BSides Delhi CTF — 2020: write-up

Raj Upadhyay

3 min readOct 10, 2020

I was able to solve just one challenge but it was really awesome challenge so let’s see how I was able to solve it.

Category: Web

Robot Master

So let’s open the link

So let’s see the source code.

we got one hint:

<!--Are robots eating C00ki3s???-->

So first thought comes into my mind is to open the “robots.txt” file.

So we need to navigate to /cookie.php page.

Let’s see the source code.

<!--Robots made our work difficult. Broke everything into pieces! :(-->

So let’s see “cookies”

To view cookies in the browser we need to just follow simple steps.

right-click on the webpage and select inspect

You will see something like this,

So now let’s click on “Application”

We can see this page is set 2 cookies value.

Piece : 1

Our_Fav_Cookie :
c4694f2e93d5c4e7d51f9c5deb75e6cc8be5e1114178c6a45b6fc2c566a0aa8c

This “Our_Fav_Cookie” value looks interesting. ( i guess it’s hash value let’s try to crack it using the crackstation website)

So it’s sha256 and decoded value is “o”

So let’s reload the webpage and see if this cookie value changes or not.

Surprise Surprise value of Piece is incremented by 1 and the value of Our_Fav_Cookie is also changed.

So let’s create one text file which contains different cookie values. ( reload webpage every time to get new cookie value)

So it will look like this ( Last value of the piece was 39 and then it again becomes 1) so we have 39 hash values like this.

c4694f2e93d5c4e7d51f9c5deb75e6cc8be5e1114178c6a45b6fc2c566a0aa8c
f67ab10ad4e4c53121b6a5fe4da9c10ddee905b978d3788d2723d7bfacbe28a9
148de9c5a7a44d19e56cd9ae1a554bf67847afb0c58f6e12fa29ac7ddfca9940
333e0a1e27815d0ceee55c473fe3dc93d56c63e3bee2b3b4aee8eed6d70191a3
8de0b3c47f112c59745f717a626932264c422a7563954872e237b223af4ad643
021fb596db81e6d02bf3d2586ee3981fe519f275c0ac9ca76bbcf2ebb4097d96
5c62e091b8c0565f1bafad0dad5934276143ae2ccef7a5381e8ada5b1a8d26d2
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
2d711642b726b04401627ca9fbac32f5c8530fb1903cc4db02258717921a4881
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
ef2d127de37b942baad06145e54b0c619a1f22327b2ebbcfbec78f5564afe39d
d2e2adf7177b7a8afddbc12d1634cf23ea1a71020f6a1308070a16400fb68fde
1b16b1df538ba12dc3f97edbb85caa7050d46c148134290feba80f8236c83db9
3f79bb7b435b05321651daefd374cdc681dc06faa65e374e38337b88ca046dea
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
d2e2adf7177b7a8afddbc12d1634cf23ea1a71020f6a1308070a16400fb68fde
65c74c15a686187bb6bbf9958f494fc6b80068034a659a9ad44991b08c58f2d2
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
ef2d127de37b942baad06145e54b0c619a1f22327b2ebbcfbec78f5564afe39d
cd0aa9856147b6c5b4ff2b7dfee5da20aa38253099ef1b4a64aced233c9afe29
d2e2adf7177b7a8afddbc12d1634cf23ea1a71020f6a1308070a16400fb68fde
2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6
a1fce4363854ff888cff4b8e7875d600c2682390412a8cf79b37d0b11148b0fa
4b227777d4dd1fc61c6f884f48641d02b4d121d3fd328cb08b5531fcacdabf8a
148de9c5a7a44d19e56cd9ae1a554bf67847afb0c58f6e12fa29ac7ddfca9940
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
d2e2adf7177b7a8afddbc12d1634cf23ea1a71020f6a1308070a16400fb68fde
7902699be42c8a8e46fbbb4501726517e86b22c56a189f7625a6da49081b2451
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
d2e2adf7177b7a8afddbc12d1634cf23ea1a71020f6a1308070a16400fb68fde
148de9c5a7a44d19e56cd9ae1a554bf67847afb0c58f6e12fa29ac7ddfca9940
0bfe935e70c321c7ca3afc75ce0d0ca2f98b5422e008bb31c00c6d7f1f1c0ad6
4e07408562bedb8b60ce05c1decfe3ad16b72230967de01f640b7e4729b49fce
148de9c5a7a44d19e56cd9ae1a554bf67847afb0c58f6e12fa29ac7ddfca9940
2d711642b726b04401627ca9fbac32f5c8530fb1903cc4db02258717921a4881
d10b36aa74a59bcf4a88185837f658afaf3646eff2bb16c3928d0e9335e945d2