Description
I forgot Cookies can Be modified Client-side! Edit the cookies to log in as admin.
The cookie contains an encrypted value - but the encryption mode is vulnerable.
Setup
Open the challenge URL in your browser and inspect the cookies with DevTools.
Solution
Walk me through it- Step 1Inspect the auth cookieOpen browser DevTools (F12) > Application > Cookies and find the auth_name cookie. It will be a base64-encoded string. Copy and decode it to see its structure.bash
echo '<COOKIE_VALUE>' | base64 -d | xxdLearn more
The cookie value is base64-encoded ciphertext produced by AES in CBC mode (Cipher Block Chaining). In CBC mode, the plaintext is divided into 16-byte blocks, each block is XORed with the previous ciphertext block before being encrypted. The first block is XORed with a random initialization vector (IV).
The plaintext likely encodes a user record like
isAdmin=0;username=user. Your goal is to changeisAdmin=0toisAdmin=1without knowing the AES key. - Step 2Perform a CBC bit-flipping attackIdentify which byte in the ciphertext corresponds to the '0' in 'isAdmin=0'. XOR that ciphertext byte with (ord('0') XOR ord('1')) to flip the corresponding plaintext bit in the next block.python
python3 - <<'EOF' import base64 cookie = "<PASTE_BASE64_COOKIE_HERE>" ct = bytearray(base64.b64decode(cookie)) # Find the byte position in the previous ciphertext block that # corresponds to the '0' in the plaintext of the next block. # XOR that position with ord('0') ^ ord('1') = 1 target_pos = <OFFSET_IN_PREVIOUS_BLOCK> ct[target_pos] ^= ord('0') ^ ord('1') print(base64.b64encode(bytes(ct)).decode()) EOFLearn more
The CBC bit-flip identity. In CBC decryption, each plaintext block is computed as:
P[i] = Decrypt(C[i]) XOR C[i-1]. So if you XOR positionjofC[i-1]with some deltad, positionjofP[i]flips by exactlyd. To forceP[i][j]from byteXto byteY, setd = X XOR Y.Worked example. Suppose the cookie decrypts to
username=guest;admin=0arranged in 16-byte blocks like this (block boundaries marked with |):Block 0: | u s e r n a m e = g u e s t ; | <- bytes 0..15 Block 1: | a d m i n = 0 \0 \0 \0 \0 \0 \0 \0 \0 \0 | <- bytes 16..31 ^ target: byte 22 (the '0' to flip to '1')The target byte sits at position 6 of plaintext block 1. To flip it, modify byte 6 of ciphertext block 0 (the previous block):
delta = ord('0') ^ ord('1') = 0x30 ^ 0x31 = 0x01 ct[6] ^= 0x01 # flips '0' -> '1' in P[1] at position 6 # But this also corrupts P[0] at position 6 (now random byte instead of 'm'). # That's fine here because the server only validates admin=1, not username.Important caveat. Flipping a bit in
C[i-1]also scrambles all 16 bytes ofP[i-1]when you control only one byte (the AES decryption of a modified ciphertext block produces 16 unrelated bytes). The attack is only useful when you can tolerate garbage in one plaintext block to achieve a targeted change in the next - typical for cookies where the username block is non-critical and the admin block is the gate.Defense: CBC mode without authentication is vulnerable to this attack. The solution is to use an authenticated encryption mode like AES-GCM or to append an HMAC to the ciphertext. Any modification to the ciphertext then causes authentication to fail before decryption even occurs.
- Step 3Set the modified cookie and reloadReplace the auth_name cookie value with the modified base64 string from the previous step. Reload the page - if the bit-flip is correct, the server will decrypt the cookie and see isAdmin=1, granting admin access and displaying the flag.
Learn more
This may require a few attempts to get the byte offset exactly right. If the page shows an error or logs you out, adjust
target_posby one and try again. The correct offset is determined by the exact byte position of the character you want to change within its plaintext block (0 to 15).
Flag
picoCTF{...}
AES-CBC without authentication is vulnerable to bit-flipping attacks - flipping a ciphertext byte predictably flips a plaintext bit in the next block, enabling privilege escalation without knowing the key.