Session Mirage — Quick Notes (Neon Harbor, live)
By webwyrm
Challenge: Session Mirage
Notes while the event is running, kept short to avoid spoilers. Full writeup after close.
The server reads the role claim from the cookie and compares it against the session store, but the cookie is unsigned, so the claim itself is never integrity-checked. Swap `user` to `organiser`, re-encode, done.
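The pattern in miniature, as an added example that is not the challenge's code and not from the original notes: the cookie format (base64url JSON with a `sid` and a `role` claim), the `SESSION_STORE` contents and the function names are all assumptions made for illustration, since the page does not give the real encoding. The vulnerable reader trusts the client-supplied role; the forge step is the decode, swap, re-encode described above; the hardened reader carries only a session id plus an HMAC and takes the role from the server-side store.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side session store (assumption, not the challenge's data).
SESSION_STORE = {"s1": {"name": "webwyrm", "role": "user"}}


def encode_cookie(claims):
    """base64url-encode a JSON claim set. Cookie format is an assumption."""
    raw = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_cookie(cookie):
    """Inverse of encode_cookie, restoring stripped base64 padding."""
    pad = "=" * (-len(cookie) % 4)
    return json.loads(base64.urlsafe_b64decode(cookie + pad))


def vulnerable_role(cookie):
    """Vulnerable reader: the session store only confirms the sid exists;
    the role that drives authorisation comes straight from the cookie."""
    claims = decode_cookie(cookie)
    if claims.get("sid") not in SESSION_STORE:
        return None
    return claims.get("role")


def forge(cookie, new_role):
    """Attacker step from the notes: decode, swap the role claim, re-encode."""
    claims = decode_cookie(cookie)
    claims["role"] = new_role
    return encode_cookie(claims)


# Hardened variant: cookie is "<sid>.<hmac-sha256(sid)>"; the role is never
# client-supplied, it is looked up server-side by sid.
SERVER_KEY = secrets.token_bytes(32)


def issue_signed_cookie(sid, key=SERVER_KEY):
    mac = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def hardened_role(cookie, key=SERVER_KEY):
    """Verify the MAC in constant time, then read the role from the store."""
    sid, _, mac = cookie.partition(".")
    expected = hmac.new(key, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    session = SESSION_STORE.get(sid)
    return session["role"] if session else None


if __name__ == "__main__":
    legit = encode_cookie({"sid": "s1", "role": "user"})
    print("vulnerable, original:", vulnerable_role(legit))
    print("vulnerable, forged:  ", vulnerable_role(forge(legit, "organiser")))
    signed = issue_signed_cookie("s1")
    print("hardened, genuine:   ", hardened_role(signed))
    print("hardened, tampered:  ", hardened_role(signed.replace("s1.", "s2.")))
```

The fix is not "sign the role claim"; it is to stop carrying authorisation data in the cookie at all. Signing would close this instance, but a store lookup by session id removes the whole class, and `hmac.compare_digest` keeps the MAC check from leaking timing.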
Same unsigned-claim trust model as Cookie Monster from Red Wire CTF. Curious whether both challenges share author intent. cc @forensicfox, you'd enjoy the Blue Smoke challenge here too, similar log pivot.