Google CTF 2016 – Spotted Quoll Writeup

Challenge Overview

This is my first write-up from the Google CTF 2016 competition. Challenge URL: Spotted Quoll

Initial Reconnaissance

While exploring the simple site with Chrome DevTools, I noticed something interesting about the 'Admin' link. Clicking it would redirect to:

https://spotted-quoll.ctfcompetition.com/#err=user_not_found

The Cookie Investigation

During the redirect, the site sets a cookie named 'ObsoletePickle'. The cookie value appeared to be encoded. After attempting base64 decoding, I found some interesting content:

Encoded Cookie

KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnM

Decoded Content

"(dp1\nS'python'\np2\nS'pickles'\np3\nsS'subtle'\np4\nS'hint'\np5\nsS'user'\np6\nNs."

The Python Pickle Connection

The decoded string contained a clear hint about 'python pickles' - a data serialization format commonly used for network data transmission. After some analysis, I determined the original data structure was:

{'python': 'pickles', 'subtle': 'hint', 'user': None}

Solving the Challenge

Looking at the structure and the error message (#err=user_not_found), the path forward became clear:

1. The cookie contained a pickled dictionary
2. The user field was set to None
3. We were trying to access the admin page

The Solution

I modified the dictionary to:

{'python': 'pickles', 'subtle': 'hint', 'user': 'admin'}

Generated a new pickle, base64 encoded it:

KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu

After setting this as the new cookie value and accessing the admin page, the flag was revealed:

CTF{but_wait,theres_more.if_you_call}