Source
-snip-
@app.route("/flag")
def index():
secret_key = secret_key_to_int(request.args['secret_key']) if 'secret_key' in request.args else None
session['flag'] = flag
if secret_key == app.config['SECRET_KEY']:
return session['flag']
else:
return "Incorrect secret key!"
-snip-We need to go to the /flag endpoint and look into the cookies.
After base64 decoding twice, we get the flag.
eyJmbGFnIjp7IiBiIjoiTWpRM1ExUkdlMlJoT0RBM09UVm1PR0UxWTJGaU1tVXdNemRrTnpNNE5UZ3dOMkk1WVRreGZRPT0ifX0
{"flag":{" b":"MjQ3Q1RGe2RhODA3OTVmOGE1Y2FiMmUwMzdkNzM4NTgwN2I5YTkxfQ=="}}
247CTF{da80795f8a5cab2e037d7385807b9a91}
Looking into the source we find some jsfuck code which we can decode to standard javascript using any given online tool.
if (this.username.value == 'the_flag_is' && this.password.value == '247CTF{6c91b7f7f12c852f892293d16dba0148}'){ alert('Valid username and password!'); } else { alert('Invalid username and password!'); }
Source
<?php
require_once('flag.php');
$password_hash = "0e902564435691274142490923013038";
$salt = "f789bbc328a3d1a3";
if(isset($_GET['password']) && md5($salt . $_GET['password']) == $password_hash){
echo $flag;
}
echo highlight_file(__FILE__, true);
?>This code contains a typical PHP magic hash vulnerability. Using the script below, I compute a number that when appended to the salt, passes the flag condition.
import itertools
from hashlib import md5
import string
salt = 'f789bbc328a3d1a3'
flag = False
for i in itertools.count():
to_hash = salt + str(i)
then_hash = md5(to_hash.encode()).hexdigest()
print(f'{to_hash} -> {then_hash}')
if then_hash[:2] == '0e' and then_hash[2:].isnumeric():
input()After running the script for a while, we finally get the hash.
# ...
# f789bbc328a3d1a3237701816 -> eac5caf7ed7c39299c49840754f882d4
# f789bbc328a3d1a3237701817 -> 4f743cac51ce63a5d51aab8cedf9a7ba
# f789bbc328a3d1a3237701818 -> 0e668271403484922599527929534016
Putting the number as the get parameter "password":
247ctf.com/?password=237701818
Flag: 247CTF{76fbce3909b3129536bb396fea3a9879}