Here is the challenge code.
```python
#app.py
from flask import Flask, request, render_template, make_response, redirect, url_for

app = Flask(__name__)

try:
    FLAG = open('./flag.txt', 'r').read()
except:
    FLAG = '[**FLAG**]'

users = {
    'guest': 'guest',
    'user': 'user1234',
    'admin': FLAG
}

# this is our session storage
session_storage = {
}


@app.route('/')
def index():
    session_id = request.cookies.get('sessionid', None)
    try:
        # get username from session_storage
        username = session_storage[session_id]
    except KeyError:
        return render_template('index.html')

    return render_template('index.html', text=f'Hello {username}, {"flag is " + FLAG if username == "admin" else "you are not admin"}')


@app.route('/login', methods=['GET', 'POST'])
def login():
    if request.method == 'GET':
        return render_template('login.html')
    elif request.method == 'POST':
        username = request.form.get('username')
        password = request.form.get('password')
        try:
            # you cannot know admin's pw
            pw = users[username]
        except:
            return '<script>alert("not found user");history.go(-1);</script>'
        if pw == password:
            resp = make_response(redirect(url_for('index')) )
            session_id = os.urandom(32).hex()
            session_storage[session_id] = username
            resp.set_cookie('sessionid', session_id)
            return resp
        return '<script>alert("wrong password");history.go(-1);</script>'


@app.route('/admin')
def admin():
    # developer's note: review below commented code and uncomment it (TODO)

    #session_id = request.cookies.get('sessionid', None)
    #username = session_storage[session_id]
    #if username != 'admin':
    #    return render_template('index.html')

    return session_storage


if __name__ == '__main__':
    import os
    # create admin sessionid and save it to our storage
    # and also you cannot reveal admin's sesseionid by brute forcing!!! haha
    session_storage[os.urandom(32).hex()] = 'admin'
    print(session_storage)
    app.run(host='0.0.0.0', port=8000)
```
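Looking at the code, we can see the guest user's name: value pair in `users`, so let's log in as guest.
Doing so confirms that a sessionid is created.
The code also shows that there is an admin endpoint. Its access check is commented out, so it returns `session_storage` to anyone who asks.
So let's go to the admin endpoint and copy the admin's sessionid value from there, pasting it in as our own sessionid.
Then refresh the page and the flag appears.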
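For contrast, this added example (not the challenge's code and not part of the original write-up) shows one way the `/admin` handler could enforce the check that was left commented out, and avoid returning session ids even to an administrator. The helper names `new_session`, `current_user` and `probe` are hypothetical, and `session_storage` has the same id-to-username shape as in the challenge.

```python
# Added example: /admin with the authorization check enforced.
import secrets
from flask import Flask, abort, jsonify, request

app = Flask(__name__)
session_storage = {}  # session id -> username, same shape as the challenge's store


def new_session(username):
    """Create a server-side session and return its id (hypothetical helper)."""
    session_id = secrets.token_hex(32)
    session_storage[session_id] = username
    return session_id


def current_user():
    """Resolve the sessionid cookie to a username, or None if it is unknown."""
    return session_storage.get(request.cookies.get("sessionid"))


@app.route("/admin")
def admin():
    username = current_user()
    if username is None:
        abort(401)  # no cookie, or a session id the server never issued
    if username != "admin":
        abort(403)  # valid session, but not allowed to see this page
    # Session ids are bearer credentials: report per-user counts only,
    # never the ids themselves, even to an authenticated admin.
    counts = {}
    for user in session_storage.values():
        counts[user] = counts.get(user, 0) + 1
    return jsonify(active_sessions=counts)


def probe(session_id=None):
    """Request /admin with an optional sessionid cookie; return (status, body)."""
    headers = {"Cookie": f"sessionid={session_id}"} if session_id else {}
    # use_cookies=False keeps the test client from replacing our Cookie header
    resp = app.test_client(use_cookies=False).get("/admin", headers=headers)
    return resp.status_code, resp.get_data(as_text=True)


if __name__ == "__main__":
    admin_sid, guest_sid = new_session("admin"), new_session("guest")  # constructed
    print(probe(), probe(guest_sid)[0], probe(admin_sid))
```

With this handler, a guest session gets a 403 from `/admin`, and no response body contains a session id that could be replayed in the `sessionid` cookie.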