[/MNT/AIN LIB] [WEB] time-share


SRC: https://library.m0unt41n.ch/challenges/time-share

Pretty easy beginner challenge which teaches an important lesson... ^^

The code has a logic flaw: it doesn't check whether the token in the user/admin_token cookie is an actual admin token. Within the JWT there is no is_admin claim or anything similar, so we can log in as the user with the password spongebob (visible in the code), then basically just rename our cookie to admin_token and visit /admin, which presents us the flag.

Python:
@app.route("/dashboard")
def dashboard():
    token = request.cookies.get("auth_token")
    try:
        data = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
        return render_template("user.html", user=data["username"])
    except jwt.ExpiredSignatureError:
        return "Token has expired", 401
    except jwt.InvalidTokenError:
        return "Invalid token", 401


@app.route("/admin")
def admin():
    token = request.cookies.get("admin_token")
    try:
        data = jwt.decode(token, SECRET_KEY, algorithms=["HS256"])
        return render_template("admin.html", admin=data["username"], flag=FLAG)
    except jwt.ExpiredSignatureError:
        return "Token has expired", 401
    except jwt.InvalidTokenError:
        return "Invalid token", 401
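
One way to close the gap, as an added example that is not part of the original writeup or the challenge's code: the role is carried as a signed claim and checked on every request, so the cookie's name no longer decides anything. `SECRET_KEY`, the `role` claim and the helpers `issue_token`, `verify_token` and `authorize` are assumptions, and HS256 is done with the standard library instead of PyJWT so the block runs without dependencies.

```python
import base64, hashlib, hmac, json, time

SECRET_KEY = b"constructed-demo-secret"  # constructed value, not the challenge's key

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest()

def issue_token(username, role, ttl=3600):
    """Mint an HS256 JWT whose payload states the role explicitly."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"username": username, "role": role, "exp": int(time.time()) + ttl}
    signing_input = f"{header}.{b64e(json.dumps(claims).encode())}"
    return f"{signing_input}.{b64e(sign(signing_input))}"

def verify_token(token):
    """Authentication only: pinned algorithm, signature, expiry."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(b64d(header)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        if not hmac.compare_digest(sign(f"{header}.{payload}"), b64d(sig)):
            raise ValueError("bad signature")
        claims = json.loads(b64d(payload))
    except (AttributeError, TypeError, ValueError) as exc:
        raise PermissionError("Invalid token") from exc
    if claims.get("exp", 0) < time.time():
        raise PermissionError("Token has expired")
    return claims

def authorize(cookies, cookie_name, required_role):
    """Authorization: a valid signature is not enough, the signed role must match."""
    try:
        claims = verify_token(cookies.get(cookie_name))
    except PermissionError as exc:
        return 401, str(exc)
    if claims.get("role") != required_role:
        return 403, "Forbidden"
    return 200, claims["username"]
```

In the Flask routes above, the same check would sit right after `jwt.decode(...)`: compare the decoded role claim against the role the route requires before rendering the template.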
