Description: Are you here on official business? Prove it.
When we visit the page, we are greeted with a generic login page. When attempting to log in as admin, we get redirected to a 403 Forbidden error page.
Since we don’t receive much information from this and it is not a SQL injection vuln, we navigate to /robots.txt and find source code.
So we know our backend is Flask and there is a way that we have to log in. We notice that it is quite difficult to bruteforce the password to decrypt to the requested text. So we turn our attention to cookies.
When we enter the home page, the server calls load_cookie(), which gets “auth” and verifies it. We get our “auth” from do_login(), which only includes username, password, and a check if admin is true. So we mimic this in a short Python script:
Finally we create our “auth” cookie while intercepting a GET request to the home page and enter our value, receiving our flag: