Tags: web cookies websec
Rating:
Since the problem is about cookies, we guess that browser cookies are involved. Let's look at the cookies with the browser's developer tools. You can view them in the Application section on the Chromium-based browsers (Chromium, Chrome, Edge, Opera, etc.) and the Storage section on Firefox and probably its derivatives. Now notice that it's set to `false` by default. Also, the web page says that it's not showing anything because the user doesn't like any cookies ***judging from your current cookies***. So maybe it'll show something interesting if we set it to `true`.
When we set the cookie to `true`, it shows us this:
> Oh silly you. What do you mean you like a true cookie? I have 20 cookies numbered from 1 to 20, and all of them are made from super true authentic recipes.
So let's try setting the `likeCookie` cookie to a number between 1 and 20, like `1`. When we do that, we get the following message and a picture of a cookie:
> Hm okay. If you like the cookie number 1 then here you go I guess. It's not my favorite cookie though
So maybe we need to look for the favorite cookie. If we try all of the possible cookie values, we find that number `17` is Kevin's favorite, and it gives us the flag, which is `LITCTF{Bd1mens10n_15_l1k3_sup3r_dup3r_0rzzzz}`.