Web – Empire3

Empire3 - 500pt


Agent 513! One of your dastardly colleagues is laughing very sinisterly! Can you access his todo list and discover his nefarious plans? https://2019shell1.picoctf.com/problem/32252/ (link) or http://2019shell1.picoctf.com:32252


Pay attention to the feedback you get
There is very limited filtering in place - this to stop you from breaking the challenge for yourself, not for you to bypass.
The database gets reverted every 2 hours if you do break it, just come back later


We are presented the usual company website, we register and login as usual and we try to add a todo {{config}}. We go in the list of todos and we have a lot of information, the most important is the flask secret key which is used to sign the cookies. Now we check if there is any cookie saved by the website and we find that there is one. Decrypting it with flask-session-cookie-manager we discover that it contains a user_id field, maybe we can change it and login as another user. We try set user_id to 1 and we encode the cookie again. As we send the cookie we actually login as jarret.booz but no flag here. Let’s try user_id = 2 and we actually find the flag.

alt tag
alt tag


Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *