PatriotCTF 2024 - Impersonate

# PatriotCTF 2024 - Impersonate **Title:** Impersonate **Description:** One may not be the one they claim to be. http://chal.competitivecyber.club:9999/ **Files:** [app.py](https://github.com/xtasy94/CTFW/blob/main/PatriotCTF%202024/Impersonate/Files/app.py) ## Solution: The challenge was a Flask-based web application that used session cookies to manage user authentication. The goal was to obtain administrative access by forging a session cookie for the "administrator" user. Upon inspecting the application, I discovered that it relied on **Flask sessions** to store user data in cookies. Flask uses signed cookies, meaning the session data is stored on the client side but signed with the server's `secret_key` to prevent tampering. The challenge's admin page checked if a session contained: - `username = "administrator"` - `is_admin = True` This would grant access to the flag if the signature of the session cookie matched the server's secret key. Now I had to recreate the `secure_key`, I analyzed the code and noticed the server's secret key was being generated as follows: ```python secure_key = hashlib.sha256(f'secret_key_{server_start_str}'.encode()).hexdigest() ``` The `server_start_str` was provided as `20240921140015` from `http://chal.competitivecyber.club:9999/status` at that time. I used this to recreate the exact secret key the server used by applying the same hashing process in my script. I generated the `admin_uid` using the same `UUID` mechanism found in [app.py](https://github.com/xtasy94/CTFW/blob/main/PatriotCTF%202024/Impersonate/Files/app.py), ensuring it would match the admin UUID that the application expected. I ran the [script](https://github.com/xtasy94/CTFW/blob/main/PatriotCTF%202024/Impersonate/Files/sessioncookie.py) and generated the session cookie: ```bash $ python3 sessioncookie.py Generated session cookie: eyJ1c2VybmFtZSI6ImFkbWluaXN0cmF0b3IiLCJpc19hZG1pbiI6dHJ1ZSwidWlkIjoiMDJlYzE5ZGMtYmIwMS01OTQyLWE2NDAtNzA5OWNkYTc4MDgxIn0.Zu7TJg.0e-zkBBPxeCa5V8vxeDiu9AZAMg ``` Now that we have generated the session cookie, I crafted a curl command to send to `http://chal.competitivecyber.club:9999/`: ```bash curl --request GET \ --url http://chal.competitivecyber.club:9999/admin \ --header 'Cookie: session=eyJ1c2VybmFtZSI6ImFkbWluaXN0cmF0b3IiLCJpc19hZG1pbiI6dHJ1ZSwidWlkIjoiMDJlYzE5ZGMtYmIwMS01OTQyLWE2NDAtNzA5OWNkYTc4MDgxIn0.Zu7TJg.0e-zkBBPxeCa5V8vxeDiu9AZAMg' ``` And I get the flag in response: ``` PCTF{Imp3rs0n4t10n_Iz_Sup3r_Ezz} ```