# [EN] THE EYE 1
###### tags: `Writeup` `Misc` `English`
> [name=Curious]
## Train Of Thought & Solution
Once you enter, you will notice there is a login system. If you test it, you will find a SQL injection vulnerability. However, if you log in using SQL injection, you will miss the first part of the flag.
Upon careful consideration, if the challenge requires logging in using SQL injection, it should be categorized under the Web category rather than Misc. Furthermore, considering there is a background image on the homepage, it is likely related to image steganography.
Upload the image to a steganography tool like stegsolve (I'm using the [online version](https://stegonline.georgeom.net/upload) as an example here), then click on `Browse Bit Planes`.

By clicking on `<` and `>` to switch between different viewing modes, you can view the following image when selecting `Alpha 0` mode.

By doing so, you have obtained the username, password, and the first part of the flag.
After logging in, you can see the following screen.

After clicking on `Get Flag!`, it may seem like nothing happened. However, upon closer observation, you will notice that the `session` cookie consists of three segments separated by periods. The second and third segments change with each reload, while the first segment only changes when `Get Flag!` is clicked. From this, we can deduce that the second part of the flag is related to the `session` cookie.
Since the generation of the `session` cookie is related to the backend and how it is implemented, you can use the Chrome extension called Wappalyzer to identify the technologies used in the backend.
After scanning with Wappalyzer, it was discovered that the backend is built with Flask. To understand how Flask sessions are created, you can refer to the article mentioned [here](https://digi.ninja/blog/cracked_flask.php). The article mentions that the first segment of the session is base64-encoded data from the backend. Therefore, if you take the first segment of the `session` cookie obtained after clicking `Get Flag!` and decode it from base64, you will retrieve the second part of the flag.
> In this context, the base64 encoding and decoding refer to the `base64_encode` and `base64_decode` functions provided by the `itsdangerous` Python library.
Combining the two parts of the flag will give you the flag for this challenge.
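
The decoding step described above, as an added example that is not part of the original writeup or the challenge's code. It uses only the standard library instead of `itsdangerous`, and it also handles the case where the cookie starts with a `.` (zlib-compressed payload), which goes beyond what the text covers. The cookie, the key name `flag_part` and all values are constructed placeholders.

```python
import base64
import json
import zlib


def b64url_decode(segment: str) -> bytes:
    """URL-safe base64 decode, restoring the '=' padding that itsdangerous strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_flask_session(cookie: str) -> dict:
    """Return the payload of a Flask session cookie WITHOUT verifying the signature.

    Layout: [.]payload.timestamp.signature
    A leading '.' means the payload was zlib-compressed before encoding.
    """
    compressed = cookie.startswith(".")
    if compressed:
        cookie = cookie[1:]
    parts = cookie.split(".")
    if len(parts) != 3:
        raise ValueError("expected payload.timestamp.signature")
    raw = b64url_decode(parts[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def make_sample_cookie(data: dict, compress: bool = False) -> str:
    """Build a constructed cookie; the timestamp and signature are dummy values."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    if compress:
        raw = zlib.compress(raw)
    payload = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ("." if compress else "") + payload + ".ZxYwVg.c2lnbmF0dXJlLXBsYWNlaG9sZGVy"


# Constructed sample data: 'flag_part' and its value are hypothetical.
SAMPLE_DATA = {"flag_part": "PLACEHOLDER_PART_2}"}

if __name__ == "__main__":
    for compress in (False, True):
        cookie = make_sample_cookie(SAMPLE_DATA, compress)
        print(cookie, "->", decode_flask_session(cookie))
```

The payload is readable without the server's secret key because Flask's default session cookie is signed, not encrypted; the signature only prevents modification, so anything the backend stores in `session` is visible to the client.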