PicoCTF - Biscuit

Posted on April 15, 2017 as PicoCTF 2017. 2 minutes read.

Biscuit - 75 PTS

Your friend has a personal website. Fortunately for you, he is a bit of a noob when it comes to hosting a website. Can you find out what he is hiding?

Website

Let's view the source.

<html>

<!-- Storing stuff in the same directory as your web server doesn't seem like a good idea -->
<!-- Thankfully, we use a hidden one that is super PRIVATE, to protect our cookies.sqlite file -->
  <style>
    body{
    	background-image: url("private/image.png");
    }
  </style>
  <body >
    <div style='background:white;margin: auto;border: 1px solid red;width: 600px; margin-top: 20%;' >
      <center>
        <form style="font-size: 40px; ">
        Access Denied</form>
      </center>
    </div>
  </body>
</html>

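The comments give it away: there is a cookies.sqlite file in a "hidden" directory, and the stylesheet loads its background image from private/. Let's jump to the private directory and download cookies.sqlite.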

http://shell2017.picoctf.com:30027/private/cookies.sqlite

Now we have to try and extract the cookies from the file.

[email protected] ~/Pobrane> sqlite3 cookies.sqlite
SQLite version 3.18.0 2017-03-28 18:48:43
Enter ".help" for usage hints.
sqlite>

Great! It's working. Now we can list the tables in this database, and then extract the password.

sqlite> SELECT * FROM sqlite_master WHERE type='table';
table|moz_cookies|moz_cookies|2|CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER, CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))
sqlite> SELECT * FROM moz_cookies;
1|localhost|0|0|ID|F3MAqpWxIvESiUNLHsflVd|localhost|/|1489365457|1489279130600290|1489279057101857|0|0
sqlite>
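
The moz_cookies row above stores expiry in seconds and creationTime in microseconds since the Unix epoch, and both isSecure and isHttpOnly are 0. The Python script below is an added example, not part of the original write-up: it rebuilds the table in memory from the schema and row shown above (the function names are this example's own), decodes the timestamps and reports the missing cookie flags.

```python
import sqlite3
from datetime import datetime, timezone

# Schema copied from the sqlite_master output in the write-up.
SCHEMA = """CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT,
 appId INTEGER DEFAULT 0, inBrowserElement INTEGER DEFAULT 0, name TEXT, value TEXT,
 host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER,
 isSecure INTEGER, isHttpOnly INTEGER,
 CONSTRAINT moz_uniqueid UNIQUE (name, host, path, appId, inBrowserElement))"""

# The single row shown in the write-up's SELECT output.
ROW = (1, "localhost", 0, 0, "ID", "F3MAqpWxIvESiUNLHsflVd", "localhost", "/",
       1489365457, 1489279130600290, 1489279057101857, 0, 0)

def build_sample_db():
    """Recreate the challenge database in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)", ROW)
    return conn

def utc(seconds):
    """Format whole seconds since the Unix epoch as an ISO 8601 UTC string."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()

def read_cookies(conn):
    """Return one dict per cookie with decoded timestamps and flag findings."""
    conn.row_factory = sqlite3.Row
    out = []
    for r in conn.execute("SELECT * FROM moz_cookies ORDER BY id"):
        findings = []
        if not r["isSecure"]:
            findings.append("no Secure flag: sent over plain HTTP")
        if not r["isHttpOnly"]:
            findings.append("no HttpOnly flag: readable from JavaScript")
        out.append({
            "name": r["name"], "value": r["value"],
            "host": r["host"], "path": r["path"],
            "expires": utc(r["expiry"]),                     # stored in seconds
            "created": utc(r["creationTime"] // 1_000_000),  # stored in microseconds
            "findings": findings,
        })
    return out

if __name__ == "__main__":
    for cookie in read_cookies(build_sample_db()):
        print(cookie)
```

The decoded timestamps show the cookie was created on 2017-03-12 and set to expire exactly one day later.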

The last step is to edit our cookies with the EditThisCookie extension, setting the ID cookie to the value recovered from the database.

EditThisCookie

And lastly reload the page.

Flag

And we have another flag to collect.

Keep learning and stay safe!

~ W3ndige