CrikeyConCTF 2017 – Koala Gallery Writeup

Hey folks

So here’s my writeup for the CrikeyCon 2017 CTF challenge called “Koala Gallery”, written by this awesome guy called…..ME! 🙂

So we hit the web page and are presented with a beautiful gallery of Koalas.

Viewing the source code doesn’t give us much info.

Running the page request through BurpSuite we can see the request, and see we get assigned a Cookie called “KoalaCookie”.

Now…I’m no expert (clearly) but that looks like some sort of custom cookie. The value looks like an MD5 hash.

If we send the HTTP request in BurpSuite to the “Repeater” function and send it again, we get a different cookie.

And if we keep requesting the page, we get a different cookie each time, but then we seem to start to get some which are the same as a previous cookie.  After a while, we end up building a list of about 10 cookies, and sometimes we get one of these more than once.

So, as we seem to only get a cookie based off one of these, what are these? Well, they are MD5s, so let’s try decoding one. Now…I’m lazy, so let’s use to do this (Hi lystena!)

I just decoded 2 there, but we can see…they seem to decode to some names.  If you were to decode the rest you’d find more names.

Looking back to the source code for the webpage, we see the following

Ahhhh, so each cookie seems to correspond to a bear in the gallery.  If you kept getting all the cookies, you’d find you’d get an MD5 cookie which matches the name for each bear in the gallery.

Except!  For one handsome fella!

Droppy!  As you can see, he kinda stands out a bit more than the rest of the bears in the gallery. But we never get him as a cookie…why not?

Let’s create the MD5 of his name, and try setting our cookie to it, can’t hurt!

Back in BurpSuite “Repeater” we change the value of “KoalaCookie” to this MD5.

Send it through to the server and in our request we get….

Our flag!  Winner winner, chicken dinner 🙂
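
Why that worked, and what a fix looks like, as an added example (this is not the challenge's real source code): a cookie that is just MD5(name) can be produced by anyone who knows the name, while a cookie carrying an HMAC tag keyed with a server-side secret cannot. The server logic, the key and the koala names other than Droppy are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: only "Droppy" is named in the writeup; the other
# names and all of the server logic below are assumptions for this example.
PUBLIC_KOALAS = ["Koala-A", "Koala-B"]
HIDDEN_KOALA = "Droppy"
SERVER_KEY = secrets.token_bytes(32)  # stays on the server, never sent out


def weak_cookie(name: str) -> str:
    """Scheme the writeup implies: KoalaCookie = MD5(name), no secret."""
    return hashlib.md5(name.encode()).hexdigest()


def weak_lookup(cookie: str):
    """Server maps the cookie back to a koala by hashing every known name."""
    for name in PUBLIC_KOALAS + [HIDDEN_KOALA]:
        if cookie == weak_cookie(name):
            return name
    return None


def signed_cookie(name: str, key: bytes = SERVER_KEY) -> str:
    """Hardened form: the value plus an HMAC-SHA256 tag over it."""
    tag = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()
    return f"{name}.{tag}"


def signed_lookup(cookie: str, key: bytes = SERVER_KEY):
    """Accept the cookie only if its tag verifies (constant-time compare)."""
    name, sep, tag = cookie.rpartition(".")
    if not sep:
        return None  # no tag at all, e.g. a bare MD5 value
    expected = hmac.new(key, name.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return name if ok else None


if __name__ == "__main__":
    client_made = weak_cookie("Droppy")  # needs nothing but the name
    print("weak scheme accepts:  ", weak_lookup(client_made))
    print("signed scheme accepts:", signed_lookup(client_made))
    print("server-issued cookie: ", signed_lookup(signed_cookie("Koala-A")))
```

Signing only stops a client from minting its own cookie values; whether a visitor may see a particular koala is still a decision for the server to make from its own state.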
