We participated in the 29C3 CTF; here is our writeup for


This website is some kind of password manager.

You can register a new user, but you cannot register "admin", which is the account needed to win the flag. When you log in, a cookie named "session" is created. The cookie looked like this:

954a33ddafa959cf59247cd21b4cc163 0abf1b964ca65062ac36a5ff6f3820f8 2eee490dbb4e835279090356a8da6a15

The first 32 hex characters (orange in the original post) are a static MD5 value that I could not crack. The second segment (green) is md5($username) and the third (red) is md5($ip).

It was obvious that we could build a cookie for the admin user, but we didn't know the admin's IP. There was a self-XSS which we tried to exploit (maybe admin reads the stored passwords, who knows ^^), but it didn't work. After a few hours we finally found the solution - the Apache status page. It was located on, and from there we could get the IP of the user who requested /admin/ - it was

Now, to construct the final cookie:

954a33ddafa959cf59247cd21b4cc163 21232f297a57a5a743894a0e4a801fc3 6465ec74397c9126916786bbcd6d7601

static + md5(“admin”) + md5(“”)
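To make the cookie format and the construction step above concrete, here is an added example (my own code, not from the challenge or the original post). It splits a session value into its three segments, rebuilds one from a username and IP exactly as described (static prefix, md5 of the username, md5 of the IP), and then shows the check a server would have to do instead: a keyed HMAC over the session claims, which cannot be reproduced from public information. The server-side logic is inferred from the writeup, the IP addresses are constructed documentation addresses, and the HMAC key is a placeholder.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Static prefix copied from the cookies shown in the writeup.
STATIC = "954a33ddafa959cf59247cd21b4cc163"
# The final admin cookie from the writeup, with the display spacing removed.
ADMIN_COOKIE = ("954a33ddafa959cf59247cd21b4cc163"
                "21232f297a57a5a743894a0e4a801fc3"
                "6465ec74397c9126916786bbcd6d7601")

HEX = set("0123456789abcdef")


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def split_cookie(cookie: str) -> Tuple[str, str, str]:
    """Split the 96-hex-char session value into (static, md5(username), md5(ip))."""
    h = "".join(cookie.split()).lower()
    if len(h) != 96 or not set(h) <= HEX:
        raise ValueError("malformed session cookie")
    return h[:32], h[32:64], h[64:]


def build_cookie(username: str, client_ip: str) -> str:
    """Rebuild a cookie the way the writeup describes: no secret is involved."""
    return STATIC + md5_hex(username) + md5_hex(client_ip)


def weak_session_valid(cookie: str, username: str, client_ip: str) -> bool:
    """Server-side check as implied by the writeup (assumed): every input is public."""
    try:
        static, user_hash, ip_hash = split_cookie(cookie)
    except ValueError:
        return False
    return (static == STATIC
            and user_hash == md5_hex(username)
            and ip_hash == md5_hex(client_ip))


# What would have stopped the forgery: a keyed MAC over the session claims.
# The username and IP stay readable; the tag depends on a key only the server holds.

def issue_session(key: bytes, username: str, client_ip: str) -> str:
    """Cookie = username|ip|HMAC-SHA256_key(username NUL ip)."""
    msg = f"{username}\x00{client_ip}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{username}|{client_ip}|{tag}"


def verify_session(key: bytes, cookie: str, client_ip: str) -> Optional[str]:
    """Return the username if the tag is valid and the IP matches, else None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    username, ip, tag = parts
    expected = hmac.new(key, f"{username}\x00{ip}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so tag checking does not leak by timing.
    if not hmac.compare_digest(expected, tag) or ip != client_ip:
        return None
    return username


if __name__ == "__main__":
    static, user_hash, ip_hash = split_cookie(ADMIN_COOKIE)
    print("user segment is md5('admin'):", user_hash == md5_hex("admin"))
    # Constructed key and IP for the hardened scheme; use a random 32-byte key in practice.
    key = b"placeholder-server-secret-key-32"
    c = issue_session(key, "admin", "203.0.113.7")
    print("valid from same IP:", verify_session(key, c, "203.0.113.7"))
    print("valid from other IP:", verify_session(key, c, "198.51.100.9"))
```

The weak scheme is forgeable because everything it hashes is knowable: the static prefix is in every cookie, the username is chosen by the attacker, and the IP leaked through the status page. In the HMAC variant an attacker who knows the admin's IP still cannot produce a valid tag without the server key, and binding the IP into the signed message means a stolen cookie is rejected from a different address.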

Flag: 29C3_PleasePutAllYourPasswordsHereItIsGood