
Cookies

  • Description: Who doesn't love cookies? Try to figure out the best one.
  • Difficulty: Easy

🔎 Solution

Upon accessing the website, I encountered a single input field accompanied by the placeholder text snickerdoodle. Curious, I initially submitted arbitrary strings, only to be met with the response: not a valid cookie. However, when I entered snickerdoodle, the server responded differently, displaying a specific message.

To delve deeper, I employed Burp Suite to monitor the HTTP requests and responses. I observed that submitting arbitrary strings resulted in the cookie parameter name=-1. Conversely, inputting "snickerdoodle" changed the cookie to name=0. This pattern suggested that the application assigns numerical identifiers to different cookie types.

Leveraging this insight, I utilized Burp Suite's Repeater to manually modify the cookie values. By incrementally adjusting the name parameter, I discovered that:

  • name=1 = "chocolate chip cookie"
  • name=2 = "oatmeal raisin cookie"
  • ...
  • name=18 revealed the hidden flag
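
The root cause is that the server uses the integer in the name cookie as a lookup index without checking that it issued that value. The sketch below is an added example, not the challenge's source code: it puts that trusting lookup next to one that only accepts HMAC-signed values. The message list, FORM_NAMES, the placeholder hidden entry and all function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: index -> message, with one entry the form never hands out.
MESSAGES = ["snickerdoodle", "chocolate chip cookie", "oatmeal raisin cookie",
            "HIDDEN ENTRY (placeholder)"]
FORM_NAMES = {"snickerdoodle": 0}      # assumption: names the search form accepts
SECRET_KEY = secrets.token_bytes(32)   # stays on the server
INVALID = "not a valid cookie"


def lookup_trusting(cookie_value: str) -> str:
    """Weak pattern: the client-supplied integer is used as the index directly."""
    try:
        idx = int(cookie_value)
    except ValueError:
        return INVALID
    return MESSAGES[idx] if 0 <= idx < len(MESSAGES) else INVALID


def _tag(idx_text: str) -> str:
    return hmac.new(SECRET_KEY, idx_text.encode(), hashlib.sha256).hexdigest()


def issue_cookie(name: str) -> str:
    """Server side of the form: sign the index it chose, e.g. '0.<hmac>'."""
    idx_text = str(FORM_NAMES.get(name, -1))
    return f"{idx_text}.{_tag(idx_text)}"


def lookup_hardened(cookie_value: str) -> str:
    """Accept an index only if its HMAC proves the server issued it."""
    idx_text, _, tag = cookie_value.partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(idx_text).encode()):
        return INVALID
    idx = int(idx_text)  # safe: only server-generated integers carry a valid tag
    return MESSAGES[idx] if 0 <= idx < len(MESSAGES) else INVALID


if __name__ == "__main__":
    print(lookup_trusting("3"))                        # edited value is honoured
    good = issue_cookie("snickerdoodle")
    print(lookup_hardened(good))                       # server-issued value works
    print(lookup_hardened("3." + good.split(".")[1]))  # edited index is rejected
```

Signing only detects tampering; content that should stay hidden is better kept out of any client-addressable list in the first place.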

🚩Flag

picoCTF{3v3ry1_l0v3s_c00k135_88acab36}