🌐 Cookie-Recipes-V3

A detailed write-up of the Web challenge 'Cookie-Recipes-V3' from DiceCTF - 2025

mH4ck3r0n3 Ethical Hacking/CTFs/Jeopardy/DiceCTF-2025/Web

31/03/2025 499 words 3 minutes

Contents

/images/DiceCTF-2025/CookieRecipesV3/challenge_presentation.png — Challenge Presentation

📊 Challenge Overview

Category Details Additional Info

🏆 Event DiceCTF - 2025 Event Link

🔰 Category Web 🌐

💎 Points 109 Out of 500 total

⭐ Difficulty 🟢 Easy Personal Rating: 1/10

👤 Author BrownieInMotion Profile

🎮 Solves (At the time of flag submission) 38 solve rate

📅 Date 29-03-2025 DiceCTF - 2025

🦾 Solved By mH4ck3r0n3 Team: QnQSec

Category	Details	Additional Info
🏆 Event	DiceCTF - 2025	Event Link
🔰 Category	Web	🌐
💎 Points	109	Out of 500 total
⭐ Difficulty	🟢 Easy	Personal Rating: 1/10
👤 Author	BrownieInMotion	Profile
🎮 Solves (At the time of flag submission)	38	solve rate
📅 Date	29-03-2025	DiceCTF - 2025
🦾 Solved By	mH4ck3r0n3	Team: QnQSec

📝 Challenge Information

Mmmmmmm…

🎯 Challenge Files & Infrastructure

Provided Files

Files:

Attached Files

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

Site Presentation

This challenge consists of baking 1,000,000,000 cookies. Once done, we can deliver them via the /deliver endpoint and obtain the flag. Analyzing the attached files, I understood that:
1
2
3
4
app.use((req, res, next) => {
   const user = cookies?.split('=')?.[1]
   //...
})
As we can see, a user cookie is assigned to maintain the session if it is not already present. Then, I found the vulnerability in the /bake endpoint (the endpoint that allows us to bake cookies):
1
2
3
4
5
6
app.post('/bake', (req, res) => {
   const number = req.query.number
   if (number.length <= 2) { // Length check
       cookies.set(req.user, (cookies.get(req.user) ?? 0) + Number(number))
   }
})
As we can see, we can send a maximum number of 99 at a time since the length of the number sent is limited to 2 numeric digits. However, by sending a parameter as an array like number[]=1000000000, for example, we can bypass this check. This is because the constant number will be transformed into an array, and when accessing the length property of an array, it will check the number of elements contained in the array (in this case, 1). This way, it will pass the length check and set the number of cookies to the value we provided.

🔬 Vulnerability Analysis

Potential Vulnerabilities

Type Confusion

🎯 Solution Path

Exploitation Steps

Exploitation

The exploitation, as mentioned, consists of making a POST request to: https://cookie.dicec.tf/bake, passing the parameter number[]=1000000000. After that, we just need to deliver the cookies with a POST request to https://cookie.dicec.tf/deliver, and we will obtain the flag. Using curl:
1
2
3
curl -c cookie.txt https://cookie.dicec.tf/
curl -X POST -b cookie.txt https://cookie.dicec.tf/bake?number[]=1000000000
curl -X POST -b cookie.txt https://cookie.dicec.tf/deliver
After making the last request, we will receive the flag in the response.

Flag capture

Manual Flag

🛠️ Exploitation Process

Approach

The automatic exploit follows the steps described above and extracts the flag from the response using a regex.

Exploit

🚩 Flag Capture

Flag

dice{cookie_cookie_cookie}

Proof of Execution

Automated Flag

Screenshot of successful exploitation

🔧 Tools Used

Tool Purpose

Python Exploit

Tool	Purpose
Python	Exploit

💡 Key Learnings

Skills Improved

Binary Exploitation

Reverse Engineering

Web Exploitation

Cryptography

Forensics

OSINT

Miscellaneous

📚 References & Resources

Learning Resources

https://snyk.io/blog/remediate-javascript-type-confusion-bypassed-input-validation/

📊 Final Statistics

Metric	Value	Notes
Time to Solve	00:05	From start to flag
Global Ranking (At the time of flag submission)	32/408	Challenge ranking
Points Earned	109	Team contribution

Created: 29-03-2025 • Last Modified: 29-03-2025 Author: mH4ck3r0n3 • Team: QnQSec