Tags: flask 

Rating:

Problem Statement (350 points):

We found this fishy website for flashcards that we think may be sending secrets. Could you take a look?

Hints given:

Are there any common vulnerabilities with the backend of the website?
Is there anywhere that filtering doesn't get applied?
The database gets reverted every 2 hours so your session might end unexpectedly. Just make another user

Solution:

We have to log in as admin to get the flag.

First we have to make an account with a name other than admin.
Then I logged in with that account and was given tabs like Create Cards, List Cards and Admin. When I clicked Admin it said "you are not Admin".

Create Card creates a card with a question field and an answer field; we have to write a question and an answer.
From the website's name it could be a Flask injection, but the problem was where to insert the injection. First I tried {{1+1}} (the Flask injection) in the URL but did not succeed; then I tried it in Create Card and looked at the output in List Cards, and it was "2". So here is the vulnerability. Then, to check the config, I wrote {{config.items()}} and the result gave me data in which the flag was present.

The flag was : picoCTF{secret_keys_to_the_kingdom_e8a55760}
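The bug behind this challenge is server-side template injection: the card text is spliced into the Jinja2 template source instead of being passed in as data, so `{{1+1}}` is evaluated and `{{config.items()}}` dumps the app config (including SECRET_KEY). The example below is added here and is not the challenge's code or the original writeup's; it renders with Jinja2's `Environment` directly, which is what Flask's `render_template_string` wraps, and uses a constructed config dict with a placeholder secret. It shows the vulnerable pattern beside the fixed one and a small check a defender can run over stored card fields to spot template syntax.

```python
"""Added example: why building a Jinja2 template from user input is an SSTI,
what the fix looks like, and a simple detection over stored fields.
Assumes the jinja2 package is installed (it is a Flask dependency)."""
import re

from jinja2 import Environment, select_autoescape

# Constructed stand-in for Flask's app.config; the secret is a placeholder,
# not the challenge's real key. Flask injects `config` into the template
# context automatically; here it is passed explicitly to mirror that.
APP_CONFIG = {"SECRET_KEY": "PLACEHOLDER_SECRET_KEY_NOT_REAL", "DEBUG": False}

# Equivalent to Flask's app.jinja_env: HTML autoescaping on.
env = Environment(autoescape=select_autoescape(["html"]))


def render_card_vulnerable(question: str, answer: str) -> str:
    """Vulnerable: user text becomes part of the template SOURCE.

    This is the same mistake as
        render_template_string(f"<li>{question} : {answer}</li>")
    in Flask. Jinja2 parses the user's {{ ... }} as template expressions,
    so {{1+1}} renders as 2 and {{config.items()}} prints the config.
    """
    source = f"<li>{question} : {answer}</li>"
    return env.from_string(source).render(config=APP_CONFIG)


def render_card_fixed(question: str, answer: str) -> str:
    """Fixed: the template source is a constant; user text is DATA.

    Same as Flask's
        render_template_string("<li>{{ question }} : {{ answer }}</li>",
                               question=question, answer=answer)
    Braces in the input are never parsed, and autoescaping neutralises
    HTML, so the same input renders literally.
    """
    source = "<li>{{ question }} : {{ answer }}</li>"
    return env.from_string(source).render(question=question, answer=answer)


# Jinja2 delimiters: {{ expression }}, {% statement %}, {# comment #}.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\{%|\{#")


def looks_like_template_probe(text: str) -> bool:
    """Detection helper: flag stored user text that contains Jinja2 syntax.

    Legitimate flashcard questions rarely contain '{{' or '{%'; a hit in the
    cards table or request logs is worth an alert, whether or not the
    rendering path is actually vulnerable.
    """
    return bool(TEMPLATE_SYNTAX.search(text))


if __name__ == "__main__":
    probe = "{{1+1}}"  # the same harmless probe the writeup used
    print("vulnerable:", render_card_vulnerable(probe, "x"))   # <li>2 : x</li>
    print("fixed:     ", render_card_fixed(probe, "x"))        # <li>{{1+1}} : x</li>
    print("flagged:   ", looks_like_template_probe(probe))     # True
```

The fix is not input filtering (the hint about "anywhere that filtering doesn't get applied" is exactly why blocklists fail) but keeping template source and user data separate; the detection helper is only a backstop for spotting probes after the fact.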

Original writeup (https://github.com/d4rkvaibhav/PICOCTF-2018/tree/master/WEB_EXPLOITATION/flaskcards).