PicoCTF 2014 Write-ups

Delicious - 60 (Web Exploitation)

Writeup by NielsKornerup

Created: 2014-11-10 22:56:54

Last modified: 2014-11-11 00:14:40

Problem

You have found the administrative control panel for the Daedalus Corporation Website: https://web2014.picoctf.com/delicious-5850932/login.php. Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?

Hint

Your cookie tells the site what your session number is. Maybe you can guess the value of the cookie for a user who's already logged in...

Answer

Overview

To solve this problem, you need to change the value of your session cookie to that of a user who is logged in.

Details

When you open the page, you should find that your session id number is 67, and that there are currently too many users logged in, so you need to wait. To solve this problem, you will need to discover how the website reads your session id number, and then change it to that of a user who is already logged in. To start, let's look around and find where our session number is being sent to the website. Open Inspect Element, switch to the Network tab and click reload. You will notice that there are four GET requests: one for CSS, another for the company logo, a third for Bootstrap, and finally one for login.php. If you look at login.php, you will notice that under cookies, there is a session id tag with a value of 67; this is the value that you want to change.

Download an extension that allows you to modify cookies (I used Cookies Manager+ for Firefox), and use it to find the cookie from web2014.picoctf.com called session_id. Once you have found this cookie, use the editor to change its value from 67 to 66 (a user who is currently logged in), and you should be logged in as Dr. Florian Richards.
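The root cause is a session id that is a small counter, so the id next to yours belongs to someone else. The sketch below is an added example, not the challenge site's code: it puts a counter-based session store beside one that draws ids from the OS CSPRNG and checks what the 67 to 66 edit reaches in each. The class names, the function name and the starting counter value are hypothetical.

```python
import secrets


class SequentialSessionStore:
    """Weak: ids come from a counter, so neighbouring ids are other users."""

    def __init__(self, start=1):
        self._next = start
        self._sessions = {}

    def create(self, user):
        sid = str(self._next)
        self._next += 1
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


class RandomSessionStore:
    """Hardened: each id is 128 bits from the OS CSPRNG, with no ordering."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(16)  # 16 random bytes, URL-safe text
        self._sessions[sid] = user
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)


def adjacent_session_owner(store, sid):
    """Return whose session sid - 1 is, mirroring the 67 -> 66 cookie edit."""
    try:
        previous = str(int(sid) - 1)
    except ValueError:
        return None  # id is not a number, so there is no "previous" id
    return store.lookup(previous)


if __name__ == "__main__":
    # Constructed sample data: the admin logs in first, the visitor second.
    for store in (SequentialSessionStore(start=66), RandomSessionStore()):
        store.create("Dr. Florian Richards")
        visitor_sid = store.create("visitor")
        print(type(store).__name__, visitor_sid,
              adjacent_session_owner(store, visitor_sid))
```

With random ids the cookie value carries no information about any other session, which is the property the challenge site lacks.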

Flag

session_cookies_are_the_most_delicious