This task was solved by aay soon after the the problem came up.ym.
The initial intention of the organizer is that the vulnerability is in session and the cookie is decrypt byte per byte so we can post some username like ‘admiX’ and brute force the ciphertext of the last letter to get the admin’s session.However there’s another quick way to achieve the goal.
As we visited the page, corresponding to the experience of solving the 3dub problem before, we tried to login as admin.But the ruby program had a runtime error.We thought that we should decode and construct the cookie.
From the backtrace, we can get some code
get '/' do haml :index end post '/' do if params[:username] == 'admin' raise "can't log in as admin, be smarter" end cipher = make_cipher cipher.encrypt cipher.key = CRYPTO_KEY iv = cipher.random_iv
That says the POST variable username is checked and cannot be admin.The key point is that we can use username to bypass since Array is a totally different thing from String.So just modify the form’s field from username to username and it takes effect.The problem is solved so far.
However, the fact that really confuse me is that since username is an Array, why the program manages to run correctly by username which replaces username.
I happened to find some clue later.Just changed the username field to username and added a new POST field username and then submitted it.The program had another error: ArgumentError at / odd number of arguments for Hash, and the backtrace with some new code.
end cipher = make_cipher cipher.encrypt cipher.key = CRYPTO_KEY iv = cipher.random_iv plaintext = Hash[*params.sort.flatten].to_param ciphertext = cipher.update plaintext ciphertext << cipher.final cookies[:iv] = iv cookies[:ciphertext] = ciphertext cookies[:verification] = params[:verification]
Now we can have a clear view on how the cookies are generated.And pay attention to the following code:
plaintext = Hash[*params.sort.flatten].to_param
The params list is sorted and then flattened which means that the inner square brackets  are token out so that [‘admin’] are changed into ‘admin’.