
Google CTF 2016 – Spotted Quoll Writeup

First write-up from: Google CTF 2016

Competition link can be found here: https://spotted-quoll.ctfcompetition.com/

After turning on dev tools in Chrome I began to look around the simple site. The main thing that stood out was that by clicking on the ‘Admin’ link I would land on the following page: https://spotted-quoll.ctfcompetition.com/#err=user_not_found


While being redirected to that page you end up being issued a cookie called ‘ObsoletePickle’. It appeared to be encoded somehow; I tried decoding it from base64 and received some useful information.

Encoded:

KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnM

Decoded:

"(dp1\nS'python'\np2\nS'pickles'\np3\nsS'subtle'\np4\nS'hint'\np5\nsS'user'\np6\nNs."

Going from the hint in this string I looked into ‘python pickles’ and found out that pickle is a form of data serialization commonly used for transmitting data over a network. After messing around with pickles in Python for a while I was able to reverse what string was fed into the pickle-creating function, and the input looked like this:

{'python': 'pickles', 'subtle': 'hint', 'user': None}

Now that I could see it without all of the weird markup I understood that it was, essentially, 3 tuples, and the second half of the last tuple was the Null datatype.

Returning to the ‘#err=user_not_found’ from earlier, I had an idea of where to go with it. Since the link being clicked was to the ‘Admin’ page, I replaced the ‘None’ datatype with the name ‘admin’ and then regenerated the pickle:

{'python': 'pickles', 'subtle': 'hint', 'user': 'admin'}

Once I had the new string, I encoded it to base64 and manually changed my cookie to that value.

KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu

I was then able to go to the ‘admin’ page and the cookie was presented!

CTF{but_wait,theres_more.if_you_call}
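The whole chain from the write-up (base64-decode the cookie, read the pickle, change `user`, re-serialize, re-encode) fits in a few lines of Python, so here it is as an added example; this is not code from the write-up or from the challenge, and it also shows the two things the challenge's server was missing: an unpickler that refuses to import code from an untrusted pickle, and an HMAC-signed cookie so a client cannot edit its own session. `SAMPLE_PICKLE` is constructed from the decoded string shown above, `HOSTILE_COOKIE` is a constructed pickle that merely references `builtins.print` so the refusal path can be exercised, and `SERVER_KEY` is an obviously placeholder key.

```python
import base64
import hashlib
import hmac
import io
import json
import pickle
import pickletools

# Sample cookie, constructed here from the decoded pickle shown in the write-up:
# a protocol-0 pickle of {'python': 'pickles', 'subtle': 'hint', 'user': None}.
SAMPLE_PICKLE = (b"(dp1\nS'python'\np2\nS'pickles'\np3\ns"
                 b"S'subtle'\np4\nS'hint'\np5\nsS'user'\np6\nNs.")
SAMPLE_COOKIE = base64.b64encode(SAMPLE_PICKLE).decode("ascii")

# Constructed pickle whose only content is a GLOBAL opcode (builtins.print).
# Loading it with the stock Unpickler would import that name; ours refuses.
HOSTILE_COOKIE = base64.b64encode(b"cbuiltins\nprint\n.").decode("ascii")


def decode_cookie(value):
    """Base64-decode a cookie value, restoring any '=' padding that was dropped."""
    value = value.strip()
    return base64.b64decode(value + "=" * (-len(value) % 4))


class NoGlobalsUnpickler(pickle.Unpickler):
    """Unpickler that refuses every GLOBAL / STACK_GLOBAL reference.

    Plain dicts, strings and None load normally; anything that would import a
    callable (the usual pickle-deserialization code-execution path) raises.
    """
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name} from untrusted pickle")


def load_session(cookie_value):
    """Disassemble, then load the cookie's pickle without executing arbitrary objects."""
    raw = decode_cookie(cookie_value)
    # pickletools.dis walks the opcodes (what the write-up reverse-engineered by hand)
    # and raises ValueError if the stream is malformed or lacks a STOP opcode.
    pickletools.dis(raw, out=io.StringIO())
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()


def cookie_is_plain_data(cookie_value):
    """True when the cookie holds only plain data; False if it is malformed or references code."""
    try:
        load_session(cookie_value)
        return True
    except (pickle.UnpicklingError, ValueError):
        return False


def forge_session(session, **changes):
    """Re-serialize a modified session dict the way the write-up did (user None -> 'admin').

    Python 3 emits unicode 'V' opcodes where the Python 2 cookie used 'S', so the
    bytes differ from the write-up's, but the data is the same. It only works
    because the server trusts a client-supplied pickle with no integrity check.
    """
    updated = dict(session, **changes)
    return base64.b64encode(pickle.dumps(updated, protocol=0)).decode("ascii")


# --- What the server should have done: a non-executable format plus an HMAC. ---
SERVER_KEY = b"example-only-placeholder-key"   # placeholder; a real key lives outside the code


def sign_session(session, key=SERVER_KEY):
    """Serialize as JSON (no code-loading opcodes) and append an HMAC-SHA256 tag."""
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode("ascii")
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_session(cookie_value, key=SERVER_KEY):
    """Return the session dict only if the tag verifies; otherwise None."""
    try:
        payload, tag = cookie_value.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


if __name__ == "__main__":
    session = load_session(SAMPLE_COOKIE)
    print("decoded session:", session)
    print("forged cookie loads as:", load_session(forge_session(session, user="admin")))
    print("hostile cookie accepted?", cookie_is_plain_data(HOSTILE_COOKIE))
    signed = sign_session(session)
    print("signed cookie verifies:", verify_session(signed) == session)
```

Note that the base64 value first shown in the write-up is 95 characters and decodes to a pickle with no trailing STOP opcode; `decode_cookie` restores the missing padding and `cookie_is_plain_data` reports such a stream as not loadable rather than guessing. With the signed variant, editing the payload to `'admin'` without the key simply fails verification.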
