Cookie Monster Secret Recipe

Published: April 2, 2025. Updated: December 9, 2025

Description

Cookie Monster’s login page sets a `secret_recipe` cookie that already contains the flag. Harvest the cookie and decode it from Base64.

Submit any username/password combination; authentication isn’t enforced.

Open developer tools → Application/Storage → Cookies to inspect the response cookies.

```bash
echo "cGljb0NURntjMDBrMWVfbTBuc3Rlcl9sMHZlc19jMDBraWVzXzc3MUQ1RUIwfQ==" | base64 -d
```

Solution

  1. Dump the cookie
    Look for `secret_recipe`. Its value is a URL-encoded Base64 blob ending in `%3D%3D`. Decode the percent-encoding first if needed.
  2. Decode the blob
    Either paste into CyberChef or pipe through `base64 -d` to reveal picoCTF{c00k1e_m0nster_l0ves_c00kies_771D5EB0}.
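
Both steps in one script, as an added example that is not part of the original write-up: it parses a `Set-Cookie` header, percent-decodes each value, and reports every cookie whose value strictly Base64-decodes to printable text. The sample header is constructed from the blob shown above (the `Path=/` attribute is assumed), and the function names are hypothetical.

```python
import base64
import binascii
from http.cookies import SimpleCookie
from urllib.parse import unquote

# Constructed sample: the blob from this page with its "==" percent-encoded.
# The Path attribute is an assumption added to make the header realistic.
SAMPLE_SET_COOKIE = (
    "secret_recipe=cGljb0NURntjMDBrMWVfbTBuc3Rlcl9sMHZlc19jMDBraWVzXzc3MUQ1RUIwfQ%3D%3D; Path=/"
)


def decode_cookie_value(raw):
    """Percent-decode, then strictly Base64-decode; return text or None."""
    value = unquote(raw)                 # step 1: %3D%3D -> ==
    value += "=" * (-len(value) % 4)     # restore padding a server may strip
    try:
        # validate=True rejects characters outside the Base64 alphabet
        data = base64.b64decode(value, validate=True)
        text = data.decode("utf-8")      # step 2: bytes -> text
    except (binascii.Error, ValueError):
        return None                      # not Base64, or not UTF-8 text
    if not text or not text.isprintable():
        return None                      # empty or binary-looking payload
    return text


def readable_cookies(set_cookie_header):
    """Map cookie name -> decoded text for cookies that are plain Base64."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)          # attributes such as Path are skipped
    found = {}
    for name, morsel in jar.items():
        text = decode_cookie_value(morsel.value)
        if text is not None:
            found[name] = text
    return found


if __name__ == "__main__":
    for name, text in readable_cookies(SAMPLE_SET_COOKIE).items():
        print(f"{name}: {text}")
```

Any cookie this reports is readable by whoever holds it, since Base64 is an encoding and not encryption.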

Flag

picoCTF{c00k1e_m0nster_l0ves_c00kies_771D5EB0}

No login bypass is necessary; the secret is literally in the cookie jar.