2020: RGBctf: countdown - 5225225

2020/rgbctf/countdown/README.md

@@ -0,0 +1,40 @@
+# Countdown
+
+writeup by [5225225](https://www.5snb.club) for [BLÅHAJ](https://blahaj.awoo.systems)
+
+**Web**
+**455 points**
+**63 solves**
+
+> This challenge is simple. All you have to do is wait for the countdown to end to get the flag.
+> The countdown ends one second before the end of the CTF, but you have fast fingers right?
+
+## writeup
+
+You're sent to a website that contains a javascript countdown to a date. Above that is the phrase
+"Time is key.". Looking at the source code, it reads a cookie that contains 3 base64 parts joined
+by dots, and only makes use of the first part. Decoding the first part of the cookie gives you a
+JSON object describing the date the page counts down to, but changing it doesn't get the server to
+return the flag.
+
+The format was similar to that of a JSON Web Token, but it couldn't be a JWT.
+
+Intentionally making the server return a 404 by going to a non-existent page gave us
+
+> # Not Found
+>
+> The requested URL was not found on the server. If you entered the URL manually please check your
+> spelling and try again.
+
+Looking online for that string, most of the results mention Flask
+(<https://github.com/pallets/flask>), a Python web framework. So the server's probably using flask.
+
+Searches online leads us to itsdangerous (<https://itsdangerous.palletsprojects.com/en/1.1.x/>),
+which is the library Flask uses to sign its cookies. The format looks to match, so we know it's a
+Flask cookie.
+
+To break it, I used flask-unsign (<https://github.com/Paradoxis/Flask-Unsign>), which is a tool
+that can take a Flask cookie and crack the code using a wordlist. The built-in wordlist didn't
+crack the cookie, but then I went back and read the page, and tried both "time" and "Time" as the
+secret key. "Time" turned out to be the key, so I could then re-sign the cookie with a date in the
+past, paste that into my browser, and refresh the page, showing the flag.