Thomas DEVerson
The site has three endpoints: /messages, /login and /status. If you POST any random data to /login you are redirected to /messages without being logged in.
Enumeration also finds another directory, /backup, which has the following content.
Walkthrough :
Output of head -n 10 app.py:

```python
from flask import (Flask, flash, redirect, render_template, request, send_from_directory, session, url_for)
from datetime import datetime
app = Flask(__name__)
# The secret key is derived from the server time at launch, formatted
# to minute precision (YYYYmmddHHMM), so it has very little entropy.
c = datetime.now()
f = c.strftime("%Y%m%d%H%M")
app.secret_key = f'THE_REYNOLDS_PAMPHLET-{f}'
allowed_users = ['Jefferson', 'Madison', 'Burr'] # No Federalists Allowed!!!!
```
Output of head -n 10 requirements.txt:

```
Flask==3.0.3
```

All accounts show an error message on login attempts: "account is protected!"
However, the responses set some interesting cookies. They look like JWTs but are slightly different: they are Flask session cookies, a base64url-encoded JSON payload followed by a timestamp and an HMAC signature, separated by dots. Flask session cookies can be decoded with the flask-unsign tool; for example, the cookie set on the homepage decodes like this:

The payload can be read without the key, but the cookie is signed, so if we want to manipulate it we need the secret key the app used, so that we can sign the new cookie ourselves.
Going back to /backup, we can see how the app generated the secret key: a fixed prefix plus the launch time at minute precision, so the key space is tiny once we know roughly when the app started.

Let's also take a look at the /status endpoint:
The hint here is that the app was started once and has been running ever since without a restart, so the uptime reported by /status tells us when the process (and therefore the key) was created. We can roughly calculate the launch time as the current server time minus the uptime.

This is easily done with a Python script, but it will not give the exact minute the key was generated: app launch and key generation happen at slightly different times depending on multiple factors, so we have to try a few minutes on either side of the computed launch time to cover the exact key-generation minute.
Now we have a list of possible keys, one per candidate minute, which we can test against a captured cookie using flask-unsign in unsign mode with the list as a wordlist:

SECRET_KEY:
THE_REYNOLDS_PAMPHLET-179708250845

With the key recovered we can easily modify the cookie, sign it with any of the allowed usernames (Jefferson, Madison or Burr) and read /messages.
Flag
