[/MNT/AIN LIB] [WEB] flagkeeper

flagkeeper
SRC: https://library.m0unt41n.ch/challenges/flagkeeper

This challenge required us to access the admin's flag in the database. It had a fully fledged API worked out, and the main way to obtain the flag would be to use the admin's API token to request /api/flag. So I skimmed the code and checked for potential ways of obtaining API keys, auth tokens etc.

The endpoint for obtaining API keys is /api/key, which returns the API keys of the currently logged-in user. The vulnerability is in the odd SQL query: it appends a % wildcard to the session username and matches with LIKE, so any username that is a prefix of another user's name matches that user's row too. By registering a user named a, ad, adm or admi we effectively impersonate the admin user and receive all matching API keys, i.e. those of our own account and of the admin account (since fetchall() returns every matching row).

Python:
```python
from flask import Flask, Response, session  # imports implied by the handler
import json

app = Flask(__name__)

@app.route("/api/key", methods=["GET"])
def apikey():
    if "username" not in session:
        return Response(status=401, response="Unauthorized")
    db = get_db()  # the challenge's own DB helper, defined elsewhere in the app
    cursor = db.cursor()
    # Vulnerable: the trailing '%' turns the session username into a prefix
    # pattern, so a user named 'a' also matches the 'admin' row.
    cursor.execute(
        "SELECT apikey FROM users WHERE username LIKE ?", (session["username"] + "%",)
    )
    user = cursor.fetchall()  # every matching row, not only the caller's
    return Response(status=200, response=json.dumps(user))
```
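To make the prefix-match flaw concrete, here is an added example (not the challenge's own code) that reproduces the query on an in-memory SQLite table and puts the hardened exact-match lookup beside it. The table contents, usernames and key strings are all constructed for the demo; `detect_overmatch` is a hypothetical defender-side check that flags any session whose key lookup returns more than its own row.

```python
# Added example, not part of the flagkeeper challenge: shows why LIKE with an
# appended '%' leaks other users' API keys and how an equality match fixes it.
import sqlite3


def make_db():
    """Constructed users table: a one-letter account 'a', 'bob' and 'admin'."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, apikey TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("admin", "KEY-ADMIN-constructed"),
            ("a", "KEY-A-constructed"),
            ("bob", "KEY-BOB-constructed"),
        ],
    )
    return db


def keys_vulnerable(db, username):
    """Mirror of the original handler: LIKE with a trailing '%' plus fetchall()."""
    cur = db.execute(
        "SELECT apikey FROM users WHERE username LIKE ?", (username + "%",)
    )
    return [row[0] for row in cur.fetchall()]


def keys_fixed(db, username):
    """Hardened variant: exact equality on the session username, single row.
    A prefix of another name no longer matches anything but itself."""
    cur = db.execute("SELECT apikey FROM users WHERE username = ?", (username,))
    row = cur.fetchone()
    return [row[0]] if row else []


def detect_overmatch(db, username):
    """Hypothetical defender check: a per-user key lookup must return at most
    one row; more than one means the pattern widened beyond the caller."""
    return len(keys_vulnerable(db, username)) > 1


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, session user 'a':", keys_vulnerable(db, "a"))
    print("fixed, session user 'a':     ", keys_fixed(db, "a"))
    print("overmatch detected for 'a'?  ", detect_overmatch(db, "a"))
```

The defensive point is that a session value should never be turned into a pattern: authentication lookups use equality on an exact, unique column and read a single row. If a search genuinely needs LIKE, the user-controlled part has to be escaped and the wildcard added only where the application intends it.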

So I wrote a lil exploit script (or gpt did lol) and obtained the flag in a few secs.
