Writeup in progress
Currently making the solution for More Cookiesand the walkthrough will be published here as soon as it's ready.
Check back soon - or follow our latest updates on the homepage- to be notified when the full writeup goes live.
More Cookies
Published: April 2, 2026
Want more picoCTF 2021 writeups?
Useful tools for Web Exploitation
- URL Encoder / DecoderEncode and decode URL-encoded (percent-encoded) strings. Useful for web exploitation challenges involving query parameters, form data, and HTTP headers.
- JWT DecoderDecode JSON Web Tokens and inspect the header, payload, and signature. Useful for web exploitation challenges.
- Base64 & Base32 DecoderDecode Base64 and Base32 strings with auto-detection. Multi-layer mode unwraps nested encodings automatically.
Related reading
- SQL Injection for CTF: From Authentication Bypass to Data ExtractionA practical guide to SQL injection techniques used in CTF competitions: authentication bypass, UNION-based extraction, blind SQLi, NoSQL injection, and sqlmap automation - with picoCTF challenge links throughout.
- File Upload ExploitationComplete guide to file upload vulnerabilities, exploitation techniques, bypass methods, web shells, and defensive strategies. Learn through practical picoCTF challenge and real-world scenarios.
- Beginner's Guide to Netcat for CTFsA beginner-friendly guide to using netcat (nc) in CTF competitions: connecting to challenge servers, piping payloads, automating with Python pwntools, and reading challenge output.
What to try next
- Web ExploitationMedium
Credential Stuffing
Use an automated credential stuffing attack with a leaked credentials dump to gain access to a user account and capture the flag.
- Web ExploitationMedium
Fool the Lockout
Bypass a time-window rate limit on a login page by sleeping 30 seconds after lockout, then credential stuffing to capture the flag.
- Web ExploitationMedium
Hashgate
Profile URLs use MD5 hashes of user IDs. Enumerate IDs near 3000 to find the admin (ID 3019) and read the flag.
- Web ExploitationMedium
No FA
Two-factor authentication is enforced on login, but a leaked TOTP secret in the page source lets you generate a valid code and bypass it.
- Web ExploitationMedium
North-South
The server uses geo-based routing to restrict access to Iceland. Configure Tor to use Iceland exit nodes and route your request through them.