# Cookies

> Who doesn't love cookies? Try to figure out the best one. <http://mercury.picoctf.net:6418/>

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FlxpZgsMfb52fRI53bZEt%2F1.png?alt=media&#x26;token=cfe47151-57e8-48aa-9e66-18bee6db5805" alt=""><figcaption></figcaption></figure>

Let's proxy the traffic through Burp Suite and provide `snickerdoodle` as the input.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2F5U4Q96rLcsy1kXzmFnEb%2F2.png?alt=media&#x26;token=cd4463d7-437d-4665-a199-ad188ebe159f" alt=""><figcaption></figcaption></figure>

We can see that the application redirects us to `/check`.

Now let's send the request made to `/check` to the `Intruder`.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2Fy1QiATab2qbC8dMwsiXl%2F3.png?alt=media&#x26;token=3a669e73-7802-42a7-a5e6-f3d3fd8966a0" alt=""><figcaption></figcaption></figure>

Then we can configure the payload position to be the cookie.

Next we have to craft the payloads.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2FQUZs1b6lPHQdcGRpHZCo%2F4.png?alt=media&#x26;token=d68f37c6-1572-41e5-b446-733f0a233217" alt=""><figcaption></figcaption></figure>

The payload type is a `Simple list` with numbers from 1 to 20.

Let's start the attack and sort the responses by their length in ascending order.

<figure><img src="https://1586847736-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtSZ40gLWhBDTzPEgHsVB%2Fuploads%2F2kULusb67uxqfUx0gIjl%2F5.png?alt=media&#x26;token=d1c03eaf-44cf-441b-bdc3-4a9c2aa9b134" alt=""><figcaption></figcaption></figure>

We can see that the response with the shortest length is the one with the cookie set to 18.

That is also the response in which the flag is present.
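The enumeration succeeds because the server accepts whatever integer the client places in the cookie. The following is an added example, not code from the challenge or from this write-up: it puts a handler that trusts the cookie next to one that only accepts HMAC-signed values. The item list, function names and key are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; the real application's item list is not shown on the page.
ITEMS = [f"cookie-{i}" for i in range(20)]
ITEMS[18] = "SECRET"  # stands in for the entry that is never offered to users
SERVER_KEY = secrets.token_bytes(32)  # hypothetical server-side secret


def check_vulnerable(cookie: str) -> str:
    """Uses the client-supplied integer directly as a lookup index."""
    try:
        idx = int(cookie)
    except ValueError:
        return "invalid"
    if not 0 <= idx < len(ITEMS):
        return "invalid"
    return ITEMS[idx]


def _tag(value: str) -> str:
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def issue_cookie(idx: int) -> str:
    """Server side: only called for values the server itself chose to hand out."""
    return f"{idx}.{_tag(str(idx))}"


def check_hardened(cookie: str) -> str:
    """Rejects any cookie whose value was not signed by the server."""
    value, _, tag = cookie.partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(value).encode()):
        return "invalid"
    return check_vulnerable(value)


def distinct_responses(check, cookies):
    """Set of responses a client sees when it cycles through cookie values."""
    return {check(c) for c in cookies}


if __name__ == "__main__":
    guesses = [str(i) for i in range(1, 21)]  # same range as the Intruder list
    print(len(distinct_responses(check_vulnerable, guesses)), "distinct (vulnerable)")
    print(distinct_responses(check_hardened, guesses), "(hardened)")
```

With signing in place every unsigned guess produces the same response, so sorting by response length reveals nothing. Keeping the selection in server-side session state achieves the same result without exposing the value at all.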

## Flag

```
picoCTF{3v3ry1_l0v3s_c00k135_88acab36}
```

