From 58e78c7c3dc28cdef183f8b64c5738e04b30b292 Mon Sep 17 00:00:00 2001 From: 5225225 <5225225@mailbox.org> Date: Wed, 15 Jul 2020 00:06:11 +0100 Subject: [PATCH] 2020: RGBctf: countdown - 5225225 --- 2020/rgbctf/countdown/README.md | 40 +++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 2020/rgbctf/countdown/README.md diff --git a/2020/rgbctf/countdown/README.md b/2020/rgbctf/countdown/README.md new file mode 100644 index 0000000..d77324d --- /dev/null +++ b/2020/rgbctf/countdown/README.md 
@@ -0,0 +1,40 @@ +# Countdown + +writeup by [5225225](https://www.5snb.club) for [BLĂ…HAJ](https://blahaj.awoo.systems) + +**Web** +**455 points** +**63 solves** + +> This challenge is simple. All you have to do is wait for the countdown to end to get the flag. +> The countdown ends one second before the end of the CTF, but you have fast fingers right? + +## writeup + +You're sent to a website that contains a javascript countdown to a date. Above that is the phrase +"Time is key.". Looking at the source code, it reads a cookie that contains 3 base64 parts joined +by dots, and only makes use of the first part. Decoding the first part of the cookie gives you a +JSON object describing the date the page counts down to, but changing it doesn't get the server to +return the flag. + +The format was similar to that of a JSON Web Token, but it couldn't be a JWT. + +Intentionally making the server return a 404 by going to a non-existent page gave us + +> # Not Found +> +> The requested URL was not found on the server. If you entered the URL manually please check your +> spelling and try again. + +Looking online for that string, most of the results mention Flask +(), a Python web framework. So the server's probably using flask. + +Searches online leads us to itsdangerous (), +which is the library Flask uses to sign its cookies. The format looks to match, so we know it's a +Flask cookie. + +To break it, I used flask-unsign (), which is a tool +that can take a Flask cookie and crack the code using a wordlist. The built-in wordlist didn't +crack the cookie, but then I went back and read the page, and tried both "time" and "Time" as the +secret key. "Time" turned out to be the key, so I could then re-sign the cookie with a date in the +past, paste that into my browser, and refresh the page, showing the flag.
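Review bot: the three parenthetical link slots in the writeup body are empty ("Flask ()", "itsdangerous ()", "flask-unsign ()"), so the references the text leans on ("Looking online for that string", "Searches online leads us to") point nowhere; either fill in the project URLs or drop the empty parentheses. Two smaller points in the same hunk: the sentence "The format was similar to that of a JSON Web Token, but it couldn't be a JWT." gives no reason, and the next paragraphs only establish Flask from the 404 page, so state what ruled out a JWT (a JWT's first segment is a JSON header carrying `alg`/`typ`, whereas here the first segment decoded straight to the date payload, which is the itsdangerous/Flask session layout of payload.timestamp.signature). Finally, the cracking and re-signing step names flask-unsign but never shows the invocation, and "crack the code" should read "crack the secret key"; quoting the two commands actually run (the wordlist attempt with `--unsign --cookie ... --wordlist ...` and the re-sign with `--sign --cookie '{...}' --secret 'Time'`, or whatever form was used) would let a reader reproduce the solve and make the "Time"-vs-"time" detail concrete.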