Tags: flask 


Problem Statement (350 points):

We found this fishy website for flashcards that we think may be sending secrets. Could you take a look?

Hints given:

Are there any common vulnerabilities with the backend of the website?
Is there anywhere that filtering doesn't get applied?
The database gets reverted every 2 hours so your session might end unexpectedly. Just make another user.


We have to login as admin to get the flag.

First, we have to register an account with a name other than admin.
Then I log in with that account. We are given tabs like Create Cards, List Cards, and Admin. When I clicked Admin it said "You are not admin".

Create Cards creates a card with a question field and an answer field; we have to write a question and an answer.
Given the website's name, this could be a Flask (Jinja2) template injection, but the question was where to insert the payload. First I tried {{1+1}} (the template-injection probe) in the URL without success. Then I tried it in Create Cards and checked the output in List Cards: it rendered as "2". So here is the vulnerability: the card text is rendered as a template. To dump the application config I wrote {{config.items()}} as the card text, and the output contained the flag.
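
The root cause above, as an added example that is not code from the challenge or the original writeup: user text used as the Jinja2 template source (the bug) next to the fixed template that only binds it as a variable, plus a minimal server-side check for probe payloads. The `CONFIG` dict and its secret are constructed placeholders, and plain Jinja2 stands in for Flask's `render_template_string`, which uses the same engine.

```python
"""Vulnerable vs. safe rendering of untrusted flashcard text (added example)."""
from jinja2 import Environment

# Constructed stand-in for app.config; the real challenge kept the flag here.
CONFIG = {"SECRET_KEY": "picoCTF{PLACEHOLDER_secret}", "DEBUG": False}


def render_card_vulnerable(question: str) -> str:
    """Bug: the user's text becomes the template source, so any {{ ... }}
    in it is evaluated by Jinja2 with access to the render context."""
    env = Environment(autoescape=True)
    return env.from_string(question).render(config=CONFIG)


def render_card_safe(question: str) -> str:
    """Fix: the template is fixed and the user's text is only a variable,
    so {{ ... }} inside it is printed literally (and HTML-escaped)."""
    env = Environment(autoescape=True)
    template = env.from_string("<p>{{ question }}</p>")
    return template.render(question=question, config=CONFIG)


def looks_like_ssti_probe(text: str) -> bool:
    """Detection: submitted text carrying Jinja2 expression or statement
    delimiters is worth logging and alerting on server-side."""
    return "{{" in text or "{%" in text


if __name__ == "__main__":
    for q in ("What is 1+1?", "{{1+1}}", "{{config.items()}}"):
        print(repr(q))
        print("  vulnerable:", render_card_vulnerable(q)[:70])
        print("  safe      :", render_card_safe(q))
        print("  probe?    :", looks_like_ssti_probe(q))
```
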

The flag was: picoCTF{secret_keys_to_the_kingdom_e8a55760}

Original writeup (https://github.com/d4rkvaibhav/PICOCTF-2018/tree/master/WEB_EXPLOITATION/flaskcards).