
es (web 200)


There is a service running at

The page has an authorization form and another form with strange functionality. There is also a registration link.

First we registered a new user with 1 / 1 as login / password. We saw that the server set a cookie:

Cookie: mojolicious=eyJuYW1lIjoiMSIsImV4cGlyZXMiOjEzOTUwNjI3OTh9--b844d3ef12af172ffebe4271f93d0548b92f637d

The first part, before "--", is the base64-encoded user session information:

'eyJuYW1lIjoiMSIsImV4cGlyZXMiOjEzOTUwNjI3OTh9' == base64('{"name":"1","expires":1395062798}')

The second part, after "--", is hash_hmac with sha1 of the first part, keyed with a secret. We found the secret in the page source code:

<!-- secret: ructf -->

So we assumed that we needed to get the admin's cookie. We replaced our nickname with 'admin' and generated a new cookie with the help of

part1 = base64('{"name":"admin","expires":1395062798}')
part2 = hash_hmac('sha1', part1, 'ructf')


part1 + '--' + part2 ==

So we logged in with the new admin cookie and saw the message 'Hi, admin!'. Then we went to and got the flag 054ad7a734437d6853383ad919526dc5 by following the link.
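The server-side check behind this cookie format, as an added example (not code from the task or from Mojolicious): it shows that the MAC cannot tell a server-issued cookie from a self-made one while the key is the published 'ructf', and that the same cookie is rejected once the key is private. `SERVER_SECRET`, `sign`, `verify` and `demo` are hypothetical names, and the random key is an assumption.

```python
import base64, hashlib, hmac, json, secrets, time

LEAKED_SECRET = b"ructf"                 # value from the page's HTML comment
SERVER_SECRET = secrets.token_bytes(32)  # assumption: random key that never leaves the server

def sign(payload: dict, secret: bytes) -> str:
    """Build 'base64(json)--hmac_sha1_hex', the layout described above."""
    part1 = base64.b64encode(json.dumps(payload, separators=(",", ":")).encode())
    part2 = hmac.new(secret, part1, hashlib.sha1).hexdigest()
    return part1.decode() + "--" + part2

def verify(cookie: str, secret: bytes, now=None):
    """Return the session dict, or None if the MAC, encoding or expiry check fails."""
    part1, sep, part2 = cookie.rpartition("--")
    if not sep:
        return None
    expected = hmac.new(secret, part1.encode(), hashlib.sha1).hexdigest()
    # Constant-time comparison, so the check does not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), part2.encode()):
        return None
    try:
        session = json.loads(base64.b64decode(part1, validate=True))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    expires = session.get("expires") if isinstance(session, dict) else None
    current = time.time() if now is None else now
    if not isinstance(expires, int) or expires <= current:
        return None
    return session

def demo():
    """Check one cookie keyed with the published secret against both keys."""
    payload = {"name": "admin", "expires": int(time.time()) + 3600}  # constructed sample
    cookie = sign(payload, LEAKED_SECRET)
    # First result: accepted while the server still uses the published key.
    # Second result: rejected (None) after the key is replaced with a private one.
    return verify(cookie, LEAKED_SECRET), verify(cookie, SERVER_SECRET)

if __name__ == "__main__":
    print(demo())
```

Replacing the key invalidates every cookie signed with the old one, so existing sessions have to log in again.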

