
247ctf [Web]: SecuredSession


Introduction

If you can guess our random secret key, we will tell you the flag securely stored in your session.

Source code:

import os
from flask import Flask, request, session
from flag import flag  # challenge-provided module, not shown on this page

app = Flask(__name__)
# 24 random bytes; the session cookie is signed with this key, not encrypted
app.config['SECRET_KEY'] = os.urandom(24)

def secret_key_to_int(s):
    # Non-numeric guesses become 0, so the result is always an int
    try:
        secret_key = int(s)
    except ValueError:
        secret_key = 0
    return secret_key

@app.route("/flag")
def index():
    secret_key = secret_key_to_int(request.args['secret_key']) if 'secret_key' in request.args else None
    # The flag is written into the client-side session cookie on every request,
    # before (and regardless of) the secret key check below
    session['flag'] = flag
    # An int can never equal the 24-byte bytes object in SECRET_KEY, so this
    # branch is unreachable; the challenge is solved by reading the cookie instead
    if secret_key == app.config['SECRET_KEY']:
        return session['flag']
    else:
        return "Incorrect secret key!"

@app.route('/')
def source():
    # The <pre> tags were stripped when the page was scraped and are restored here
    return "<pre>%s</pre>" % open(__file__).read()

if __name__ == "__main__":
    app.run()

Solution

From the source code we know that the app has a route at /flag. Any request to /flag stores the flag in the session under the key "flag", before the secret key is even checked. The guess itself can never match: secret_key_to_int always returns an int, while SECRET_KEY is a 24-byte bytes object, so brute-forcing the key is pointless.

Flask's default session is a client-side cookie named "session". Its contents are serialised to JSON, base64-encoded and signed with SECRET_KEY, but not encrypted, so the key is only needed to forge a cookie, not to read one. The cookie has the form payload.timestamp.signature, with a leading "." when the payload was zlib-compressed first. The payload is URL-safe base64, so it uses the alphabet
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_
("-" and "_" replace the "+" and "/" of standard base64), and the trailing "=" padding is stripped, so it has to be added back before decoding.

Instead of guessing the key we simply read the cookie the server sets. There are different ways to do this:

  • Browser devtools
  • Browser extensions
  • Scripts

Don't forget to decode the content of the cookie.
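As an added example (not part of the original writeup), here is a small Python decoder for the Flask session cookie layout described above: it strips the optional compression marker, re-adds the base64 padding, inflates a zlib-compressed payload if needed, and returns the JSON session data without verifying the signature. The sample cookie is constructed in the same layout rather than captured from the challenge; the flag value, timestamp and signature segments in it are made up.

```python
import base64
import json
import zlib
from typing import Optional


def _b64decode_unpadded(data: str) -> bytes:
    """Decode URL-safe base64 after restoring the '=' padding Flask strips."""
    data = data.rstrip("=")
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def decode_flask_session(cookie: str) -> dict:
    """Read the payload of a Flask session cookie WITHOUT verifying it.

    Layout: ``[.]payload.timestamp.signature``. A leading '.' means the JSON
    payload was zlib-compressed before base64-encoding. The signature only
    guarantees integrity; nothing is encrypted, so no key is needed to read it.
    """
    compressed = cookie.startswith(".")
    if compressed:
        cookie = cookie[1:]
    # '.' never occurs in the URL-safe base64 alphabet, so it is a safe separator
    payload_b64 = cookie.split(".", 1)[0]
    raw = _b64decode_unpadded(payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def build_sample_cookie(data: dict, compress: bool = False) -> str:
    """Constructed cookie in Flask's layout; timestamp and signature are dummies.

    Only the payload segment is meaningful here. Real cookies carry a base64
    timestamp and an HMAC over the first two segments, both of which
    decode_flask_session deliberately ignores.
    """
    raw = json.dumps(data, separators=(",", ":")).encode()
    if compress:
        raw = zlib.compress(raw)
    payload = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    prefix = "." if compress else ""
    return f"{prefix}{payload}.ZmFrZQ.dummy-signature"


def extract_flag(cookie: str) -> Optional[str]:
    """The step the writeup describes: pull 'flag' out of the session cookie."""
    return decode_flask_session(cookie).get("flag")


if __name__ == "__main__":
    # Constructed sample, not a cookie captured from the challenge
    sample = build_sample_cookie({"flag": "247CTF{constructed_example_flag}"})
    print(sample)
    print(extract_flag(sample))
```

To use it against the real challenge, paste the value of the "session" cookie from devtools into extract_flag(); the same function handles the compressed variant, which Flask emits automatically when the session data is large enough for zlib to shrink it.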

Written by ITasahobby (InTernet lover)