Tags: flask web 


Problem Statement(600 points):

Nice! You found out they were sending the Secret_key: a7a8342f9b41fcb062b13dd1167785f8. Now, can you find a way to log in as admin? http://2018shell2.picoctf.com:53999 (link).

Tags : flask session cookie decode and encode

Solution :

This one redirects to the same website as of the previous flask question Flaskcards but in this they removed the vulnerability in the create card.In the question we were given a secret key.I clicked the admin button but it shows you are not admin.Then i read about the flask secret key and encountered that it is used to encode the cookie.So i checked the session coookie .It was following :


I decoded online using Flask session cookie decoder(https://www.kirsle.net/wizards/flask-session.cgi) and the decoded part appeared :

"_fresh": true,
"_id": "8cdf51a2bfcd6edd19afc1fec39b39462f94eaa6500d3940a59b988f3e1713305e34de06f51020b42b2e915f872196dba806e2e2ea42bc2cfe373d490a9a74ca",
"csrf_token": "f1e8fea3cd6b80336a7469776b83b99498ad8f1a",
"user_id": "6"

So for the admin i have to change the user_id.For admin the user_id should be either 0 or 1.
I tried to change the user_id to "1" using python code(click here for code) and the encoded cookie was as below :


I changed the value of the session cookie and then clicked again the admin tab. i was awarded with the flag :

Your flag is: picoCTF{1_id_to_rule_them_all_92303c39}

Original writeup (https://github.com/d4rkvaibhav/PICOCTF-2018/tree/master/WEB_EXPLOITATION/Flaskcards%20Skeleton%20Key).