3 scary tools that use Shodan search engine 3 ways to become root by exploiting the .bashrc file A hidden web shell in the plug-in wireless Planex MZK-DP150N | CVE-2021-37289 Are professional hackers also excellent magicians? Bob’s Cap - CTF Challenge Build your own WiFi Pineapple Tetra for $7. Crack Me 1 - CTF Challenge Crack Me 2 - CTF Challenge CTF Flag Mart - CTF Challenge Damn Cheap Cipher 2 - CTF Challenge Emoji - CTF Challenge Flask Task - CTF Challenge Hacker Kombat (THE GAME) - CTF Challenge Hackermon - CTF Challenge I Love Listings - CTF Challenge JabberJaw - Convert your router in portable network attack device. Not So Simple Cipher - CTF Challenge Pug a Plenty - CTF Challenge Secure any URL or Qr Code with a password! Simple Cipher - CTF Challenge Triva Unsecured - CTF Challenge VPN Ivacy, insecure design vulnerability discovered. Zipper - CTF Challenge

Flask Task  - Web Challenge 

On this challenge, the platform seems to be an e-commerce website. The homepage displays only 3 buttons (source code, e-shop and reset).

  • l  The "source code" button is a hint for this challenge, it help to understand how the backend works.
    • l  The "e-shop" button allows us to buy diamonds with e-shop points.
      • l  The "reset" button allows us to reset the current active session.

        First thing to do, let's take look at the source code.

        The first thing we can notice is that the back-end is coded in Python using the framework Flask. To quickly find what I need, I tried CTRL+F with the keyword "flag" to see if it leads to interesting functions.

        And against all expectations, two functions seem to stand out.

        The first "show_flag_function" where we get trolled, because the function leads nowhere.

        But the second function, "get_flag_handler", is more interesting because it tells us that if we have 5 items or more in our session, it will add the flag in our session.

        Well... let's go buy 6 diamonds!

        Unfortunately for me, I noticed that I only had 3 points to buy 3 diamonds. So the question now is how to buy 6 diamonds?

        Alright, let's check the source code again and see how the purchase process works.

        After investigation, there is an "eval" function that can be manipulated and cause a command injection.

        If “eval” is executed to perform “trigger_event”, and then followed by “purchase” twice and “get_flag”, “purchase_handler” and” get_flag_handler” have entered the queue, then “consume_point_function” will be after “get_flag_handler”.

        We can make the following payload:

        http://challenges.ctfd.io:30086/ctfweb/?action:trigger_event%23;action:purchase;3%23action:purchase;3%23action:get_flag;%23

        With this query we should be able to buy 6 diamonds, let's try.

        As we can see, it worked! Our flag should be in the session, let’s take a look:

        Our session is as follow:

        .eJyrVsrJT1eyio5WSkwuyczPsyooLUrOSCxOtTZW0sEnlp5aEp-Wk5huDRRSitWJVkorzUu2Ss7PKy7NTY0vyM_MK0FWXpaZWm6dmZeSWkGqYoja4oz8coh9bj6O7vFZadmp-XkpeW5u7hZmFqaqKsq4dOeV5sZnlqTmFitZGegoga0CMo1rATk2Vd0.YL29UA.Hw1DH8ouc0WLMa2v1I4vwtwyWMs

        After some research on Google about flask sessions, I found a small python script that can help us to decode our flask cookie.

        Flag found! FLAG_jfkeondnFFG8685%$#