Google CTF 2016 – Spotted Quoll Writeup
Challenge Overview
This is my first write-up from the Google CTF 2016 competition. Challenge URL: Spotted Quoll
Initial Reconnaissance
While exploring the simple site with Chrome DevTools, I noticed something interesting about the 'Admin' link. Clicking it would redirect to:
https://spotted-quoll.ctfcompetition.com/#err=user_not_found
The Cookie Investigation
During the redirect, the site sets a cookie named 'ObsoletePickle'. The cookie value appeared to be encoded. After attempting base64 decoding, I found some interesting content:
Encoded Cookie
KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnM
Decoded Content
"(dp1\nS'python'\np2\nS'pickles'\np3\nsS'subtle'\np4\nS'hint'\np5\nsS'user'\np6\nNs."
The Python Pickle Connection
The decoded string contained a clear hint about 'python pickles': pickle is Python's object serialization format, commonly used for network data transmission. After some analysis, I determined the original data structure was:
{'python': 'pickles', 'subtle': 'hint', 'user': None}
Solving the Challenge
Looking at the structure and the error message (#err=user_not_found), the path forward became clear:
- The cookie contained a pickled dictionary
- The user field was set to None
- We were trying to access the admin page
The Solution
I modified the dictionary to:
{'python': 'pickles', 'subtle': 'hint', 'user': 'admin'}
I then generated a new pickle and base64-encoded it:
KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu
After setting this as the new cookie value and accessing the admin page, the flag was revealed:
CTF{but_wait,theres_more.if_you_call}
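The cookie could be edited because nothing bound its contents to the server. The following is an added example, not part of the original write-up or the challenge's code: it inspects the pickle cookie with an unpickler that refuses to import anything, then shows a signed JSON cookie for which the same edit is rejected. The function names, the demo key and the JSON-plus-HMAC layout are assumptions made for illustration.

```python
import base64, hashlib, hmac, io, json, pickle

# Cookie value as printed in the write-up (complete 96-character form).
COOKIE = ("KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0"
          "ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu")
SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to the client

class NoGlobals(pickle.Unpickler):
    """Unpickler for inspection only: refuses every class/function lookup."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")

def inspect_cookie(value):
    """Decode a base64 pickle cookie without letting it import anything."""
    raw = base64.b64decode(value + "=" * (-len(value) % 4))
    return NoGlobals(io.BytesIO(raw)).load()

def _body(session):
    """Canonical JSON encoding of the session, base64url-encoded."""
    return base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode())

def issue(session):
    """Hardened form: JSON body plus an HMAC-SHA256 tag over that body."""
    body = _body(session)
    tag = hmac.new(SECRET, body, hashlib.sha256).digest()
    return (body + b"." + base64.urlsafe_b64encode(tag)).decode()

def verify(cookie):
    """Return the session dict, or None if the tag does not match the body."""
    body, sep, tag = cookie.encode().rpartition(b".")
    good = base64.urlsafe_b64encode(hmac.new(SECRET, body, hashlib.sha256).digest())
    if not sep or not hmac.compare_digest(tag, good):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

def tamper(cookie, **changes):
    """Edit the body as a client without the key would; the old tag is kept."""
    body, _, tag = cookie.rpartition(".")
    session = json.loads(base64.urlsafe_b64decode(body))
    session.update(changes)
    return _body(session).decode() + "." + tag

if __name__ == "__main__":
    session = inspect_cookie(COOKIE)
    print("decoded pickle cookie:", session)
    signed = issue(session)
    print("signed cookie verifies:", verify(signed))
    print("edited cookie verifies:", verify(tamper(signed, user="admin")))
```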