Problem :

You have found the administrative control panel for the Daedalus Coperation

Website: https://web2014.picoctf.com/delicious-5850932/login.php.

Unfortunately, it requires that you be logged in. Can you find a way to convince the web site that you are, in fact, logged in?

Hint :

Your cookie tells the site what your session number is. Maybe you can guess the value of the cookie for a user who's already logged in...

Solution :

When we open the given link , we are greeted with this message :

The message gives us a ' session id ' when we open this page. Refreshing the page doesn't help !

The message displayed clearly shows us that we need to authenticate as an user who has already logged in i.e , we need to supply a session id number that is less than the one given to . Then , we would be authenticated as a user who has already logged in .

From the name of the question , and the hint and with rest of the information that we have , it is clear that we need look for the cookies . For Google Chrome , we can use an extension called ' Edit this Cookie ' to edit and access cookies .

On opening Edit this Cookie , we see a value in it :

Well , the value that we see here and the the value that was shown on the page are same ! So , if we edit this value to something less , i.e, a value that has been already registered in the site , we can gain access . 25 was used in my case. You can input any desired value ( less than the given value ) . Clicking on the green button sends the value back to the site .

Now reloading the page gives us the flag !

flag : session_cookies_are_the_most_delicious