🌐 Cookie Monster Secret Recipe
A detailed write-up of the Web challenge 'Cookie Monster Secret Recipe' from PicoCTF - 2025
📊 Challenge Overview
Category | Details | Additional Info |
---|---|---|
🏆 Event | PicoCTF - 2025 | Event Link |
🔰 Category | Web 🌐 | |
💎 Points | 50 | Out of 500 total |
⭐ Difficulty | 🟢 Easy | Personal Rating: 0/10 |
👤 Author | Brhane Giday and Prince Niyonshuti N. | Profile |
🎮 Solves (At the time of flag submission) | 3.498 | solve rate |
📅 Date | 10-03-2025 | PicoCTF - 2025 |
🦾 Solved By | mH4ck3r0n3 | Team: |
📝 Challenge Information
Cookie Monster has hidden his top-secret cookie recipe somewhere on his website. As an aspiring cookie detective, your mission is to uncover this delectable secret. Can you outsmart Cookie Monster and find the hidden recipe? You can access the Cookie Monster here and good luck
🎯 Challenge Files & Infrastructure
Provided Files
Files: None
🔍 Initial Analysis
First Steps
Initially, the website appears as follows:
On the login screen, when trying to enter `username=admin&password=admin`, you are redirected to a page where it says that credentials are not needed, only the cookies are required. So, I immediately decided to inspect them:

As we can see, they appear to be base64 encoded.
🎯 Solution Path
Exploitation Steps
Exploitation
I immediately tried to decode it using bash (even though there were two URL-encoded characters `%3D`, it should work the same, and they can be removed or replaced with `=`):
echo; echo cGljb0NURntjMDBrMWVfbTBuc3Rlcl9sMHZlc19jMDBraWVzXzc3MUQ1RUIwfQ%3D%3D | base64 -d
By doing this, I found the flag.
Flag capture
🛠️ Exploitation Process
Approach
The automated exploit performs exactly the steps done manually: it sends a POST request to the `/login.php` page and then extracts the cookies and decodes them.
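The extract-and-decode step described above can also be run as an audit over captured `Set-Cookie` headers, flagging any cookie whose value is only URL-encoded base64 of readable text. This is an added example, not the author's exploit script; it makes no network request, and the cookie name `recipe` and the `session` cookie are constructed assumptions (only the encoded value comes from the write-up).

```python
import base64
import binascii
from http.cookies import SimpleCookie
from urllib.parse import unquote


def decode_cookie_value(raw):
    """Return the plaintext if `raw` is (URL-encoded) base64 of printable text, else None."""
    value = unquote(raw)                  # percent-decode first: %3D -> '='
    value += "=" * (-len(value) % 4)      # tolerate padding stripped in transit
    try:
        decoded = base64.b64decode(value, validate=True)
        text = decoded.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None                       # not base64, or not text once decoded
    return text if text and text.isprintable() else None


def audit_set_cookie(header_values):
    """Map cookie name -> plaintext for every cookie that is encoded but not protected."""
    findings = {}
    for header in header_values:
        jar = SimpleCookie()
        jar.load(header)                  # parses name=value and skips attributes
        for name, morsel in jar.items():
            text = decode_cookie_value(morsel.value)
            if text is not None:
                findings[name] = text
    return findings


# Constructed sample headers. The names "recipe" and "session" and the session
# value are assumptions; the encoded value is the one shown in the write-up.
SAMPLE_HEADERS = [
    "recipe=cGljb0NURntjMDBrMWVfbTBuc3Rlcl9sMHZlc19jMDBraWVzXzc3MUQ1RUIwfQ%3D%3D; Path=/",
    "session=8f3a1c0e-9b7d-4e21; Path=/; HttpOnly",
]

if __name__ == "__main__":
    for name, text in audit_set_cookie(SAMPLE_HEADERS).items():
        print(f"{name}: readable without a key -> {text}")
```

Any cookie this reports is readable by whoever holds it, because base64 and URL encoding are reversible without a key.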
🚩 Flag Capture
Flag: picoCTF{c00k1e_m0nster_l0ves_c00kies_771D5EB0}
Proof of Execution
🔧 Tools Used
Tool | Purpose |
---|---|
Python | Exploit |
WebDevTools | Web Testing |
💡 Key Learnings
Skills Improved
- Binary Exploitation
- Reverse Engineering
- Web Exploitation
- Cryptography
- Forensics
- OSINT
- Miscellaneous
📊 Final Statistics
Metric | Value | Notes |
---|---|---|
Time to Solve | 00:00 | From start to flag |
Global Ranking (At the time of flag submission) | 3655/8327 | Challenge ranking |
Points Earned | 50 | Team contribution |
Created: 10-03-2025 • Last Modified: 10-03-2025 • Author: mH4ck3r0n3 • Team: