
### This is a website.
### Language: python
### url: http://admin.2018.hctf.io
### It's not a difficult problem.

First, we can register and log in.

I just look through every website and press F12 to see the HTML code.

Luckily I find that http://admin.2018.hctf.io/change leaks a GitHub URL.

Very good.

Look at this
https://github.com/woadsl1234/hctf_flask/blob/master/user.sql

```sql
INSERT INTO `user` (`id`, `email`, `password_hash`, `username`) VALUES
(1, NULL, 'pbkdf2:sha1:1000$HHGfbouP$eaa88f64aad0dd3f81a72c16337c03cd1bdc6be1', 'admin'),
(2, NULL, 'pbkdf2:sha1:1000$ErwOESOB$f61a07b6836fab26e885f0dd5419b0f75ea5bf96', 'ckj123');

```

It shows that if we can get the account of the admin, we might do something interesting.

So we just search the repository and find the code:

```html
{% if current_user.is_authenticated and session['name'] == 'admin' %}
<h1 class="nav">hctf{xxxxxxxxx}</h1>
{% endif %}

<h1 class="nav">Welcome to hctf</h1>

{% include('footer.html') %}
```

OK that's good. Try to get the password of admin.

At first I try to use brute force, but it fails.

Then I try to read the code patiently.

```python
@app.route('/register', methods = ['GET', 'POST'])
def register():
    if current_user.is_authenticated:
        return redirect(url_for('index'))

    form = RegisterForm()
    if request.method == 'POST':
        name = strlower(form.username.data) # look!
        if session.get('image').lower() != form.verify_code.data.lower():
            flash('Wrong verify code.')
            return render_template('register.html', title = 'register', form=form)
        if User.query.filter_by(username = name).first():
            flash('The username has been registered')
            return redirect(url_for('register'))
        user = User(username=name)
        user.set_password(form.password.data)
        db.session.add(user)
        db.session.commit()
        flash('register successful')
        return redirect(url_for('login'))
    return render_template('register.html', title = 'register', form = form)
```

I find something interesting.
```python
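# nodeprep is Twisted's XMPP stringprep profile
from twisted.words.protocols.jabber.xmpp_stringprep import nodeprep

def strlower(username):
    username = nodeprep.prepare(username)
    return username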
```

Google this one: `ctf prepare`

Got it!
http://blog.lnyas.xyz/?p=1411

It shows that we can register an account called ᴬᴬᴬ (Unicode characters), which will be transformed to AAA. Then, when we change the password, it will be transformed to aaa, so we can change the password of aaa.

So in this problem, I register an account named ᴬdmin; in the above steps, it will do something like:
ᴬdmin -> Admin -> admin

Now we have the password, just log in and we can see the flag.
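
The two-pass collapse described above, next to a registration check that resists it, as an added example that is not part of the original writeup or the challenge's code. `one_pass_prep` is a constructed stand-in for `strlower` (lowercase, then NFKC) rather than Twisted's `nodeprep`, and every function name here is an assumption.

```python
import unicodedata

def one_pass_prep(name: str) -> str:
    """Constructed stand-in for the page's strlower(): case-map first, then
    compatibility-normalize. A simplified model, not Twisted's code."""
    return unicodedata.normalize("NFKC", name.lower())

def canonical(name: str, max_rounds: int = 5) -> str:
    """Apply the mapping until it stops changing (a fixed point)."""
    for _ in range(max_rounds):
        nxt = one_pass_prep(name)
        if nxt == name:
            return name
        name = nxt
    raise ValueError("username does not reach a stable form")

def register_vulnerable(users: set, raw: str) -> str:
    """Mirrors the flow on the page: one pass, then a uniqueness check."""
    name = one_pass_prep(raw)
    if name in users:
        raise ValueError("The username has been registered")
    users.add(name)
    return name

def register_hardened(users: set, raw: str) -> str:
    """Refuse names that need more than one pass to settle, and check
    uniqueness on the fixed-point form only."""
    name = canonical(raw)
    if one_pass_prep(raw) != name:
        raise ValueError("username is not in a stable normalized form")
    if name in users:
        raise ValueError("The username has been registered")
    users.add(name)
    return name

def demo():
    raw = "\u1d2cdmin"  # constructed input: MODIFIER LETTER CAPITAL A + "dmin"
    stored = register_vulnerable({"admin"}, raw)  # 'Admin' passes the check
    later = one_pass_prep(stored)                 # a second pass yields 'admin'
    try:
        register_hardened({"admin"}, raw)
        blocked = False
    except ValueError:
        blocked = True
    return stored, later, blocked

if __name__ == "__main__":
    print(demo())
```

The same rule applies to every code path that normalizes a username (login, password change): each must use the fixed-point form, so that a name can never normalize differently between registration and a later lookup.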

Thanks.

by:godspeedcurry from AAA