
Rick's Website 2 BKSEC Write-up

CTF writeup: .git source leak, SSRF, and cookie manipulation on a Flask app.


Part 1: Path Discovery :)

Version 2 is definitely trickier than the original. When you open the site, there’s no login page like before — not even a robots.txt file ><

After checking hint #1, it was clear we needed to brute-force the site’s paths. Using gobuster with 7749 wordlists, we eventually found a path that looked “useless” at first glance: .git

Part 2: Discover .git

After extracting the downloaded file:

Analysis

When in doubt, Google it. After a quick read on Git [1], the phrase “object database” caught my attention — there might be something exploitable inside this folder.

Digging further into .git objects [2], we learn it contains directories named info, pack, and various two-character directories. Each two-character directory holds a file whose name, when concatenated with the directory name, forms a full hash.

Example: Inside the 3d directory is a file named 0d3b034e747cfa6f3fba9846c3462aca808c33 — combine them and you get the hash 3d0d3b034e747cfa6f3fba9846c3462aca808c33.

Read contents

Use the command git cat-file -p <hash> to pretty-print the contents of the object with that hash.
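To make concrete what git cat-file is doing with those two-character directories, here is an added example (not from the write-up) that reads a loose object by hand: inflate it with zlib, check that the SHA-1 of the inflated bytes matches the name formed from directory plus file name, and split the "<type> <size>\0<payload>" header off. It also writes a constructed blob into a throw-away .git directory so it runs offline; the content "hello world\n" and the temp directory are constructed for the demo.

```python
"""Read a loose Git object the way `git cat-file -p <hash>` does (added example)."""
from __future__ import annotations

import hashlib
import os
import shutil
import tempfile
import zlib


def object_path(git_dir: str, sha: str) -> str:
    """Map a 40-hex object name to objects/<first two>/<remaining 38>."""
    if len(sha) != 40 or any(c not in "0123456789abcdef" for c in sha):
        raise ValueError(f"not a SHA-1 hex name: {sha!r}")
    return os.path.join(git_dir, "objects", sha[:2], sha[2:])


def read_loose_object(git_dir: str, sha: str) -> tuple[str, bytes]:
    """Inflate a loose object, verify its hash, and return (type, payload)."""
    with open(object_path(git_dir, sha), "rb") as fh:
        raw = zlib.decompress(fh.read())
    # Integrity check: the object name is the SHA-1 of the inflated bytes,
    # header included. A mismatch means a corrupted or mislabelled object.
    actual = hashlib.sha1(raw).hexdigest()
    if actual != sha:
        raise ValueError(f"hash mismatch: expected {sha}, got {actual}")
    header, _, payload = raw.partition(b"\0")
    obj_type, size = header.decode("ascii").split(" ")
    if int(size) != len(payload):
        raise ValueError("size field does not match payload length")
    return obj_type, payload


def write_loose_object(git_dir: str, obj_type: str, payload: bytes) -> str:
    """Store payload as a loose object (what `git hash-object -w` does); return its name."""
    raw = f"{obj_type} {len(payload)}\0".encode("ascii") + payload
    sha = hashlib.sha1(raw).hexdigest()
    path = object_path(git_dir, sha)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(zlib.compress(raw))
    return sha


def list_object_names(git_dir: str) -> list[str]:
    """Enumerate loose objects by joining directory name and file name, as in the write-up."""
    objects_dir = os.path.join(git_dir, "objects")
    names = []
    for sub in sorted(os.listdir(objects_dir)):
        if len(sub) != 2:
            continue  # skip info/ and pack/
        for fname in sorted(os.listdir(os.path.join(objects_dir, sub))):
            names.append(sub + fname)
    return names


def demo() -> tuple[str, str, bytes]:
    """Build a throw-away .git, store a constructed blob, read it back, clean up."""
    git_dir = tempfile.mkdtemp(prefix="demo-git-")
    try:
        sha = write_loose_object(git_dir, "blob", b"hello world\n")  # constructed content
        assert list_object_names(git_dir) == [sha]
        obj_type, payload = read_loose_object(git_dir, sha)
    finally:
        shutil.rmtree(git_dir, ignore_errors=True)
    return sha, obj_type, payload


if __name__ == "__main__":
    sha, obj_type, payload = demo()
    print(sha, obj_type, payload)  # 3b18e512dba79e4c8300dd08aeb37f8e728b8dad blob b'hello world\n'
```

The same reader works on an exposed .git pulled from a web server: walk the two-character directories, join the names, inflate each object, and the blobs come out as plain source files. Pack files (objects/pack/*.pack) use a different on-disk format and are not handled here.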

This looks like a Flask Python file (we’re getting close, hehe). Opening it in VS Code for a better view, we find this :))

And there it is — we’ve got the exact path. Let’s see what’s there.

Part 3: Breaking the Site :)

There’s the familiar login page ><

Reading further through the source code, the login is a GET request that checks username=admin and password=admin (site.com/MIFM-3d23d-fdsFM?username=admin&password=admin). Let’s try logging in.

Bump…

Dang, still just “Welcome guest” ><

Source Code Analysis

Re-examining the source code conditions, we notice:

Essentially, the remote address must equal the local address. Trying to fake the IP via headers in Burp Suite failed.

Is IP Spoofing Viable?

From what I know, Flask’s remote_addr cannot be bypassed with those headers — any spoofing approach would be very complex. Time to try a different angle.

Midnight snack: cookies(づ ̄3 ̄)づ╭🍪~

Checking the cookies and Base64-decoding the session value gives us:

Could we just append {"rick":true}, re-encode, and be done? Nope, that won’t work — try it if you don’t believe me. For why it doesn’t work, see this article.
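The reason the edited cookie is rejected is that Flask signs its session cookie: the value is "<payload>.<timestamp>.<signature>", and the signature is an HMAC over payload and timestamp under a key derived from the app’s secret key (itsdangerous, salt "cookie-session"). Below is an added example, not from the write-up or from Flask’s code, that models the scheme with the standard library: anyone can decode the payload (signing gives integrity, not secrecy), but a payload with {"rick": true} added fails verification because the old signature no longer matches. The secret key, payload and timestamp are constructed samples; the constants follow itsdangerous defaults from memory, and exact byte-compatibility with a given Flask release is not claimed.

```python
"""Model of Flask's signed session cookie, to show why payload edits fail (added example)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_key(secret_key: bytes, salt: bytes = b"cookie-session") -> bytes:
    # itsdangerous "hmac" key derivation as used by Flask: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key, salt, hashlib.sha1).digest()


def sign_session(secret_key: bytes, session: dict, ts: Optional[int] = None) -> str:
    """Produce payload.timestamp.signature for a session dict."""
    payload = b64e(json.dumps(session, separators=(",", ":"), sort_keys=True).encode())
    ts = int(time.time()) if ts is None else ts
    stamp = b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    signed = f"{payload}.{stamp}".encode("ascii")
    sig = hmac.new(derive_key(secret_key), signed, hashlib.sha1).digest()
    return f"{payload}.{stamp}.{b64e(sig)}"


def peek_session(cookie: str) -> dict:
    """Anyone can read the payload without the key: this is what the write-up did."""
    payload = cookie.split(".", 1)[0]
    return json.loads(b64d(payload))


def verify_session(secret_key: bytes, cookie: str) -> Optional[dict]:
    """Return the session dict if the signature checks out, else None (Flask then starts a fresh, empty session)."""
    try:
        payload, stamp, sig = cookie.split(".")
    except ValueError:
        return None
    signed = f"{payload}.{stamp}".encode("ascii")
    expected = hmac.new(derive_key(secret_key), signed, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, b64d(sig)):
        return None
    return json.loads(b64d(payload))


def tamper(cookie: str, **changes) -> str:
    """Re-encode the payload with extra keys but keep the old signature (the attempt described above)."""
    payload, stamp, sig = cookie.split(".")
    session = json.loads(b64d(payload))
    session.update(changes)
    new_payload = b64e(json.dumps(session, separators=(",", ":"), sort_keys=True).encode())
    return f"{new_payload}.{stamp}.{sig}"


SECRET = b"constructed-demo-secret"  # stand-in for app.secret_key; constructed for the demo


def demo() -> tuple[dict, Optional[dict], Optional[dict]]:
    cookie = sign_session(SECRET, {"user": "guest"}, ts=1_700_000_000)  # constructed session
    peeked = peek_session(cookie)                                # readable without the key
    good = verify_session(SECRET, cookie)                        # genuine cookie verifies
    forged = verify_session(SECRET, tamper(cookie, rick=True))   # edited payload is rejected
    return peeked, good, forged


if __name__ == "__main__":
    print(demo())
```

Two practical consequences: a weak or leaked secret key (for example one committed into that .git directory) would let anyone mint valid cookies, and because the payload is only Base64, nothing sensitive belongs in a client-side session to begin with.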

So both approaches are dead ends :(

At this point the only option seems to be going back to the .git file, grabbing the author’s email, and either blaming them or sweet-talking them into screenshotting the flag for us >< But I still have my dignity — let’s keep going (❁´◡`❁)

Going back to the Wjbu page and cross-referencing with the source code, we know that after submitting, the app runs a function that renders whatever link we enter to a PDF — though not just any link.

First, the URL must contain “www.youtube.com” and must not contain any words in the Blacklist (local, spoof, .0, .1). However, since the PDF rendering is performed server-side, any request the renderer makes comes from the server itself. If we can get it to fetch the login URL, the remote_addr check could be satisfied.

It’s time to destroy :)

Now we use tinyurl.com to create a redirect link pointing to: localhost:5000/MIFM-3d23d-fdsFM?username=admin&password=admin

Now submit the link tinyurl.com/tvadeptrai/?www.youtube.com — this satisfies all conditions required for the PDF renderer.

For those wondering why localhost:5000: here’s why — or 0.0.0.0 would probably work too :)
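From the defender’s side, the two checks described above (a required substring and a substring blacklist) fail for two separate reasons: the required substring can sit anywhere in the URL, including the query string, and only the URL the user typed is checked, not the redirect target the renderer actually follows. The added example below (not from the write-up or from the challenge’s code) puts the write-up’s rule next to a hardened validator that parses the URL, requires the hostname to be on an allowlist, rejects hostnames that resolve to non-public addresses (loopback, 0.0.0.0, private ranges), and re-validates every redirect hop. DNS answers and the redirect service’s response are constructed stubs so the example runs offline; the IP addresses are constructed samples.

```python
"""Substring checks from the write-up beside a hardened SSRF validator (added example)."""
from __future__ import annotations

import ipaddress
from typing import Callable
from urllib.parse import urlsplit

BLACKLIST = ("local", "spoof", ".0", ".1")   # the Blacklist described in the write-up
ALLOWED_HOSTS = {"www.youtube.com"}          # hardened rule: exact hostnames only

# Constructed stand-ins for DNS and for the redirect service's answers (offline demo).
FAKE_DNS = {
    "www.youtube.com": "142.250.74.14",   # constructed public address
    "tinyurl.com": "104.20.138.65",       # constructed public address
    "localhost": "127.0.0.1",
}
FAKE_REDIRECTS = {
    "https://tinyurl.com/tvadeptrai/?www.youtube.com":
        "http://localhost:5000/MIFM-3d23d-fdsFM?username=admin&password=admin",
}

Check = Callable[[str], "tuple[bool, str]"]


def weak_check(url: str) -> bool:
    """The rule the write-up describes: required substring plus denied substrings."""
    return "www.youtube.com" in url and not any(bad in url for bad in BLACKLIST)


def weak_as_tuple(url: str) -> tuple[bool, str]:
    return (True, "ok") if weak_check(url) else (False, "substring rule")


def resolve(host: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address:
    try:
        return ipaddress.ip_address(host)              # literal IP in the URL
    except ValueError:
        return ipaddress.ip_address(FAKE_DNS[host])    # KeyError for unknown names


def safe_check(url: str) -> tuple[bool, str]:
    """Parse first, then judge the hostname and the address it resolves to."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    try:
        addr = resolve(host)
    except KeyError:
        return False, f"host {host!r} does not resolve"
    if not addr.is_global:   # loopback, 0.0.0.0, RFC 1918, link-local all fail here
        return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def fetch_with_redirects(url: str, check: Check, max_hops: int = 3) -> tuple[bool, str]:
    """Validate every hop the renderer would follow, not just the URL the user typed."""
    for _ in range(max_hops + 1):
        ok, why = check(url)
        if not ok:
            return False, f"{url}: {why}"
        nxt = FAKE_REDIRECTS.get(url)
        if nxt is None:
            return True, url           # final destination, safe to render
        url = nxt
    return False, "too many redirects"


if __name__ == "__main__":
    submitted = "https://tinyurl.com/tvadeptrai/?www.youtube.com"
    print("weak check on submitted URL:", weak_check(submitted))
    print("weak check applied to every hop:", fetch_with_redirects(submitted, weak_as_tuple))
    print("hardened check on submitted URL:", safe_check(submitted))
    print("hardened check on a real video URL:", safe_check("https://www.youtube.com/watch"))
```

Note that even the write-up’s own blacklist would have caught the redirect target (it contains "local") had the renderer re-checked each hop; the hardened version is still preferable because substring rules are easy to sidestep with alternate host spellings, while an allowlist plus a resolved-address check is not.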

And …

Flag: BKSEC{h0w_c4n_y0u_f1nd_m3}

Footnotes

  1. https://www.tutorialspoint.com/what-is-git-folder-and-why-is-it-hidden#

  2. https://git-scm.com/book/en/v2/Git-Internals-Git-Objects
