Protein Cookies

Technical Walkthrough

Writeup

Challenge

• Name: Protein-Cookies
• Category: Crypto
• Difficulty: Easy
• Mode: hybrid

Summary

Protein Cookies is a Flask app with a custom authenticated cookie. The cookie MAC is built as sha512(secret + payload), which is vulnerable to SHA-512 length extension. Because the payload parser accepts duplicate keys and keeps the last value, a forged cookie can append a second isLoggedIn=True parameter and access /program.

Artifact Inventory

Reference analysis/artifact-inventory.json and summarize the relevant files or remote surface.

• Remote service: http://<TARGET>:31106.
• Local source bundle includes the Flask application, Dockerfile, static assets, and flag.pdf.
• Relevant files:

- application/models.py: custom cookie creation and validation.

- application/util.py: guest cookie setup and login gate.

- application/blueprints/routes.py: /program sends flag.pdf behind verify_login.

Analysis

The app issues a guest cookie when login_info is absent. Its payload is:

username=guest&isLoggedIn=False

The signature is:

base64(sha512(secret + payload).hexdigest())

The source fixes the secret length at 16 bytes. Since SHA-512 is Merkle-Damgard based, the known digest of secret || payload can be extended to a valid digest for:

secret || payload || sha512_padding || &isLoggedIn=True

After base64-decoding the forged payload, Python 2 urlparse.parse_qs treats the appended key as a second isLoggedIn value. The app keeps v[-1], so the effective login state becomes True.

One implementation detail mattered during exploitation: sending the forged cookie through requests.Session(..., cookies=...) can leave the original guest cookie in the jar. The working solver sends a manually constructed HTTP cookie header containing only the forged value.

Solve

Run:

python3 solve/solve.py

The script:

1. Fetches a fresh guest cookie.
2. Performs SHA-512 length extension with the known 16-byte secret length.
3. Appends &isLoggedIn=True.
4. Sends the forged cookie to /program.
5. Saves the returned PDF to loot/program.pdf.
6. Extracts the HTB flag from the PDF text.

Flag

Raw flag is stored in loot/flag.txt and intentionally not reproduced here.

Lessons

• hash(secret || message) is not a safe MAC for Merkle-Damgard hashes.
• Duplicate query parameters can turn a length-extension primitive into an auth bypass when the parser keeps the last value.
• Cookie jar behavior can invalidate a correct exploit if the original cookie is sent alongside the forged one.

Source-Backed Dossier

The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.

Notes

Scope

• Challenge: Protein-Cookies
• Category: Crypto
• Difficulty: Easy
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-10T09:42:26Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote target: http://<TARGET>:31106.
• The application is Python 2 Flask and sets a guest login_info cookie on first request.
• models.py implements a custom cookie MAC as sha512(secret + payload) with a 16-byte random prefix.
• The cookie format is base64(payload).base64(sha512(secret + payload).hexdigest()).
• The decoded payload is parsed with urlparse.parse_qs, and duplicate keys resolve to the last value through v[-1].
• A SHA-512 length extension can append &isLoggedIn=True to the guest payload while preserving MAC validity.
• The forged cookie must be sent in a manually constructed HTTP cookie header; using a requests.Session cookie jar can merge/prefer the original guest cookie.
• The forged request to /program returns a PDF, and the HTB flag was extracted from that PDF into loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.

Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Crypto
• Challenge: Protein-Cookies
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Extracted the provided Flask/Python 2 source bundle and inventoried the app.
2. Found a custom login_info cookie containing base64(payload).base64(sha512(secret + payload).hexdigest()).
3. Confirmed the secret length is fixed at 16 bytes in source.
4. Observed that decoded cookie payloads are parsed with parse_qs, and duplicate keys resolve to the last value.
5. Implemented a self-contained SHA-512 length-extension forge to append a second logged-in parameter.
6. Sent the forged cookie in a manually constructed HTTP cookie header to avoid session-cookie merging.
7. Downloaded the protected PDF from /program and extracted the HTB flag.

Reusable Lessons

• Prefix MACs using Merkle-Damgard hashes are length-extension vulnerable.
• Parser behavior such as duplicate-key handling can be the second half of an auth bypass.
• Raw cookie headers may be necessary when a client library maintains an original session cookie.
• For PDF-backed flags, save the returned PDF under loot/ and extract text with pypdf.

Dead Ends

• Login and registration APIs intentionally return errors and were not needed.
• Using requests.Session with cookies={...} still sent or preferred the original guest cookie; a manually constructed HTTP cookie header was required.

Tool Quirks

• Local hashpumpy, hlextend, and pymd5 modules were unavailable, so the solver implements SHA-512 compression directly.
• pypdf was available and worked for extracting text from the downloaded PDF.

Evidence Paths

• files/extracted/crypto_protein_cookies/challenge/application/models.py
• files/extracted/crypto_protein_cookies/challenge/application/util.py
• files/extracted/crypto_protein_cookies/challenge/application/blueprints/routes.py
• analysis/source-audit.md
• analysis/forge-debug.txt
• solve/solve.py
• loot/program.pdf
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Hypothesis Board

Keep no more than 3 active hypotheses on Easy/Medium and 5 on Hard unless the user explicitly asks for breadth.

Closed Branches

Memory Summary

approval_required: true

Sanitized Memory Summary

Metadata

• Platform: HackTheBox Challenges
• Category: Crypto
• Challenge: Protein-Cookies
• Difficulty: Easy
• Source workspace: <local workspace>

Validated Solve Chain

Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.

1. Extracted the provided Flask/Python 2 source bundle and inventoried the app.
2. Found a custom login_info cookie containing base64(payload).base64(sha512(secret + payload).hexdigest()).
3. Confirmed the secret length is fixed at 16 bytes in source.
4. Observed that decoded cookie payloads are parsed with parse_qs, and duplicate keys resolve to the last value.
5. Implemented a self-contained SHA-512 length-extension forge to append a second logged-in parameter.
6. Sent the forged cookie in a manually constructed HTTP cookie header to avoid session-cookie merging.
7. Downloaded the protected PDF from /program and extracted the HTB flag.

Reusable Lessons

• Prefix MACs using Merkle-Damgard hashes are length-extension vulnerable.
• Parser behavior such as duplicate-key handling can be the second half of an auth bypass.
• Raw cookie headers may be necessary when a client library maintains an original session cookie.
• For PDF-backed flags, save the returned PDF under loot/ and extract text with pypdf.

Dead Ends

• Login and registration APIs intentionally return errors and were not needed.
• Using requests.Session with `cookies= <REDACTED>

Tool Quirks

• Local hashpumpy, hlextend, and pymd5 modules were unavailable, so the solver implements SHA-512 compression directly.
• pypdf was available and worked for extracting text from the downloaded PDF.

Evidence Paths

• files/extracted/crypto_protein_cookies/challenge/application/models.py
• files/extracted/crypto_protein_cookies/challenge/application/util.py
• files/extracted/crypto_protein_cookies/challenge/application/blueprints/routes.py
• analysis/source-audit.md
• analysis/forge-debug.txt
• solve/solve.py
• loot/program.pdf
• loot/flag.txt

Ingestion Decision

• Proposed for LightRAG: yes
• Requires user approval before ingestion: yes

Notes

Notes

Scope

• Challenge: Protein-Cookies
• Category: Crypto
• Difficulty: Easy
• Mode: hybrid
• Remote instance: none
• Start time: 2026-06-10T09:42:26Z
• Operator: harness
• State file: challenge-state.json

Harness Status

• Current phase: see challenge-state.json
• Next allowed actions: see next-action.json
• Raw flags and sensitive material stay in loot/ only. Do not paste them here.

Artifact Inventory

Evidence Ledger

Key Findings

• Remote target: http://<TARGET>:31106.
• The application is Python 2 Flask and sets a guest login_info cookie on first request.
• models.py implements a custom cookie MAC as sha512(secret + payload) with a 16-byte random prefix.
• The cookie format is base64(payload).base64(sha512(secret + payload).hexdigest()).
• The decoded payload is parsed with urlparse.parse_qs, and duplicate keys resolve to the last value through v[-1].
• A SHA-512 length extension can append &isLoggedIn=True to the guest payload while preserving MAC validity.
• The forged cookie must be sent in a manually constructed HTTP cookie header; using a requests.Session cookie jar can merge/prefer the original guest cookie.
• The forged request to /program returns a PDF, and the HTB flag was extracted from that PDF into loot/flag.txt.

RAG / Advisory Memory

RAG output is advisory only. Record evaluated retrievals with:

scripts/challenge_harness.py rag-record <workspace> --query "..." --tag MATCHED|PARTIAL|MISSING|<secret redacted>|GENERIC --validation "..."

Secrets/Flags

Raw flags and sensitive material stay in loot/ only. Use scripts/challenge_harness.py capture-flag to validate and record flag capture without printing the value.