ErQNiLFJ0IEqnEvZ5zsQuQRykQ4LIjk3VkpTU0fBuOSCCt2toR9JhHSpIS3zwLMnvC4Lps+55wyV90rfJSJZ22b+rSj57ZoAL2lSYywjrFSMW+w0VZc2JC", which on its own does not help us.
After a while I took a look at the description section of this challenge and noticed something that might be helpful.
The capital letters "C, B, C" are telling us something... yes, it's CBC encryption. A long story is about to begin.
CBC stands for "Cipher Block Chaining", a block cipher mode of operation. It divides the data into fixed-size blocks and mixes the previous block's ciphertext into the encryption of the next one, so that identical plaintext blocks do not produce identical ciphertext blocks as they would in ECB mode.
CBC encryption is a sequential, block-based technique: each plaintext block is XORed with the previous ciphertext block before it is encrypted. For the first block, an Initialization Vector (IV) takes the place of the "previous ciphertext", so the same message encrypts differently when a fresh IV is used. CBC is effective for confidentiality, but on its own it provides no integrity protection, so additional measures such as random IVs and an authentication tag over the ciphertext are needed to avoid tampering attacks.
You can read more about it “https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation”.
The important thing is that CBC (Cipher Block Chaining) itself is not inherently broken, but it can be susceptible to certain attacks if not implemented securely. One example is the bit-flipping attack.
In a bit-flipping attack, the attacker modifies specific bits of the ciphertext so that controlled changes appear in the plaintext after decryption. It works because of how CBC decrypts: each plaintext block is the block-cipher decryption of its ciphertext block XORed with the previous ciphertext block. Flipping a bit in ciphertext block C(i-1) therefore flips exactly the same bit in plaintext block P(i), while block P(i-1) decrypts to garbage. The attacker does not need the key or the full original content: with knowledge of the data layout (for example, where a flag such as admin=0 sits), they XOR the targeted byte with the difference between its current value and the desired value, and the change appears precisely at that position after decryption.
You can read more about it at "https://medium.com/@maharanirach/bit-flipping-attack-on-cbc-mode-c84980edb9e1"; it's a great write-up for understanding the whole scenario.
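To make the mechanism above concrete, here is an added example in Python (not code from the original post): a toy Feistel block cipher stands in for the real cipher, CBC is implemented on top of it, one bit of the previous ciphertext block is flipped so that admin=0 becomes admin=1 in the next block, and an encrypt-then-MAC tag shows how a server detects the tampering. The key, IV and cookie-like plaintext are constructed for the demo.

```python
import hmac, hashlib
BLOCK = 16  # block size in bytes

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 4-round Feistel cipher (HMAC-SHA256 round function) stands in for AES: invertible but NOT secure.
def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):  # C_i = E(P_i XOR C_{i-1}), with C_0 = IV
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):  # P_i = D(C_i) XOR C_{i-1}
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def flip_plaintext_bit(ct: bytes, pt_index: int, mask: int) -> bytes:
    # XOR-ing the previous ciphertext block at the same offset flips P_i there (P_{i-1} is garbled)
    buf = bytearray(ct)
    buf[pt_index - BLOCK] ^= mask
    return bytes(buf)

def demo() -> dict:
    enc_key, mac_key, iv = b"K" * 16, b"M" * 16, bytes(16)  # constructed demo values
    pt = b"user=ctf_player;" + b"admin=0;pad=pad1"  # two 16-byte blocks, cookie-like
    ct = cbc_encrypt(enc_key, iv, pt)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()  # encrypt-then-MAC tag
    tampered = flip_plaintext_bit(ct, pt.index(b"admin=0") + 6, ord("0") ^ ord("1"))
    mac_ok = hmac.compare_digest(tag, hmac.new(mac_key, iv + tampered, hashlib.sha256).digest())
    return {"decrypted": cbc_decrypt(enc_key, iv, tampered), "mac_ok": mac_ok}
```

demo() returns the tampered plaintext (second block now reads admin=1, first block is garbage) together with mac_ok=False, which is the check a server needs before trusting a decrypted cookie.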
Back to our challenge: we need to perform a bit-flipping attack, sending requests to the target until we get the flag. The code below does this.
***********************************
from base64 import b64decode, b64encode
import requests

# Paste the auth_name cookie value taken from the browser's storage tab
original_cookie = bytearray(b64decode("YOUR_COOKIE_IN_THE_CHALLENGE"))

def bitFlip(cookie_char_pos: int, bit_pos: int) -> str:
    # Flip one bit (bit_pos, 0..7) of one byte of the decoded cookie and re-encode it
    altered_cookie = bytearray(original_cookie)
    altered_cookie[cookie_char_pos] ^= 1 << bit_pos
    return b64encode(bytes(altered_cookie)).decode("utf-8")

for cookie_char_pos in range(len(original_cookie)):
    print(f"Checking cookie position: {cookie_char_pos}")
    for bit_pos in range(8):  # a byte has 8 bits: masks 1, 2, 4, 8, 16, 32, 64, 128
        altered_cookie = bitFlip(cookie_char_pos, bit_pos)
        cookies = {"auth_name": altered_cookie}
        r = requests.get("THE_CHALLENGE_LINK", cookies=cookies)
        t = r.text.lower()
        if "picoctf{" in t or "picoctf {" in t:
            print(r.text)
            break
**********************************
Let's break this code down:
1. original_cookie: Decodes the base64-encoded original cookie value and converts it to a bytearray.
2. bitFlip function: Takes a position in the cookie (cookie_char_pos) and a bit position (bit_pos) as parameters. It flips the specified bit of that byte in a copy of the original cookie, encodes the modified cookie in base64, and returns the result.
3. Loop over each position in the original cookie:
— For each position, it prints a message indicating the current cookie position.
— It then iterates over the eight bit positions of that byte and uses the bitFlip function to create altered cookies.
— It sends HTTP requests with the altered cookies to the server and checks whether the response contains the substring "picoCTF{".
— If found, it prints the response and breaks out of the loop.
This code aims to discover a modified cookie that, when sent to the challenge server, triggers a response containing the flag "picoCTF{". The attack relies on XOR to flip single bits in the cookie, and the server's response is checked for the flag, which indicates a successful bit-flipping attack.
Save this code with the .py extension
and run it in the picoCTF webshell; it will probably take some time.
The result will look like this:
Alright, that's it for today. If you like the post then give me a like, and if there's something I did wrong, please comment so I can fix it.
Note for Readers
If you copy my flag from this write-up, it won't work. The flags in PicoCTF are unique for each user, so attempting to use mine will result in an 'Incorrect Flag' message.
If you really want to solve this challenge and capture your own flag, I recommend following the steps I've outlined here. Trust me, the process is worth it, and you'll learn something cool along the way! Good luck!
See you on another Blog.
contact :
gmail: khalidluhurp@gmail.com
instagram : oceannn.19