picoCTF Solutions
PathPart of the Web Exploitation path · Step 2 of 5: Cookies and Session Manipulation
picoCTF 2025Web ExploitationEasy

Cookie Monster Secret Recipe

Published: April 2, 2025

Description

Cookie Monster's login page sets a `secret_recipe` cookie that already contains the flag. Harvest the cookie and decode it from Base64.

Setup

Visit site

Submit any username/password combination; authentication isn't enforced.

Open developer tools → Application/Storage → Cookies to inspect the response cookies.

echo "cGljb0NURntjMDBrMWVfbTBuc3Rlcl9sMHZlc19jMDBraWVzXzc3MUQ1RUIwfQ==" | base64 -d

Solution

  1. Step 1Dump the cookie
    Look for `secret_recipe`. Its value is a URL-encoded Base64 blob ending in `%3D%3D`. Decode the percent-encoding first if needed.
    Learn more

    HTTP cookies are key-value pairs set by the server via a Set-Cookie response header and automatically sent by the browser in subsequent requests to the same origin. Cookies are visible to anyone who can inspect network traffic or browser developer tools - they are not secret by default. Sensitive information should never be stored directly in a cookie unless it is encrypted and signed.

    URL encoding (also called percent-encoding) is used in cookies because some characters like =, +, and / have special meaning in HTTP headers and URLs. The %3D sequence represents the equals sign =, which is the Base64 padding character. A browser or curl will decode percent-encoding automatically; command-line tools like echo need you to substitute %3D with = first (or use python3 -c "import urllib.parse; print(urllib.parse.unquote(...))").

    In the browser's DevTools Application tab (Chrome/Edge) or Storage inspector (Firefox), you can see all cookies for the current domain, their values, expiry, security flags (HttpOnly, Secure, SameSite), and domain scope. This is the fastest way to inspect cookie values during web security challenges or reconnaissance.

  2. Step 2Decode the blob
    Either paste into CyberChef or pipe through `base64 -d` to reveal picoCTF{...}.
    Learn more

    Storing data as Base64 in a cookie is a pattern seen in many web frameworks for session management and state passing. Flask's default session cookie, for example, stores a Base64-encoded JSON object signed with a secret key. Without the signature, reading the cookie requires only decoding - it is not encrypted. This challenge demonstrates an even simpler case: no signing at all, just raw Base64.

    When performing web application security assessments, inspecting every cookie for Base64-encoded content is a standard early step. Tools like Burp Suite automatically detect and decode Base64 in requests and responses. CyberChef's "Magic" recipe can identify the encoding automatically and chain decoding operations.

    The secure alternative is to store only an opaque, cryptographically random session ID in the cookie, and keep all sensitive data server-side in a session store. Frameworks like Django, Rails, and Spring all do this by default. Putting sensitive data client-side requires authenticated encryption (like AES-GCM) to prevent reading and tampering.

Alternate Solution

Once you copy the cookie value, decode it instantly with the Base64 Decoder and then the URL Encoder / Decoder on this site - both tools run in the browser with no install required. Decode the percent-encoding first (to restore any %3D padding), then Base64-decode the result.

Flag

picoCTF{...}

No login bypass is necessary; the secret is literally in the cookie jar.

Want more picoCTF 2025 writeups?

Browse picoCTF 2025Full library

Useful tools for Web Exploitation

Related reading

Do these first

What to try next