picoCTF Solutions
PathPart of the Web Exploitation path · Step 2 of 5: Cookies and Session Manipulation
picoCTF 2025Web ExploitationEasy

Cookie Monster Secret Recipe picoCTF 2025 Solution

Published: April 2, 2025

Description

Cookie Monster's login page sets a secret_recipe cookie that already contains the flag. Harvest the cookie and decode it from Base64.

Read the technique guide

Setup

Visit site

Submit username=test, password=test (or any pair). The page accepts and sets cookies regardless, which proves auth isn't enforced.

Open DevTools and copy the secret_recipe cookie value (Chrome/Edge: Application > Cookies; Firefox: Storage > Cookies; Safari: Develop > Web Inspector > Storage).

URL-decoding gotcha: cookie values in DevTools are URL-encoded (%20, %3D). URL-decode before Base64-decoding. One-liner: python3 -c 'import urllib.parse; print(urllib.parse.unquote(...))'.

bash
curl -i http://verbal-sleep.picoctf.net:64848/ -d 'username=a&password=a' | grep -i set-cookie

Solution

Walk me through it
  1. Step 1Dump the cookie
    Look for secret_recipe. Its value is Base64, often URL-encoded so the trailing == becomes %3D%3D. Substitute the %3D back to = (or feed through urllib.parse.unquote) before decoding.
    Learn more

    HTTP cookies are key-value pairs set by the server via a Set-Cookie response header and automatically sent by the browser in subsequent requests to the same origin. Cookies are visible to anyone who can inspect network traffic or browser developer tools - they are not secret by default. Sensitive information should never be stored directly in a cookie unless it is encrypted and signed.

    URL encoding (also called percent-encoding) is used in cookies because some characters like =, +, and / have special meaning in HTTP headers and URLs. The %3D sequence represents the equals sign =, which is the Base64 padding character. A browser or curl will decode percent-encoding automatically; command-line tools like echo need you to substitute %3D with = first (or use python3 -c "import urllib.parse; print(urllib.parse.unquote(...))").

    In the browser's DevTools Application tab (Chrome/Edge) or Storage inspector (Firefox), you can see all cookies for the current domain, their values, expiry, security flags (HttpOnly, Secure, SameSite), and domain scope. This is the fastest way to inspect cookie values during web security challenges or reconnaissance. The Cookie and JWT CTF guide covers signed-cookie tampering, JWT alg=none, and other cookie attacks beyond plain decoding.

  2. Step 2Decode the blob
    Either paste into CyberChef or pipe through base64 -d to reveal picoCTF{...}.
    Learn more

    Storing data as Base64 in a cookie is a pattern seen in many web frameworks for session management and state passing. Flask's default session cookie, for example, stores a Base64-encoded JSON object signed with a secret key. Without the signature, reading the cookie requires only decoding - it is not encrypted. This challenge demonstrates an even simpler case: no signing at all, just raw Base64.

    When performing web application security assessments, inspecting every cookie for Base64-encoded content is a standard early step. Tools like Burp Suite automatically detect and decode Base64 in requests and responses. The Burp Suite for picoCTF guide covers the Decoder shortcut and the Repeater loop you would use to re-send a tampered cookie back to the server. CyberChef's "Magic" recipe can identify the encoding automatically and chain decoding operations.

    The secure alternative is to store only an opaque, cryptographically random session ID in the cookie, and keep all sensitive data server-side in a session store. Frameworks like Django, Rails, and Spring all do this by default. Putting sensitive data client-side requires authenticated encryption (like AES-GCM) to prevent reading and tampering. See CTF Encodings for a quick reference of how to spot Base64, URL-encoded, hex, and ROT13 values at a glance.

Alternate Solution

Once you copy the cookie value, decode it instantly with the Base64 Decoder and then the URL Encoder / Decoder on this site - both tools run in the browser with no install required. Decode the percent-encoding first (to restore any %3D padding), then Base64-decode the result.

Flag

picoCTF{...}

No login bypass is necessary; the secret is literally in the cookie jar.

How to prevent this

Base64 is encoding, not encryption. Treat anything sent to the client as readable.

  • Never put secrets, internal IDs, or user state directly in a cookie. Store only an opaque random session ID; keep the actual data server-side in a session store (Redis, database, signed JWT with a server-only key).
  • If client-side state is unavoidable, sign it (HMAC) so tampering is detected, and encrypt it (AES-GCM) so reading is blocked. Most frameworks (Django, Rails, Express cookie-session) ship this out of the box.
  • Set HttpOnly, Secure, and SameSite=Lax (or Strict) on every auth cookie so JS can't read it and CSRF attacks are blunted.

Want more picoCTF 2025 writeups?

Browse picoCTF 2025Full library

Tools used in this challenge

Related reading

Do these first

What to try next