Rating:
[Source writeup](https://barelycompetent.dev/post/ctfs/2022-03-13-utctf/#login-as-admin-pt-3)
---
Note: These writeups are purposefully short. Each problem had a hint that made the problem trivial to solve.
Again, we know the credentials are `admin:admin`. However, this time, upon sending those creds, we get a 400 bad request error.
Inspecting the given source code (`app.py`):
```python
from flask import *
app = Flask(__name__)
@app.route('/', methods=['GET', 'POST'])
def login():
if request.method == 'POST':
if request.form['username'] == "admin" and request.form['pwd'] == "admin" and request.form['isAdmin'] == "True":
with open('flag.txt', 'r') as file:
flag = file.read()
return make_response("Hello Admin! The flag is " + flag), 200
else:
return render_template('index.html', loginFailed=True)
else:
return render_template('index.html')
if __name__ == '__main__':
app.run(host='0.0.0.0')
```
We see on line 7 that the site is expecting isAdmin to be set as a form field:
```
if request.form['username'] == "admin" and request.form['pwd'] == "admin" and request.form['isAdmin'] == "True":
```
By default, the `isAdmin` value is a cookie, and we are only sending `username` and `pwd` in the form data. Adding `&isAdmin=True` to the POST data (by intercepting the request with say burpproxy), you get the flag.