writeups/2020/rgbctf/countdown/README.md

# Countdown

writeup by [5225225](https://www.5snb.club) for [BLÅHAJ](https://blahaj.awoo.systems)

**Web**
**455 points**
**63 solves**

> This challenge is simple. All you have to do is wait for the countdown to end to get the flag.
> The countdown ends one second before the end of the CTF, but you have fast fingers right?

## writeup

You're sent to a website that contains a javascript countdown to a date. Above that is the phrase
"Time is key.". Looking at the source code, it reads a cookie that contains 3 base64 parts joined
by dots, and only makes use of the first part. Decoding the first part of the cookie gives you a
JSON object describing the date the page counts down to, but changing it doesn't get the server to
return the flag.

The format was similar to that of a JSON Web Token, but it couldn't be a JWT.

Intentionally making the server return a 404 by going to a non-existent page gave us

> # Not Found
>
> The requested URL was not found on the server. If you entered the URL manually please check your
> spelling and try again.

Looking online for that string, most of the results mention Flask
(<https://github.com/pallets/flask>), a Python web framework. So the server's probably using flask.

Searches online leads us to itsdangerous (<https://itsdangerous.palletsprojects.com/en/1.1.x/>),
which is the library Flask uses to sign its cookies. The format looks to match, so we know it's a
Flask cookie.

To break it, I used flask-unsign (<https://github.com/Paradoxis/Flask-Unsign>), which is a tool
that can take a Flask cookie and crack the code using a wordlist. The built-in wordlist didn't
crack the cookie, but then I went back and read the page, and tried both "time" and "Time" as the
secret key. "Time" turned out to be the key, so I could then re-sign the cookie with a date in the
past, paste that into my browser, and refresh the page, showing the flag.