Leaked messages - Web
One of our candidates used to send restricted data to colleagues via this service because it's free and easy to use. Try to get some secrets which can compromise them.
I launched dirb and I found there was a
/backup/ folder which seems to be a
So I wanted to use GitTools to dump it.
Bit I got this error from the tool
[-] /.git/ missing in url. So I patched the tool by removing those lines from
Then I dumped it:
I checked the last commit:
It seems that
flag.txt was removed but we have the content just here.
It's a base32 string:
But this is a Troll, a fake flag. This CTF sounds like Troll and guessing... (
/backup/ instead of
/.git/, base32 string, then fake flag).
Ok let's continue and extract all commits still with GitTools.
Now let's take a look at
Then I installed uncompyle6 to uncompile the config python file.
Previously I so that this is a Flask webapp:
SECRET_KEY is generated in order to manage sessions, here it will sign cookies.
Flask cookies look like JWT (JSON Web Tokens) but that's not the same structure. JWT are signature.data.signature, flask cookies are data.nonce.signature.
It seems it's our way to modify the session cookie, cookie will be invalid if we only modify it without having a valid signature (which requires the
SECRET_KEY). But decoding flask cookie only require to base64 decode the first part.
So the I used flask-session-cookie-manager to decode the cookie and re-encode it.
Then I used BurpSuite to temper my request and modify the cookie header, just to test the range of number id:
After some tests I figured that the range were like the following:
- 326410000000 to 326410030239 : CTF story message
- 326410030240 to 326410031505 : no user (You have no messages yet)
- 326410031506 to 326410031666+ : CTF player message (Hello! Your number is 326410031XXX. Have a nice conversation.)
The flag is in a CTF story message.
So I wrote a ruby script to dump all messages into a
Then I used classic grep skills.
There is a link with a picture.
There was another solution found by hotab from dcua. Instead of dumping every message like me it was possible to do an SQL injection into the cookie
' union SELECT GROUP_CONCAT(message,'\n') FROM messages GROUP BY '1. That was listing you all message in one page. This was quicker.