This challenge required us to get access to the admin page of a research website about zombies.
We were presented with a page containing a button that links to the website’s /admin page. Clicking this button caused the server to redirect back to the homepage and send a cookie to the browser.
The cookie’s value was:
Our first instinct was that this cookie was encoded in base64. After decoding it, we ended up with the following ascii:
This text is in the form of a Python pickle! By loading the string into a dictionary, we could manipulate the value to match the ‘user’ key. Re-encoding the pickle in base64, we managed to get access to the admin page and get our flag!
def decode(a): return pickle.loads(base64.b64decode(a))
def encode(a): return base64.b64encode(pickle.dumps(a))
a = decode("KGRwMQpTJ3B5dGhvbicKcDIKUydwaWNrbGVzJwpwMwpzUydzdWJ0bGUnCnA0ClMnaGludCcKcDUKc1MndXNlcicKcDYKTnMu")
a['user'] = 'admin'