Red This - author: coppersands - web

WriteUp : Kolowy

Look at the code

In Redis:

set "admin" "User"
set "admin_password" "prod_has_a_different_password"
set "fake_flag" "I told you"
set "flag_" "byuctf{test_flag}"
JSON.SET admin_options $ '["hints", "fake_flag", "flag_"]'

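In the Python:

import redis

# HOST is defined elsewhere in the challenge source (not shown in this write-up).
def getAdminOptions(username):
    adminOptions = []
    # Only the "admin" user gets the list of admin options.
    if username is not None and username == "admin":
        db = redis.Redis(host=HOST, port=6379, decode_responses=True)
        # JSON.GET with the "$" path returns a list of matches; take the first.
        adminOptions = db.json().get("admin_options", "$")[0]
    return adminOptions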

Log in with an admin account:

We can create an account (/register)

With this account we can get the admin password

  1. Open Burp Suite with the browser proxy
  2. Create an account (/register)
  3. Make a request to get the quote of Franklin D. Roosevelt
  4. In the Intercept tab in Burp Suite, change the request body to: famous_person=admin_password

Then we have the admin password: admin_password: "I_HopeYou4re8admin_iLoveTechn070g_9283910"
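
The steps above work because the famous_person value is used as the Redis key as-is. The following is an added example, not the challenge's own code (the quote handler is not shown in this write-up): it puts that lookup pattern beside a hardened form. The in-memory store, the get_quote_* function names, the "quote:" prefix and all values are assumptions constructed for illustration.

```python
# Added example. The dict-backed store is a constructed stand-in for Redis,
# and the get_quote_* handler names are hypothetical.
class FakeStore:
    """Minimal stand-in exposing the one call used here: get(key)."""
    def __init__(self, data):
        self._data = dict(data)

    def get(self, key):
        return self._data.get(key)

# Flat keyspace: quotes and secrets share one namespace (values constructed).
flat_db = FakeStore({
    "Franklin D. Roosevelt": "constructed quote",
    "admin_password": "constructed-secret",
})

# Namespaced keyspace: quotes live under their own prefix (an assumption).
QUOTE_PREFIX = "quote:"
ALLOWED_PEOPLE = frozenset({"Franklin D. Roosevelt"})
namespaced_db = FakeStore({
    QUOTE_PREFIX + "Franklin D. Roosevelt": "constructed quote",
    "admin_password": "constructed-secret",
})

def get_quote_vulnerable(db, famous_person):
    # The request parameter is used directly as the key, so the caller
    # chooses which key in the shared keyspace gets read.
    return db.get(famous_person)

def get_quote_hardened(db, famous_person):
    # 1. Allowlist: only names the application actually serves are accepted.
    if famous_person not in ALLOWED_PEOPLE:
        return None
    # 2. Namespace: even an accepted name can only reach "quote:*" keys.
    return db.get(QUOTE_PREFIX + famous_person)
```

Either control alone blocks the key substitution; using both keeps the lookup safe if the allowlist is later loosened or generated from data.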

Log in again with the admin account and intercept the request when you get the admin flag

byuctf{al1w4ys_s2n1tize_1nput-5ed1s_eik4oc85nxz}