The Challenge

This page presents us with a picture of a cookie monster doll along with the HTTP acronym. Of course, I recommend looking at the source code as one of the first steps so that you can be sure you understand the functionality of the website. You might find something that you didn’t expect!

You will also notice pretty quickly that you get a dialog box that pops up every time you move your mouse over the picture. Besides being funny (and slightly annoying), it provides no other function as far as we can see.

We can verify that it doesn’t do anything else by checking the source code. In there you will find that the poke() function is called whenever the onmouseover event happens. The poke function was defined under the custom.js file, which you can also find referenced in that source code.

function poke() {
	alert("Stop poking me!");
}

function learn() {
	alert("You just got trolled");
}

Sure enough, the dialog box does nothing but provide that message. Seeing as that’s a dead end, we’ll move on. When you get stuck during a CTF, you should always consider if they left you any hints. In this case, the fact that we have a picture of the cookie monster is probably of no coincidence. Maybe we should look at browser cookies?

Finding your browser cookies is different for every browser, but a quick Google search will bring you to the right place. Personally, I like to use the Cookies Manager+ addon for Firefox, which lets you both view and edit cookies. You should find one cookie from the CTF named fusrodah with some encrypted/encoded content.

Copy the cookie contents into Notepad to try to start figuring out how to decipher it. It doesn’t look like Base64 or anything else we’ve seen thus far. On the next line down, I wrote out the start of our end-goal flag format (“infosec_flagis_”).

vasbfrp_syntvf_jrybirpbbxvrf
infosec_flagis_

Notice any patterns? The underscores line up perfectly. Also notice that f and s match between the two lines in two different places. It looks like this is going to be some kind of substitution cipher; all this is doing is substituting one letter for another. You may also notice that the substitution is “in order,” versus random (this makes it a rotation cipher). For example, a decrypts to n and b decrypts to o. If we had a c, we can assume correctly that it would decrypt to p. You could first start by solving for every letter that you know, leaving only the unknowns:

vasbfrp_syntvf_jrybirpbbxvrf
infosec_flagis_?elo?ecoo?ies

Continue decrypting through the alphabet rotation for the rest of the flag. You can always make a logical guess as to the remainder of the flag since it’s mostly solved, but unfortunately this CTF doesn’t have a way for you to verify your answer, so you need to prove it on your own. For the rotation cipher, there are also websites where you can try all 25 cipher rotations very easily and quickly. infosec_flagis_welovecookies

Lessons Learned

Check for cookies! Cookies usually always have their values encoded or encrypted, but sometimes you will find plaintext information in them as well. If you can decode or decrypt them, the information that they contain could be valuable, or you could even modify them.

Additionally, we learned how to spot a substitution cipher at a quick glance, based on our known flag format, as well as how to decrypt it via tool or by hand if needed.