Briefing
This is a CTF created by my professor Aspen Olmsted. This challenge has two flags with the format flag{}. Once solved students were encouraged to send the flags to Professor Olmsted. For this challenge students were given the URL to the vulnerable website and open source code to assist.
Before I begin, all credit goes to Ezequiel Pereira Lopez for teaching me everything I needed to know to reproduce the steps required to solve this CTF. You can check out his blog here; he has amazing work.
Login
The link my professor sent us brings us to this login page. The first instinct here is usually to test a bunch of default credentials or brute-force the username and password with Hydra to see if we can log in as an admin. If we try basics like admin/admin, no luck.
If we take a look at the open source code, we can see that this website is developed with Flask. We can also see the routes in routes.py. There is an interesting route here called /register where you can presumably register a new user.
If we try to visit /register, we get the following:
Register
If we take a look back at /register, we see the following:
The area commented out looks pretty interesting; it looks like it was intentionally left commented out. If we look at the line before, verify_signature is set to False. This is what PyJWT calls “Reading the Claimset without Validation”: if you wish to read the claimset of a JWT without performing validation of the signature or any of the registered claim names, you can set the verify_signature option to False. It is generally ill-advised to use this functionality unless you clearly understand what you are doing. In this instance, PyJWT has example usage of encoding and decoding a JWT.
Here, take the encoded JWT and place it in the /register route.
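To make concrete why verify_signature=False is dangerous, here is an added example (not code from the CTF or from PyJWT) that implements a minimal HS256 JWT with only the standard library: an unverified decode that just reads the claimset, beside the verified decode a server should use. The key and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real server loads this from its secret config.
SERVER_KEY = b"demo-server-secret"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWT encoding strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """What verify_signature=False amounts to: trust the payload as-is."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, key: bytes) -> dict:
    """Hardened path: pin the algorithm, recompute the MAC, compare in constant time."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def verified_accepts(token: str, key: bytes) -> bool:
    """True if the token passes signature verification, False otherwise."""
    try:
        decode_verified(token, key)
        return True
    except ValueError:
        return False


def tamper_payload(token: str, claims: dict) -> str:
    """Replace the claimset but keep the stale signature (a token the server never issued)."""
    header, _, sig = token.split(".")
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.{sig}"
```

The unverified path happily returns whatever claims the client put in the payload, which is exactly why the /register endpoint accepts a user-supplied token; the verified path rejects anything the server did not sign.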
Reading the Claimset
From here, one can successfully create a new user.
And sign in:
From here we get a dashboard that is pretty interesting.
From here, we can take a look at the repo to see where the first flag might be:
If we attempt to visit the /safety_shutoff route or click on the shutoff button, we get the first flag.
The second flag is pretty interesting because one can see that the user has to successfully create a NewMission(). Taking a closer look, there is an if condition that returns “missing security key authentication”, essentially meaning that a security key is required to create a new mission successfully.
Creating New Mission
If we try to create a new mission without doing anything, it is unsuccessful.
If we attempt to press on the confirm action with security key, we get the following:
So we have to somehow find a way to add our security key.
Adding The Security Key
If we go to Account Settings, we have the option to add our own security key.
If we try to add a new key, nothing happens, but we can analyze the request in Burp Suite.
We get a 403 Forbidden from /webauth/begin_activate. If we replace the response with the following:
You will now be able to use your security key.
From here, one can register a physical or virtual security key with the system.
After this, you can go back to “add a mission” and proceed to the second flag.
Great! Once again, big thanks to my friend Ezequiel for guiding and working with me through this CTF. Please check out his website; he has incredible work.