In this challenge, the platform appears to be an e-commerce website. The homepage displays only three buttons (source code, e-shop and reset).
First thing to do, let's take a look at the source code.
The first thing we notice is that the back-end is written in Python using the Flask framework. To quickly find what I need, I tried CTRL+F with the keyword "flag" to see if it leads to interesting functions.
And against all expectations, two functions seem to stand out.
The first, "show_flag_function", is where we get trolled, because the function leads nowhere.
But the second function, "get_flag_handler", is more interesting because it tells us that if we have 5 items or more in our session, it will add the flag to our session.
Well... let's go buy 6 diamonds!
Unfortunately for me, I noticed that I only had 3 points, enough to buy 3 diamonds. So the question now is: how do we buy 6 diamonds?
Alright, let's check the source code again and see how the purchase process works.
After investigation, there is an "eval" function that can be manipulated to cause a command injection.
If "eval" is executed to perform "trigger_event", followed by "purchase" twice and then "get_flag", then "purchase_handler" (twice) and "get_flag_handler" have entered the queue, and "consume_point_function" will only run after "get_flag_handler". In other words, the flag check happens before the points are deducted.
We can make the following payload:
http://challenges.ctfd.io:30086/ctfweb/?action:trigger_event%23;action:purchase;3%23action:purchase;3%23action:get_flag;%23
With this query we should be able to buy 6 diamonds, let's try.
As we can see, it worked! Our flag should be in the session, let’s take a look:
Our session is as follows:
.eJyrVsrJT1eyio5WSkwuyczPsyooLUrOSCxOtTZW0sEnlp5aEp-Wk5huDRRSitWJVkorzUu2Ss7PKy7NTY0vyM_MK0FWXpaZWm6dmZeSWkGqYoja4oz8coh9bj6O7vFZadmp-XkpeW5u7hZmFqaqKsq4dOeV5sZnlqTmFitZGegoga0CMo1rATk2Vd0.YL29UA.Hw1DH8ouc0WLMa2v1I4vwtwyWMs
After some research on Google about Flask sessions, I found a small Python script that can help us decode our Flask cookie.
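To show why the flag was readable straight from the cookie, here is an added example (not the script from the writeup and not the challenge's code) that decodes a Flask session cookie with the standard library only and checks its signature. It assumes Flask's default scheme as implemented by itsdangerous (URL-safe base64, optional zlib compression marked by a leading ".", HMAC-SHA1 with salt "cookie-session"); the cookie and secret below are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import zlib

SALT = b"cookie-session"  # salt Flask passes to itsdangerous for session cookies


def _b64decode(data: str) -> bytes:
    # itsdangerous strips '=' padding from URL-safe base64; restore it first
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_flask_session(cookie: str) -> dict:
    """Read the session payload WITHOUT the secret key.

    Layout: [.]<payload>.<timestamp>.<signature>. A leading '.' means the payload
    was zlib-compressed. Flask signs the cookie but does not encrypt it, so the
    client can always read what the server stored (including a flag)."""
    compressed = cookie.startswith(".")
    payload = cookie.lstrip(".").split(".")[0]
    raw = _b64decode(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def verify_flask_session(cookie: str, secret_key: bytes) -> bool:
    """Integrity check (assumption: mirrors itsdangerous' TimestampSigner as
    Flask configures it; use itsdangerous itself outside of a demo)."""
    try:
        value, ts, sig = cookie.rsplit(".", 2)  # 'value' keeps its leading '.'
    except ValueError:
        return False
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    expected = hmac.new(derived, f"{value}.{ts}".encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64decode(sig))


def make_sample_cookie(session: dict, secret_key: bytes, timestamp: int) -> str:
    """Build a compressed, signed cookie the same way (constructed sample)."""
    value = "." + _b64encode(zlib.compress(json.dumps(session, separators=(",", ":")).encode()))
    ts = _b64encode(timestamp.to_bytes((timestamp.bit_length() + 7) // 8, "big"))
    derived = hmac.new(secret_key, SALT, hashlib.sha1).digest()
    sig = hmac.new(derived, f"{value}.{ts}".encode(), hashlib.sha1).digest()
    return f"{value}.{ts}.{_b64encode(sig)}"
```

The cookie from the writeup above can be passed to decode_flask_session as-is; verify_flask_session needs the server's secret, which is exactly what a client does not have.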
Flag found! FLAG_jfkeondnFFG8685%$#