If you can guess our random secret key, we will tell you the flag securely stored in your session.
Based on the source code we know that the app has a directory called
If we make a request to /flag, then it adds the content of the flag to the cookie called “flag”.
However, the Flask session encodes it with base64, so as an extra step we have to decode it.
Another way of testing that it is indeed base64 is to make sure that it uses the following charset:
Also adding “=” to the end of the string.
To bypass this code we can simply check the value of the cookie. There are different ways to do this:
- Browser devtools
- Browser extensions
Don’t forget to decode the content of the cookie.
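
The decoding step as an added example (not code from the challenge): Flask's default session cookie is signed but not encrypted, so the client can read whatever the server stores in it. The cookie value below is constructed, with a placeholder timestamp and signature, and the helper names are hypothetical.

```python
import base64
import json
import zlib


def b64url_decode(data: str) -> bytes:
    """URL-safe base64 decode, restoring the '=' padding Flask strips."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def decode_flask_session(cookie: str) -> dict:
    """Return the JSON payload of a Flask session cookie without verifying it.

    Layout: [.]payload.timestamp.signature, where a leading '.' marks a
    zlib-compressed payload. The signature is NOT checked here.
    """
    compressed = cookie.startswith(".")
    if compressed:
        cookie = cookie[1:]
    # '.' is not in the URL-safe base64 alphabet, so the first field is the payload.
    payload = cookie.split(".")[0]
    raw = b64url_decode(payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def make_sample_cookie(data: dict, compress: bool = False) -> str:
    """Build a constructed cookie with placeholder timestamp and signature."""
    raw = json.dumps(data, separators=(",", ":")).encode()
    if compress:
        raw = zlib.compress(raw)
    body = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ("." if compress else "") + body + ".AAAAAA.placeholder-signature"


if __name__ == "__main__":
    # Constructed sample value, not the real challenge flag.
    sample = make_sample_cookie({"flag": "FLAG{constructed_example}"})
    print(sample)
    print(decode_flask_session(sample))
```

Because the payload is readable without the secret key, secrets belong in server-side storage keyed by a session ID rather than in the session cookie itself.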